WhatsApp Attack Chain Delivers VBS, Cloud Payloads, MSI Backdoor

A newmalware campaign leverages WhatsApp messages to deliver malicious Visual Basic Script (VBS) files to Windows systems, facilitating persistent remote access via unsigned MSI installers.

The attack initiates when users receive WhatsApp messages containing VBS attachments disguised as benign files. Upon execution on Windows, these scripts launch hidden folders under C:\ProgramData and copy legitimate Windows utilities (curl.exe, bitsadmin.exe). The binaries are renamed to deceptive filenames (e.g., netapi.dll, sc.exe) while retaining original PE metadata (OriginalFileName field) identifying them as curl.exe and bitsadmin.exe.

Microsoft Defender Experts documented the campaign starting in late February 2026. The metadata mismatch serves as a detection hook for security solutions inspecting PE headers.

Attackers leverage reputable cloud platforms (AWS S3, Tencent Cloud, Backblaze B2) to host secondary VBS payloads (auxs.vbs, 2009.vbs, WinUpdate_KB5034231.vbs), tunneling downloads through these services to mimic legitimate enterprise traffic and evade simple domain/IP blocking.

This approach reflects a trend of weaponizing trusted cloud infrastructure for droppers and C2 resources, relying on Living-off-the-Land Binaries (LOLBins) and reputable providers to lower the attack’s profile, especially in environments prioritizing unknown binaries over behavioral analysis.

Secondary scripts tamper with UAC settings and registry keys (HKLM\Software\Microsoft\Win\ConsentPromptBehaviorAdmin) to suppress prompts and achieve silent elevation. These actions are detectable via repeated UAC-related registry modifications and anomalous elevated command shells spawned from script hosts or renamed Windows tools.

In the final stage, the campaign deploys unsigned MSI installers (Setup.msi, WinRAR.msi, LinkPoint.msi, AnyDesk.msi) mimicking enterprise software. The absence of publisher signatures is a key indicator of malicious intent. Once installed, solutions like AnyDesk provide persistent interactive access for data theft, lateral movement, or further malware deployment.

MSI deployment blends into routine software rollouts if code-signing and reputation checks are bypassed. Microsoft recommends restricting script hosts (wscript, cscript, mshta), enabling cloud-delivered protection, EDR in block mode, attack surface reduction rules, and tamper protection via Microsoft Defender. Enhanced traffic inspection for Tencent Cloud and Backblaze B2 is advised, alongside monitoring for HKLM\Software\Microsoft\Win registry changes and UAC tampering.

Related Articles

Back to top button