
WhatsApp files open door to stealth malware

WhatsApp messages carrying seemingly harmless attachments are being used to push a multi-stage malware chain onto Windows systems, with attackers relying on Visual Basic Script files, cloud-hosted payloads and unsigned Microsoft Installer packages to secure long-term remote access to compromised machines. Microsoft said the activity was observed from late February 2026 and was driven by social-engineering tactics rather than any newly disclosed flaw in WhatsApp itself.

Malware chain hides inside trusted channels

The operation reflects a broader shift in cybercrime tactics, where attackers exploit familiar consumer platforms and legitimate Windows tools instead of using noisy malware that is easier to spot. According to Microsoft’s analysis, the initial lure arrives through WhatsApp as a VBS attachment. When a Windows user opens the file, the script creates hidden folders under ProgramData and copies built-in tools such as curl.exe and bitsadmin.exe under misleading names, allowing the attack to blend into ordinary system activity.

From there, the infection moves quickly into a second stage. The altered utilities are used to fetch follow-on scripts from cloud infrastructure hosted on AWS, Tencent Cloud and Backblaze B2. That choice matters because traffic to major cloud providers can appear routine to security teams and corporate filters, making the malicious downloads harder to distinguish from legitimate activity. Microsoft described this as a mix of social engineering and living-off-the-land techniques, an approach designed to lower visibility while improving the odds that the chain will run to completion.

Security analysts say the campaign is notable less for a novel exploit than for the careful layering of familiar tools. Malwarebytes, citing Microsoft’s findings, said the attackers lean on trusted services and built-in Windows components rather than obvious malware droppers. That puts the burden on user vigilance and endpoint controls, especially in environments where file extensions are hidden and staff treat chat attachments with less suspicion than email attachments.

The technical chain also shows a strong emphasis on persistence. After the secondary scripts are placed, the malware attempts to tamper with User Account Control settings and associated registry entries to weaken safeguards and secure elevated execution. Microsoft said the process repeatedly tries to launch commands with higher privileges until elevation succeeds or the sequence is interrupted. Once that stage is complete, unsigned MSI installers are deployed, giving the attackers a durable foothold on the machine.

One of the more striking elements in the case is the reported use of legitimate remote-access software, including AnyDesk, as part of the later-stage payload set. That gives intruders hands-on access while complicating forensic review, because some of the software involved may not appear inherently malicious in isolation. For defenders, that means detection has to focus on context: how the installer arrived, which processes launched it, and whether system binaries were renamed to disguise activity.

The campaign also underlines a growing security challenge around consumer messaging tools in workplace settings. WhatsApp’s desktop client is widely used as an extension of mobile communications, including for informal business exchanges, customer contacts and file sharing. That familiarity gives attackers a ready-made trust channel. Unlike classic email phishing, where users may already be primed to expect danger, chat-based delivery can feel conversational and immediate, increasing the chance that a file will be opened without scrutiny.

Microsoft said defenders can hunt for mismatches between a file’s displayed name and its embedded Portable Executable metadata, since the renamed binaries in this campaign still retain original identifiers such as curl.exe and bitsadmin.exe. The company also pointed to attack surface reduction rules aimed at blocking obfuscated scripts, preventing untrusted executables from running, and stopping JavaScript or VBScript from launching downloaded content. Those recommendations align with a wider industry view that script controls, signed installer policies and close monitoring of cloud egress are becoming basic requirements rather than optional extras.
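One way to run the hunt Microsoft describes, as an added example that is not from the article or from Microsoft's own guidance: the script walks a set of folders (ProgramData by default, an assumption) and reports every executable whose embedded OriginalFilename or InternalName, read from the PE version resource, does not match its on-disk name, alongside its Authenticode signature status.

```powershell
# Added example: flag renamed binaries by comparing the on-disk file name with the
# OriginalFilename / InternalName carried in the PE version resource. A copy of
# curl.exe saved under another name still reports "curl.exe" here, which is the
# mismatch Microsoft suggests hunting for.
# Assumption: ProgramData is the only root scanned; extend $Roots for other paths.
$Roots = @("$env:ProgramData")

function Find-RenamedBinaries {
    param([string[]]$Paths = $Roots)

    foreach ($root in $Paths) {
        Get-ChildItem -Path $root -Recurse -File -Filter '*.exe' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi = $_.VersionInfo
            # Normalise both embedded names to a bare base name (no extension, no padding),
            # since some vendors store "curl.exe" and others store "curl".
            $embedded = @($vi.OriginalFilename, $vi.InternalName) |
                        Where-Object { $_ } |
                        ForEach-Object { [IO.Path]::GetFileNameWithoutExtension($_.Trim()) }
            if ($embedded.Count -eq 0) { return }   # no version resource: nothing to compare

            $onDisk = $_.BaseName
            $hit = $embedded | Where-Object { $_ -ieq $onDisk }
            if (-not $hit) {
                [PSCustomObject]@{
                    Path             = $_.FullName
                    OnDiskName       = $_.Name
                    OriginalFilename = $vi.OriginalFilename
                    InternalName     = $vi.InternalName
                    Signature        = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                }
            }
        }
    }
}

Find-RenamedBinaries | Format-Table -AutoSize
```

Some legitimate installers and wrappers also ship with an OriginalFilename that differs from their file name, so treat a hit as a lead to check against the parent process and download source rather than as a verdict on its own.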