WhatsApp VBScript attachment distribution campaign
Campaign
Summary
The active WhatsApp VBScript campaign is spreading malicious attachments that can lead to remote access on victim systems. It targets WhatsApp Desktop and WhatsApp Web users across Malaysia, Brazil, India, Mexico, Singapore, the U.K., Spain, Taiwan, Australia, Russia, and Vietnam, with the highest victim concentration in Malaysia. The operation uses deceptive file names that impersonate business and financial documents to trick recipients into opening the attachment. The scripts launch through WScript.exe, pull additional stages, and end with the installation of legitimate ManageEngine RMM Central software.
Related Happenings
WhatsApp VBScript infection chain installing ManageEngine RMM Central
Malware Activity
H score: 20
First: 23.06.2026 08:38
Last: 23.06.2026 08:38
Sources 1
How related:
Once executed, the VBScript initiates a multi-stage infection chain that ultimately results in the installation of legitimate Remote Monitoring and Management (RMM) software, enabling remote access to the victim's system.
About this happening:
**VBScript attachments** spread through **WhatsApp direct messages** are now driving a **multi-stage Windows infection chain** that can end in remote access to victim systems. The...
WhatsApp VBScript phishing campaign targeting users in multiple countries
Campaign
H score: 43
First: 23.06.2026 01:42
Last: 23.06.2026 01:42
Sources 1
About this happening:
An **ongoing phishing campaign** is using **compromised WhatsApp accounts** to send **obfuscated VBScript files** to users in **multiple countries**, creating a path to **remote s...
Ghostwriter Prometheus-themed phishing campaign targeting Ukraine government organizations
Campaign
H score: 33
First: 22.05.2026 19:20
Last: 22.05.2026 19:20
Sources 1
About this happening:
A **Ghostwriter** phishing campaign is targeting **Ukraine government organizations** with **Prometheus-themed lures**, increasing the risk of credential theft and follow-on acces...
JanelaRAT malware activity targeting Latin American banks
Malware Activity
H score: 29
First: 13.04.2026 20:15
Last: 13.04.2026 20:15
Sources 1
About this happening:
**JanelaRAT** continues targeting **Latin American banks and financial institutions**, with telemetry showing **14,739 attacks in Brazil** in **2025** and **11,695 in Mexico**, ra...
Augmented Marauder / Water Saci multi-pronged phishing campaign targeting Latin America and Europe
Campaign
H score: 38
First: 01.04.2026 15:36
Last: 01.04.2026 15:36
Sources 1
About this happening:
**Water Saci** is actively evolving a **WhatsApp Web worm** in **Brazil** that uses **HTA** and **PDF** lures to deliver a **banking trojan**. The latest wave shifts from **PowerS...
Timeline
23.06.2026 08:38 · 2 articles
Malicious WhatsApp VBScript attachments install ManageEngine RMM Central
Initial Disclosure: Direct WhatsApp messages are being used to spread malicious VBScript attachments that masquerade as business and financial documents to WhatsApp Desktop and WhatsApp Web users across Malaysia, Brazil, India, Mexico, Singapore, the U.K., Spain, Taiwan, Australia, Russia, and Vietnam, with the highest victim concentration in Malaysia. The script chain launches through WScript.exe, pulls additional VBScript stages, attempts to tamper with Windows User Account Control (UAC), and installs ManageEngine RMM Central to enable remote access on victim systems. Kaspersky also noted an infrastructure overlap at 202.61.160[.]201 with prior Gh0st RAT and ValleyRAT activity, while the compromise method for the WhatsApp accounts remains unclear.
Sources:
- WhatsApp VBScript Campaign Uses Fake Documents to Install ManageEngine RMM Tool — thehackernews.com — 23.06.2026 08:38
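
Because the final payload is legitimate RMM software, detection has to key on the chain rather than the installer alone. The following is an added example, not code from the cited reporting: it correlates constructed endpoint events per host, and the event field names, parent-process list, UAC registry value names and the "manageengine" substring match are all assumptions.

```python
from datetime import datetime, timedelta
# Assumed, not from the page: event field names, the parent-process list,
# the UAC registry value names and the "manageengine" substring match.
LURE_PARENTS = {"whatsapp.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
UAC_KEY = r"\software\microsoft\windows\currentversion\policies\system"
UAC_VALUES = {"enablelua", "consentpromptbehavioradmin", "promptonsecuredesktop"}
WINDOW = timedelta(minutes=30)

def base(path):  # lower-cased file name of a Windows path
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Map one event to a chain stage ('lure', 'stage', 'uac', 'rmm') or None."""
    if ev["type"] == "proc":
        cmd = ev["cmdline"].lower()
        if base(ev["image"]) == "wscript.exe" and ".vbs" in cmd:
            return "lure" if base(ev["parent"]) in LURE_PARENTS else "stage"
        if "manageengine" in cmd:
            return "rmm"
    elif ev["type"] == "reg":
        key, _, value = ev["target"].lower().rpartition("\\")
        if key.endswith(UAC_KEY) and value in UAC_VALUES:
            return "uac"

def detect(events):
    """Hosts where a lure script is followed within WINDOW by UAC tampering or an RMM install."""
    lure_at, seen = {}, {}
    for ev in sorted(events, key=lambda e: e["time"]):
        stage, host = classify(ev), ev["host"]
        when = datetime.fromisoformat(ev["time"])
        if stage == "lure":
            lure_at[host] = when
            seen.setdefault(host, set()).add("lure")
        elif stage and host in lure_at and when - lure_at[host] <= WINDOW:
            seen[host].add(stage)
    return {h: sorted(s) for h, s in seen.items() if s & {"uac", "rmm"}}

def proc(host, time, image, parent, cmdline):
    return dict(host=host, time=time, type="proc", image=image, parent=parent, cmdline=cmdline)

# Constructed sample telemetry: hosts, paths and file names are invented.
EVENTS = [
    proc("PC-01", "2026-06-23T09:00:00", r"C:\Windows\System32\wscript.exe", r"C:\Program Files\WhatsApp\WhatsApp.exe", r'wscript.exe "C:\Users\a\Downloads\Payment_Advice.vbs"'),
    proc("PC-01", "2026-06-23T09:00:20", r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\Users\a\AppData\Local\Temp\s2.vbs"),
    dict(host="PC-01", time="2026-06-23T09:01:00", type="reg", target=r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    proc("PC-01", "2026-06-23T09:03:00", r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\wscript.exe", r"msiexec /i C:\Users\a\AppData\Local\Temp\ManageEngine_RMM_agent.msi /qn"),
    proc("PC-02", "2026-06-23T10:00:00", r"C:\Windows\System32\msiexec.exe", r"C:\Windows\CCM\CcmExec.exe", r"msiexec /i \\deploy\sw\ManageEngine_RMM_agent.msi /qn"),
    proc("PC-03", "2026-06-23T11:00:00", r"C:\Windows\System32\wscript.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe", r'wscript.exe "C:\Users\c\Downloads\Quote.vbs"'),
]
```

`detect(EVENTS)` flags only PC-01: the IT-deployed agent on PC-02 and the lone script run on PC-03 do not complete the chain. A script saved and then opened from Explorer has `explorer.exe` as its parent, so a production rule would also consider the file's download location.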