Microsoft Warns of WhatsApp-Delivered VBS Malware Hijacking Windows via UAC Bypass

Microsoft has disclosed a new malware campaign targeting Windows users through WhatsApp messages that deliver malicious Visual Basic Script (VBS) files. Active since late February 2026, the attack chain employs multi-stage infection techniques to establish persistence and enable remote access to compromised systems. The malware exploits UAC bypass mechanisms to escalate privileges without user consent. The initial delivery vector through WhatsApp increases the likelihood of successful infections given the platform's widespread personal and business use. Organizations should warn users about unexpected VBS file attachments via messaging apps, restrict script execution where possible, and monitor for suspicious VBS activity on endpoints.

Microsoft is calling attention to a new campaign that has leveraged WhatsApp messages to distribute malicious Visual Basic Script (VBS) files. The activity, beginning in late February 2026, leverages these scripts to initiate a multi-stage infection chain for establishing persistence and enabling remote access. It's currently not known what lures the threat actors use to trick users into

Microsoft has disclosed a new malware campaign targeting Windows users through WhatsApp messages that deliver malicious Visual Basic Script (VBS) files. Active since late February 2026, the attack chain employs multi-stage infection techniques to establish persistence and enable remote access to compromised systems. The malware exploits UAC bypass mechanisms to escalate privileges without user consent. The initial delivery vector through WhatsApp increases the likelihood of successful infections given the platform's widespread personal and business use. Organizations should warn users about unexpected VBS file attachments via messaging apps, restrict script execution where possible, and monitor for suspicious VBS activity on endpoints. Microsoft is calling attention to a new campaign that has leveraged WhatsApp messages to distribute malicious Visual Basic Script (VBS) files. The activity, beginning in late February 2026, leverages these scripts to initiate a multi-stage infection chain for establishing persistence and enabling remote access. It's currently not known what lures the threat actors use to trick users into Microsoft is calling attention to a new campaign that has leveraged WhatsApp messages to distribute malicious Visual Basic Script (VBS) files. The activity, beginning in late February 2026, leverages these scripts to initiate a multi-stage infection chain for establishing persistence and enabling remote access. It's currently not known what lures the threat actors use to trick users into