WhatsApp VBScript Campaign Installs ManageEngine RMM, Kaspersky Warns

Written by: Lore Apostol, Cybersecurity Writer
Key Takeaways
  • Campaign Discovered: A June 2026 malware campaign is spreading malicious VBScript files via WhatsApp direct messages.
  • RMM Abuse: The infection chain ultimately installs a preconfigured ManageEngine Endpoint Central (UEMS) RMM agent for remote access.
  • Wide Reach: Victims span Brazil, India, Mexico, the U.K., Spain, Taiwan, Australia, Russia, and more.

An active malware campaign distributes malicious VBScript (VBS) files through WhatsApp direct messages. First observed in June 2026, the operation targets WhatsApp Desktop and WhatsApp Web users, with roughly 80% of victims located in Malaysia, Kaspersky researcher Fareed Radzi has discovered.

How the WhatsApp VBScript Attack Works

The threat actor gained access to several WhatsApp accounts and used them to push the malicious attachments to contacts on the compromised users' lists. Messages contained only the file, with no accompanying text. 

Lures relied on financial-themed filenames such as Financial Reports.vbs, Account Statement.vbs, and Debt Statement.vbs, with several localized into Portuguese, French, German, and Malay.

Overview of the WhatsApp-based VBScript infection chain | Source: SecureList by Kaspersky

According to Kaspersky, once executed via Windows Script Host, the Stage 1 VBScript creates a working directory and downloads two secondary payloads:

WhatsApp messages containing the malicious VBScript file observed across multiple accounts | Source: alleged victims’ social media posts via Kaspersky

ManageEngine Endpoint Central Deployment and Attribution

The ZIP archive contains a preconfigured deployment package of the legitimate ManageEngine Endpoint Central Remote Monitoring and Management (RMM) software, including certificates and configuration files. The setup1.vbs launcher silently installs the agent through msiexec.exe, granting persistent remote access.
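
For defenders, the chain described above (Windows Script Host running a .vbs file, then a script-launched silent msiexec.exe install) can be triaged from process-creation telemetry. The sketch below is an added example, not code from Kaspersky or from the campaign. The event field names, paths, PIDs, agent.msi, the parent-child ordering and the quiet switch are constructed assumptions, since the article does not give the actual command lines.

```python
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # Windows Script Host binaries
VBS_ARG = re.compile(r'\.vbs(?:["\s]|$)', re.I)
# msiexec switches that suppress the installer UI
QUIET_MSI = re.compile(r"(?:^|\s)[/-](?:q[nb]?|quiet|passive)\b", re.I)

# Constructed sample events (simplified process-creation fields; paths,
# PIDs and agent.msi are made up for this example).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 4120, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\Account Statement.vbs"'},
    {"pid": 4188, "ppid": 4120, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\AppData\Local\Temp\w\setup1.vbs"'},
    {"pid": 4230, "ppid": 4188, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i agent.msi /qn"},
    {"pid": 5000, "ppid": 100, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\u\Downloads\7z.msi"'},
]

def basename(path):
    """Lower-cased file name from a Windows or POSIX style path."""
    return re.split(r"[\\/]", path)[-1].lower()

def triage(events):
    """Return (pid, reason) for each event that fits the described chain."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        image = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_image = basename(parent["image"]) if parent else ""
        if image in SCRIPT_HOSTS and VBS_ARG.search(e["cmdline"]):
            # A script host running a .vbs; note when another script started it.
            chained = parent_image in SCRIPT_HOSTS
            hits.append((e["pid"], "vbs launched by script host" if chained
                         else "script host running .vbs"))
        elif (image == "msiexec.exe" and parent_image in SCRIPT_HOSTS
              and QUIET_MSI.search(e["cmdline"])):
            # Installer UI suppressed and started from a script, not by a user.
            hits.append((e["pid"], "silent msiexec spawned by script host"))
    return hits

if __name__ == "__main__":
    for pid, reason in triage(SAMPLE_EVENTS):
        print(pid, reason)
```

Legitimate software deployment also uses quiet msiexec installs from scripts, so these matches are triage signals to correlate with the file's origin rather than verdicts.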

Victims were identified across Malaysia, Brazil, India, Mexico, Singapore, the U.K., Spain, Taiwan, Australia, Russia, and Vietnam. 

Chinese-language comments and an infrastructure overlap, IP address 202.61.160.201, previously tied to ValleyRAT and Gh0st RAT activity, led Kaspersky to assess with low confidence that a Chinese-speaking operator may be responsible.

In March, Russian hackers targeted Signal and WhatsApp accounts of high-value individuals in a large-scale phishing operation.

