Kaspersky Uncovers Malware Spreading via WhatsApp

Kaspersky has recently discovered a crimeware campaign that distributes malicious VBScript files via direct messages on WhatsApp.

Victims have been identified across multiple countries and territories, including Malaysia, Brazil, Singapore, Taiwan and Vietnam, with the highest number of observed victims located in Malaysia. The use of multiple languages in file names also points to broad regional targeting, especially across Europe.

The Kaspersky Global Research and Analysis Team (GReAT) revealed a campaign in June 2026 in which a cybercriminal group uses compromised WhatsApp accounts to send malicious attachments. Because the messages come from known contacts, recipients are more likely to open the files. Once installed, the malware grants remote access to the system through standard administrative functions that are normally reserved for IT support and management.

The social engineering component utilizes file names that imitate common business documents such as invoices and bank statements, localized in multiple languages including English and Portuguese. The VBScript samples also feature comments and metadata that resemble authentic Microsoft Windows Update components.

“In this campaign, attackers are exploiting trust within messaging platforms by using compromised WhatsApp accounts to deliver malicious attachments that appear to originate from known contacts, making recipients far more inclined to engage with them. The file names are carefully disguised as routine business documents, such as invoices and payment notices, and localized across multiple languages to support broad targeting. Once opened, they trigger a staged infection chain that silently retrieves and executes additional malicious components from external infrastructure.”

Fareed Radzi, security researcher at Kaspersky GReAT

The execution flow of the attachment follows a multi-stage process on the affected system. Once opened, the file triggers a scripted sequence on the device. The initial script creates a working directory under C:\Users\Public\Documents\, then retrieves additional script files from external infrastructure and executes them using Windows Script Host. These follow-up scripts perform additional system actions and download a compressed archive from the same infrastructure. The archive contains an installation package for remote monitoring and management software.
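The execution flow above leaves a recognisable trail in process-creation logs. The following triage sketch is an added example, not code from Kaspersky or the Securelist report: the event format (Sysmon Event ID 1 style fields), the rule set and every file or directory name in the sample data are assumptions constructed for illustration.

```python
import json
import ntpath
import re

STAGING_DIR = "c:\\users\\public\\documents\\"   # working-directory root named in the article
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}     # Windows Script Host binaries
SCRIPT_EXTS = (".vbs", ".vbe", ".js")             # script types Windows Script Host runs

# Constructed process-creation events (Sysmon Event ID 1 style fields).
# All file and directory names below are placeholders, not indicators from the report.
SAMPLE_EVENTS = r'''
{"Image": "C:\\Windows\\System32\\wscript.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "wscript.exe \"C:\\Users\\alice\\Downloads\\EXAMPLE_invoice.vbs\""}
{"Image": "C:\\Windows\\System32\\wscript.exe", "ParentImage": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "wscript.exe //B \"C:\\Users\\Public\\Documents\\EXAMPLE_DIR\\stage2.vbs\""}
{"Image": "C:\\Windows\\System32\\CSCRIPT.EXE", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cscript c:/users/public/documents/EXAMPLE_DIR/../EXAMPLE_DIR/a.VBE"}
{"Image": "C:\\Users\\Public\\Documents\\EXAMPLE_DIR\\EXAMPLE_setup.exe", "ParentImage": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "EXAMPLE_setup.exe"}
{"Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe C:\\Users\\Public\\Documents\\readme.txt"}
'''

def norm(path):
    """Lower-case and normalise a Windows path (slashes, '..') on any OS."""
    return ntpath.normpath(path).lower()

def script_args(cmdline):
    """Script files referenced on a command line, quoted or not."""
    tokens = re.findall(r'"([^"]+)"|(\S+)', cmdline)
    return [p for p in (norm(q or u) for q, u in tokens) if p.endswith(SCRIPT_EXTS)]

def classify(event):
    image = norm(event["Image"])
    host = ntpath.basename(image)
    parent = ntpath.basename(norm(event.get("ParentImage", "")))
    scripts = script_args(event["CommandLine"])
    if host in SCRIPT_HOSTS and any(s.startswith(STAGING_DIR) for s in scripts):
        return "high: script host ran a script from Public Documents"
    # Assumption: later stages are launched from the same working directory.
    if parent in SCRIPT_HOSTS and image.startswith(STAGING_DIR):
        return "high: script host started a binary in Public Documents"
    if host in SCRIPT_HOSTS and scripts:
        return "medium: script host ran a script file"
    return None

def triage(jsonl):
    """Return (command line, verdict) for every event that matches a rule."""
    events = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    return [(e["CommandLine"], v) for e in events if (v := classify(e))]

if __name__ == "__main__":
    for cmdline, verdict in triage(SAMPLE_EVENTS):
        print(f"{verdict:55} {cmdline}")
```

Paths are normalised before matching, so forward slashes, mixed case and `..` segments in a command line do not slip past the directory check.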

Check the full report on Securelist, link below.

Kaspersky GReAT experts recommend that users:

  • Be cautious when receiving unexpected attachments through WhatsApp, even when they appear to originate from known contacts, as they may execute malware.
  • Do not open script and executable file types such as .vbs, .vbe, .exe, .bat, .cmd, .js, and .ps1 unless their legitimacy has been independently verified.
  • Use a strong security solution on all computers and mobile devices, such as Kaspersky Premium. It will warn you and prevent any infection.