WhatsApp-delivered VBS Windows infection campaign

Campaign
First reported
Last updated
Happening score: 40
1 unique source, 1 article

Summary

A new WhatsApp-delivered campaign is spreading malicious VBS files that launch a multi-stage Windows infection chain, raising the risk of persistence and remote access. The activity began in late February 2026 and uses social engineering plus living-off-the-land techniques to blend into normal activity. Operators rename legitimate Windows utilities and fetch payloads from AWS, Tencent Cloud, and Backblaze B2. The chain ends with malicious MSI packages and tools such as AnyDesk, which can preserve control and support data theft or additional malware deployment.

Related Happenings

Fox Tempest's malware-signing service scales trusted-signed malware for ransomware gangs

Threat Actor Meta
First: 20.05.2026 00:47 Last: 20.05.2026 00:47 Sources 1

About this happening: Microsoft disrupted **Fox Tempest**'s **malware-signing service** in **May 2026**, cutting off a criminal platform that helped ransomware gangs and other cybercriminals obtain tru...

KongTuke Microsoft Teams initial access campaign

Campaign
First: 14.05.2026 15:12 Last: 14.05.2026 15:12 Sources 1

About this happening: The **KongTuke** campaign now uses **Microsoft Teams** social engineering to gain persistent access to **corporate networks**, shortening initial compromise to **under five minute...

TCLBANKER banking trojan activity targeting 59 financial platforms

Malware Activity
First: 08.05.2026 21:12 Last: 08.05.2026 21:12 Sources 1

About this happening: **TCLBANKER** is a newly documented **Brazilian banking trojan** that can hit **59 banking, fintech, and cryptocurrency platforms**, increasing the risk of credential theft and re...

Vidar Stealer ClickFix campaign targeting multiple sectors

Campaign
First: 08.05.2026 14:00 Last: 08.05.2026 14:00 Sources 1

About this happening: The **Vidar Stealer** campaign is using **ClickFix** social engineering and compromised **WordPress** sites to deliver password-stealing malware, widening risk for **infrastructur...

TCLBanker self-spreading banking trojan

Malware Activity
First: 08.05.2026 01:06 Last: 08.05.2026 01:06 Sources 1

About this happening: The **TCLBanker** trojan now combines **trojanized installer** delivery with **self-spreading worm modules**, widening access to **59 banking, fintech, and cryptocurrency platform...

Timeline

  1. 01.04.2026 14:49 2 articles · 1mo ago

    WhatsApp-delivered VBS Windows infection campaign

    Initial Disclosure

    The first stage uses malicious **VBS files** sent over **WhatsApp** as the user-execution lure. Once run, the scripts drop renamed Windows utilities and start the infection chain from a hidden directory in **C:\ProgramData**.
