
WhatsApp VBScript Campaign Delivers RMM Remote Access Malware

Kaspersky details an active global campaign distributing VBS files via WhatsApp that installs UEMS RMM software, enabling persistent remote access across 12 countries including...

Process tree showing WScript.exe spawned by WhatsApp.Root.exe during VBScript execution

Executive Summary

A widespread malware campaign is actively distributing malicious VBScript files through WhatsApp Direct Messages, ultimately installing legitimate Remote Monitoring and Management (RMM) software that grants attackers persistent remote access to victims' systems. Kaspersky researchers documented the campaign in June 2026, noting that it has affected users across at least 12 countries — with Malaysia seeing the highest concentration of victims — and remains ongoing at the time of publication.

The infection chain requires no exploit; it relies entirely on social engineering. Attackers send .vbs or .vbe files masquerading as invoices, debt notices, bank statements, and other financial documents. When the recipient double-clicks the attachment within WhatsApp Desktop or WhatsApp Web, Windows Script Host (WScript.exe) executes the script, which then downloads and runs additional VBScript components that disable User Account Control (UAC) and ultimately install a UEMS RMM agent. The campaign primarily targets WhatsApp Desktop and WhatsApp Web users; the exact method by which attackers compromise WhatsApp accounts to distribute the malware remains unknown, according to Kaspersky.

Technical Analysis

Kaspersky's analysis, published June 22, 2026, details a three-stage infection chain. Stage 1 begins when a user opens the VBS attachment from within WhatsApp Desktop. Telemetry shows WScript.exe spawned directly by WhatsApp.Root.exe, with the command line referencing the attachment stored in WhatsApp Desktop's local transfer directory:

"C:\Windows\System32\WScript.exe" "C:\Users\<username>\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\Sessions\<session_identifier>\Transfers\<YYYY-MM>\financial reports(s).vbs"

On WhatsApp Web, execution occurs through explorer.exe (if the user opens the downloaded file from the Downloads folder) or through the browser process.

Stage 2 involves the initial VBScript retrieving and executing secondary VBScript payloads. One variant modifies Windows registry settings to lower UAC protection, reducing the likelihood that subsequent installations trigger elevation prompts. Another variant downloads a ZIP archive containing additional scripts and extracts them for execution.
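The Stage 1 process lineage (WScript.exe launched by WhatsApp.Root.exe, or by explorer.exe or a browser in the WhatsApp Web case, with a .vbs/.vbe path on the command line) and the Stage 2 UAC registry change can both be expressed as detection rules. The block below is an added example, not Kaspersky's or this article's code. It runs those rules over Sysmon-style process-creation and registry-set records; the event field names, the sample events and the WhatsApp.Root.exe parent path are constructed for the demonstration, the UAC value names under the Policies\System key are the standard Windows ones, and the assumption that the dropper writes them from the script host process itself is ours.

```python
"""Detection rules for the WhatsApp VBScript delivery chain (added example).

Events are dicts shaped like Sysmon EventID 1 (process create) and
EventID 13 (registry value set). Field names and all sample events below
are constructed; map them onto your own telemetry schema.
"""
import re
from typing import List, Optional, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
WHATSAPP_PARENTS = {"whatsapp.root.exe"}            # parent seen in the article
SHELL_OR_BROWSER_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Attachment path WhatsApp Desktop uses for received files (from the article).
WHATSAPP_TRANSFER_RE = re.compile(
    r"\\AppData\\Local\\Packages\\5319275A\.WhatsAppDesktop_[^\\]+"
    r"\\LocalState\\Sessions\\[^\\]+\\Transfers\\",
    re.IGNORECASE,
)
DOWNLOADS_RE = re.compile(r"\\Users\\[^\\]+\\Downloads\\", re.IGNORECASE)
SCRIPT_EXT_RE = re.compile(r"\.vb[se]\b", re.IGNORECASE)

# Standard UAC policy key; a zero in any of these values weakens UAC.
UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_VALUES = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_process(ev: dict) -> Optional[str]:
    """Stage 1: script host launched on a .vbs/.vbe from WhatsApp or Downloads."""
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    if image not in SCRIPT_HOSTS or not SCRIPT_EXT_RE.search(cmd):
        return None
    if parent in WHATSAPP_PARENTS or WHATSAPP_TRANSFER_RE.search(cmd):
        return "vbs_from_whatsapp_desktop"        # high confidence
    if parent in SHELL_OR_BROWSER_PARENTS and DOWNLOADS_RE.search(cmd):
        return "vbs_from_downloads_via_shell"     # WhatsApp Web path, lower confidence
    return None


def detect_registry(ev: dict) -> Optional[str]:
    """Stage 2: a script host (or reg.exe) zeroes a UAC policy value."""
    key, _, value = ev.get("TargetObject", "").rpartition("\\")
    if key.lower() != UAC_KEY.lower() or value not in UAC_VALUES:
        return None
    if "0x00000000" not in ev.get("Details", ""):  # Sysmon renders DWORDs as "DWORD (0x...)"
        return None
    image = basename(ev.get("Image", ""))
    if image in SCRIPT_HOSTS | {"reg.exe"}:       # writer set is an assumption
        return f"uac_weakened_{value}_by_{image}"
    return None


def scan(events: List[dict]) -> List[Tuple[int, str]]:
    """Apply the rule matching each event type; return (index, alert) pairs."""
    alerts = []
    for i, ev in enumerate(events):
        eid = ev.get("EventID")
        name = detect_process(ev) if eid == 1 else detect_registry(ev) if eid == 13 else None
        if name:
            alerts.append((i, name))
    return alerts


# Constructed sample telemetry (paths, session id and user are made up).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WScript.exe",
     "ParentImage": r"C:\Program Files\WindowsApps\WhatsAppDesktop\WhatsApp.Root.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\alice\AppData\Local\Packages'
                    r'\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\Sessions\abc123'
                    r'\Transfers\2026-06\financial reports(s).vbs"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WScript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\alice\Downloads\Penyata bank.vbs"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",          # benign admin script
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" C:\Scripts\backup.vbs'},
    {"EventID": 13, "Image": r"C:\Windows\System32\WScript.exe",
     "TargetObject": UAC_KEY + r"\EnableLUA", "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",         # benign policy refresh
     "TargetObject": UAC_KEY + r"\EnableLUA", "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for idx, alert in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {alert}")
```

The Desktop rule keys on either the WhatsApp.Root.exe parent or the Transfers directory so it still fires if the parent is lost in a renamed or wrapped process; the WhatsApp Web rule necessarily fires on any .vbs run from Downloads and should be tuned against known-good scripts in your environment.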

Stage 3 installs a legitimate UEMS RMM agent, which communicates with an attacker-controlled server. The RMM software provides full remote desktop control, file transfer, and command execution capabilities. Because the RMM tool is a legitimate commercial product, it may evade detection by endpoint protection that trusts signed or known-good binaries.

Kaspersky observed that the VBScript samples contain extensive comments in Chinese referencing Windows Update components, certificate validation, and system integrity checks — likely an attempt to mislead analysts or bypass automated sandbox detection. File names were localized into Portuguese, French, German, and Malay, suggesting the campaign tailors lures to specific regions.

Indicators of Compromise

Kaspersky published a list of observed file names used in the campaign. These are representative samples; the actual set is likely larger:

  • Financial Reports.vbs
  • Debt confirmation.vbs
  • Statement of Debt(30K).vbs
  • Outstanding Payment List.vbs
  • Account Statement.vbs
  • Debt Statement.vbs
  • Billing Statement (2).vbs
  • Promissory_Note(b).vbs
  • Extrato de Conciliação.vbs (Portuguese)
  • Aviso de dívida.vbs (Portuguese)
  • Le formulaire de demande le plus récent.vbs (French)
  • Bitte füllen Sie das Formular für Umsatzsteuer-Nullsatz-Verkäufe aus.vbs (German)
  • Penyata bank.vbs (Malay)
  • Sila semak bil anda.vbs (Malay)

Kaspersky's full IOCs, including attacker-controlled UEMS server IP addresses and domains, are available in the original Securelist post.

Tactics, Techniques & Procedures

The campaign employs a straightforward but effective TTP chain:

  • Initial Access (T1566.003): Phishing via third-party messaging service — VBS files sent as WhatsApp attachments.
  • Execution (T1204.002): User double-clicks the attachment, triggering WScript.exe.
  • Defense Evasion (T1112): Registry modification to disable UAC.
  • Defense Evasion (T1036.005): File names masquerade as financial documents; script comments
