ProBackend

How a WhatsApp VBS File Turned Into a Corporate Remote Access Tool

A coordinated malware campaign targets WhatsApp users with deceptive VBScript files that install ManageEngine Endpoint Central, granting attackers persistent remote control over Windows systems.

Maura Delgado

You get a message on WhatsApp. No text. Just a file: "Statement of Debt(30K).vbs".

You know the sender. Your accountant. Your procurement manager. Someone you’ve worked with for years.

You open it.

And suddenly, your entire company is at the mercy of someone on the other side of the world who now has full control over your desktop.

This isn’t a phishing email. It’s a silent takeover—delivered through the app you use to coordinate lunch orders and share meeting notes.

Kaspersky’s analysis of this campaign, active since early June 2026, shows it’s not just clever. It’s terrifyingly efficient. It doesn’t need zero-days. It doesn’t need malware that looks like malware. It just needs you to trust the person you think you’re talking to.

And it’s working.

Eighty percent of confirmed victims are in Malaysia. But the attack has hit Brazil, India, Mexico, Singapore, the UK, Spain, Taiwan, Australia, Russia, and Vietnam. That’s not random. That’s targeted. Someone spent months figuring out where WhatsApp is used for business—and then weaponized it.

The file? VBS. VBScript. A relic from Windows 98. It’s been around since before smartphones. And yet, here it is, quietly installing enterprise remote management software on your machine.

No ransomware. No data destruction. Just… access.

And that’s the point.

Because once you have access, you don’t need to destroy. You just need to wait.

And watch.

And learn.

This isn’t an attack. It’s an infiltration.


The Three-Stage Silent Takeover

Let’s break down what actually happens when you open that file.

Stage 1: The Trapdoor

The VBS file doesn’t do much on its own. It’s just the key. It creates a hidden folder under C:\Users\Public\Documents\—a place Windows ignores, and most antivirus tools don’t scan. Then it downloads two more scripts.

These aren’t just scripts. They’re obfuscated nightmares. Variable names randomized. Strings stitched together one character at a time. Junk code inserted between real commands. And buried in there? Simplified Chinese comments. "This is for Windows Update." "This is a Microsoft service." The kind of thing a developer might leave behind if they were trying to make the code look legitimate.

It’s not just hiding. It’s pretending.

Stage 2: Disabling the Guardrails

One of those scripts? It’s a UAC bypass. Repeatedly. Every 2 seconds. For minutes. It tries to change the registry value ConsentPromptBehaviorAdmin from "1" to "0", which tells Windows to elevate admin actions without asking for consent.

Why? Because if you’re sitting there watching your screen, you’ll see the UAC popup. You’ll click "No." And the attack dies.

But if it runs in the background? If you’re in a meeting? If you’re on a call? If you’re not paying attention?

It wins.

It doesn’t need you to click "Yes." It just needs you to be distracted.

And then it downloads the ZIP.

Stage 3: The Legit Tool

The ZIP contains ManageEngine Endpoint Central. Not malware. Not a backdoor. Not a trojan.

It’s a legitimate enterprise RMM tool. Used by IT departments to remotely patch systems, deploy software, and manage endpoints.

The attacker didn’t build a new tool. They stole the one already in your network.

They’ve pre-configured it with their own server address. Their own certificates. Their own credentials.

The installer runs silently through msiexec.exe. No progress bar. No pop-up. No "Installation Complete" message.

And then? The agent connects to their server.

And now? They can see your screen. They can type on your keyboard. They can install anything they want. They can move laterally to your server. They can steal your customer database. Your payroll records. Your financial statements.

And you? You’ll never know.

Because the tool looks like yours.

And that’s the genius of it.


The Social Engineering Isn’t Subtle. It’s Perfect.

The file names? "Financial Reports.vbs". "Account Statement.vbs". "Outstanding Payment List.vbs".

Localized into Portuguese, French, German, and Malay.

No message. No context. Just the file.

Why?

Because you don’t need to convince someone to open a file if you make them think it’s already theirs.

Think about it: if someone you know sends you a document with no explanation, your brain doesn’t say "This is suspicious." It says, "Oh, they must’ve forgotten to type something. I’ll open it later."

That’s the trap.

It doesn’t rely on fear. It doesn’t use urgency. It doesn’t threaten legal action.

It uses trust.

And it exploits the fact that we now use WhatsApp for business.

We use it to confirm delivery times. To send invoices. To say "Can you send me the spreadsheet?"

And now? We’re using it to receive executable files.

And we’re doing it without blinking.


The Ghost in the Machine: Who’s Behind This?

Kaspersky found an IP address: 202.61.160.201.

It’s been seen before.

In infrastructure tied to ValleyRAT and Gh0st RAT—malware families linked to Chinese-speaking threat actors.

The Chinese comments in the scripts? They’re not random. They’re intentional. They’re breadcrumbs.

But here’s the thing: Kaspersky says they can’t attribute this with high confidence.

And that’s the point.

This isn’t a nation-state. Not yet.

It’s a contractor.

A freelance hacker.

Someone who bought a stolen WhatsApp account on the dark web. Who knew how to write a VBS script. Who knew that ManageEngine was used by 20% of mid-sized companies.

And who realized: you don’t need to be a genius to break in.

You just need to know where the door is.

And that door? It’s your WhatsApp chat.


What You Should Do Right Now

Here’s the brutal truth: you can’t stop this with firewalls.

You can’t stop this with antivirus.

You can’t stop this with endpoint detection.

Because the tool they install? It’s legitimate.

The file? It’s not malicious code.

It’s a human mistake.

So here’s what you do:

  1. Never open VBS, VBE, JS, PS1, BAT, or CMD files from WhatsApp—ever. Not from your boss. Not from your cousin. Not from your ex. If it’s a script file, delete it. Immediately. No exceptions.

  2. Verify everything. If someone sends you a "financial document" on WhatsApp, call them. Text them. Email them. Ask: "Did you send me this?" If they say no? Delete it. If they say yes? Ask them to resend it via email. Or upload it to your shared drive. Not WhatsApp.

  3. Monitor your endpoints. If you see ManageEngine Endpoint Central installed on a machine that doesn’t belong to IT? That’s not an accident. That’s a breach. Investigate immediately.

  4. Train your team. This isn’t about phishing. It’s about platform risk. You train people not to open .exe files from strangers. Now you have to train them not to open .vbs files from friends.

  5. Use a password manager. If your WhatsApp account was compromised, your password was weak. Or reused. Or leaked. Fix that. Now.
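The three stages described above (script host launch, the ConsentPromptBehaviorAdmin write, the silent msiexec install) and step 3's "monitor your endpoints" advice can be turned into simple detection logic. The following is an added example, not Kaspersky's or ManageEngine's code; it runs over constructed Sysmon-style events, and the user name, download path and package name are invented for the illustration.

```python
import re

# Detection for the three stages described above, run over constructed Sysmon-style
# events (EventID 1 = ProcessCreate, 13 = RegistryValueSet).
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|ps1|bat|cmd)\b", re.I)  # the list from step 1
# standard location of the UAC admin-prompt setting that stage 2 flips to 0
UAC_VALUE = r"hklm\software\microsoft\windows\currentversion\policies\system\consentpromptbehavioradmin"
PUBLIC_DOCS = r"c:\users\public\documents"

def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def detect(events):
    """Return one (rule, summary) tuple per event that matches a stage of the chain."""
    findings = []
    for ev in events:
        image, parent = _basename(ev.get("Image", "")), _basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        if ev["EventID"] == 1 and image in SCRIPT_HOSTS and SCRIPT_EXT.search(cmd):
            # stage 1: script host running a script file; a WhatsApp download path means it came by chat
            source = "WhatsApp download" if "whatsapp" in cmd.lower() else "script file"
            findings.append(("script_host_launch", f"{image} ran a {source}: {cmd}"))
        elif ev["EventID"] == 13 and ev.get("TargetObject", "").lower() == UAC_VALUE:
            # stage 2: ConsentPromptBehaviorAdmin written as 0 lets admin actions elevate without a prompt
            if re.search(r"\(0x0+\)", ev.get("Details", "")):
                findings.append(("uac_prompt_disabled", f"{image} set ConsentPromptBehaviorAdmin to 0"))
        elif ev["EventID"] == 1 and image == "msiexec.exe":
            # stage 3: silent MSI install staged under Public\Documents or spawned by a script host
            if PUBLIC_DOCS in cmd.lower() or parent in SCRIPT_HOSTS:
                findings.append(("silent_msi_from_script", f"msiexec spawned by {parent}: {cmd}"))
    return findings

SAMPLE_EVENTS = [  # constructed for this example; the paths and package name are not from the campaign
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Users\alice\Downloads\WhatsApp\Statement of Debt(30K).vbs"'},
    {"EventID": 13, "Image": r"C:\Windows\System32\wscript.exe", "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin"},
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\Public\Documents\.cache\agent.msi" /qn'},
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe", "ParentImage": r"C:\Windows\CCM\CcmExec.exe",
     "CommandLine": r'msiexec.exe /i "C:\Windows\ccmcache\a1\patch.msi" /qn'},  # benign IT deployment
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe", "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},  # benign
]

if __name__ == "__main__":
    for rule, summary in detect(SAMPLE_EVENTS):
        print(rule, "->", summary)
```

The benign SCCM-style install and the unrelated UAC value are included to show that the rules key on the script-host parent, the Public\Documents staging path and the specific value write, not on msiexec or registry activity in general.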


The Bigger Picture: We’re Already Living in the Post-Email Era

This attack didn’t come from a spam filter.

It came from a chat app.

And that’s the future.

We stopped trusting email. We moved to Slack. To Teams. To WhatsApp.

And we stopped thinking about security.

We thought: "It’s just a message."

But messages can carry files.

And files can carry code.

And code can carry control.

This isn’t the end of phishing.

It’s the beginning of something worse.

The next attack won’t be a VBS file.

It’ll be a voice note.

Or a video.

Or a PDF that says "Review this contract"—but when you open it, it runs a PowerShell script.

We’re not ready.

And we’re not thinking about it.

Because we still think security is about firewalls.

It’s not.

It’s about trust.

And we’re giving it away for free.


Final Thought: Don’t Just Block Files. Block Behavior.

I’ve seen companies spend millions on EDR tools.

And then let their employees open .vbs files on WhatsApp.

It’s like putting a steel door on your house—and leaving the key under the mat.

The solution isn’t better detection.

It’s better habits.

So next time you get a file on WhatsApp?

Don’t open it.

Ask yourself:

"Would an accountant send me a .vbs file?"

And if the answer is no?

Then don’t open it.

Because you’re not just protecting your machine.

You’re protecting your company.

And your job.

And your reputation.

And maybe, just maybe… your life.

Because the attacker doesn’t care if you’re a CFO or a receptionist.

They just care if you click.

And you just did.
