Find notable cyber news and cases, enriched with sources, timelines, and signals.

WhatsApp-delivered VBS Windows infection campaign

Campaign
First reported
Last updated
Happening score
H score 34
1 unique sources, 1 articles

Summary

Hide ▲

A new WhatsApp-delivered campaign is spreading malicious VBS files that launch a multi-stage Windows infection chain, raising the risk of persistence and remote access. The activity began in late February 2026 and uses social engineering plus living-off-the-land techniques to blend into normal activity. Operators rename legitimate Windows utilities and fetch payloads from AWS, Tencent Cloud, and Backblaze B2. The chain ends with malicious MSI packages and tools such as AnyDesk, which can preserve control and support data theft or additional malware deployment.

Related Happenings

WhatsApp VBScript infection chain installing ManageEngine RMM Central

Malware Activity
H score20 First: 23.06.2026 08:38 Last: 23.06.2026 08:38 Sources 1

About this happening: **VBScript attachments** spread through **WhatsApp direct messages** are now driving a **multi-stage Windows infection chain** that can end in remote access to victim systems. The...

Fox Tempest's malware-signing service scales trusted-signed malware for ransomware gangs

Threat Actor Meta
H score26 First: 20.05.2026 00:47 Last: 20.05.2026 00:47 Sources 1

About this happening: Microsoft disrupted **Fox Tempest**'s **malware-signing service** in **May 2026**, cutting off a criminal platform that helped ransomware gangs and other cybercriminals obtain tru...

KongTuke Microsoft Teams initial access campaign

Campaign
H score42 First: 14.05.2026 15:12 Last: 14.05.2026 15:12 Sources 1

About this happening: The **KongTuke** campaign now uses **Microsoft Teams** social engineering to gain persistent access to **corporate networks**, shortening initial compromise to **under five minute...

TCLBANKER banking trojan activity targeting 59 financial platforms

Malware Activity
H score20 First: 08.05.2026 21:12 Last: 08.05.2026 21:12 Sources 1

About this happening: **TCLBANKER** is a newly documented **Brazilian banking trojan** that can hit **59 banking, fintech, and cryptocurrency platforms**, increasing the risk of credential theft and re...

Vidar Stealer ClickFix campaign targeting multiple sectors

Campaign
H score38 First: 08.05.2026 14:00 Last: 08.05.2026 14:00 Sources 1

About this happening: The **Vidar Stealer** campaign is using **ClickFix** social engineering and compromised **WordPress** sites to deliver password-stealing malware, widening risk for **infrastructur...

Timeline

  1. 01.04.2026 14:49 2 articles · 3mo ago

    WhatsApp-delivered VBS Windows infection campaign

    Initial Disclosure

    The first stage uses malicious **VBS files** sent over **WhatsApp** as the user-execution lure. Once run, the scripts drop renamed Windows utilities and start the infection chain from a hidden directory in **C:\ProgramData**.

    Show sources