WhatsApp VBScript infection chain installing ManageEngine RMM Central
Malware Activity
Summary
VBScript attachments spread through WhatsApp direct messages are now driving a multi-stage Windows infection chain that can end in remote access to victim systems. The scripts are disguised as business and financial documents and are launched with WScript.exe. On execution, they fetch additional components and can install ManageEngine RMM Central, giving the operator control over infected machines. The activity is affecting WhatsApp Desktop and WhatsApp Web users across multiple countries, with the highest concentration in Malaysia.
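Detection sketch for the chain summarized above, as an added example that is not from Kaspersky or any cited source: it walks Sysmon-style process-creation events, flags WScript.exe running a .vbs file handed over by WhatsApp Desktop or a browser, and groups every descendant process under that root. The parent-process list, field names and all sample events are assumptions constructed for illustration; PID reuse is ignored.

```python
import ntpath
import re

# Assumption: processes that can hand a received attachment to the script host
# (WhatsApp Desktop, or a browser running WhatsApp Web).
DELIVERY_PARENTS = {"whatsapp.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Script file name inside a command line that uses full paths, as Sysmon logs them.
VBS_RE = re.compile(r'([^\\/"]+\.vbs)\b', re.IGNORECASE)

def base(path):
    return ntpath.basename(path).lower()

def find_chains(events):
    """Map root PID -> ordered findings: a wscript.exe run of a .vbs file started
    by a delivery parent, followed by every process descended from it."""
    chains, owner = {}, {}  # owner: pid -> root pid of the chain it belongs to
    for e in sorted(events, key=lambda e: e["UtcTime"]):
        pid, ppid, image = e["ProcessId"], e["ParentProcessId"], base(e["Image"])
        script = VBS_RE.search(e["CommandLine"])
        if ppid in owner:  # later stage: anything the flagged script spawned
            owner[pid] = owner[ppid]
            chains[owner[pid]].append(f"child: {image} | {e['CommandLine']}")
        elif image == "wscript.exe" and script and base(e["ParentImage"]) in DELIVERY_PARENTS:
            owner[pid] = pid
            chains[pid] = [f"root: {script.group(1)} via {base(e['ParentImage'])}"]
    return chains

def ev(t, pid, ppid, image, parent, cmd):
    return {"UtcTime": t, "ProcessId": pid, "ParentProcessId": ppid,
            "Image": image, "ParentImage": parent, "CommandLine": cmd}

WS = r"C:\Windows\System32\wscript.exe"
SETUP = r"C:\Users\a\AppData\Local\Temp\pkg\setup.exe"
# Constructed sample events: every path, PID, time and file name is invented.
SAMPLE_EVENTS = [
    ev("2026-01-01 09:00:01", 5200, 4100, WS, r"C:\Program Files\WhatsApp\WhatsApp.exe",
       rf'"{WS}" "C:\Users\a\Downloads\Payment_Advice.vbs"'),
    ev("2026-01-01 09:00:05", 5300, 5200, WS, WS,
       rf'"{WS}" "C:\Users\a\AppData\Local\Temp\stage2.vbs"'),
    ev("2026-01-01 09:00:20", 5400, 5300, SETUP, WS, rf'"{SETUP}"'),
    # Benign admin script started from Explorer: parent is not a delivery process.
    ev("2026-01-01 09:01:00", 6000, 900, WS, r"C:\Windows\explorer.exe",
       rf'"{WS}" "C:\Scripts\logon.vbs"'),
]

if __name__ == "__main__":
    for root, findings in find_chains(SAMPLE_EVENTS).items():
        print(root, *findings, sep="\n  ")
```
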
Related Happenings
WhatsApp VBScript attachment distribution campaign
Campaign
H score: 42
First: 23.06.2026 08:38
Last: 23.06.2026 08:38
Sources 1
How related:
Direct messages sent via WhatsApp are being used to distribute malicious Visual Basic Script (VBScript) files that lead to the installation of legitimate Remote Monitoring and Management (RMM) software.
About this happening:
The active **WhatsApp VBScript** campaign is spreading malicious attachments that can lead to **remote access** on victim systems. It targets **WhatsApp Desktop** and **WhatsApp W...
WhatsApp VBScript phishing campaign targeting users in multiple countries
Campaign
H score: 43
First: 23.06.2026 01:42
Last: 23.06.2026 01:42
Sources 1
About this happening:
An **ongoing phishing campaign** is using **compromised WhatsApp accounts** to send **obfuscated VBScript files** to users in **multiple countries**, creating a path to **remote s...
TA4922 expanded European phishing-and-malware campaign
Campaign
H score: 40
First: 04.06.2026 00:45
Last: 04.06.2026 00:45
Sources 1
About this happening:
**TA4922** is a **China-linked** cybercrime campaign that has expanded from **East Asia** into **Europe and Africa**, including **the U.K., Germany, Italy, and South Africa**. The...
Atlas RAT and related loaders deployed for remote access and credential theft
Malware Activity
H score: 33
First: 04.06.2026 00:45
Last: 04.06.2026 00:45
Sources 1
About this happening:
**TA4922**, a **China-linked** and likely **financially motivated** malware activity, has expanded beyond **East Asia** into **Europe** and **Africa**. The group uses **Atlas RAT*...
TCLBANKER banking trojan activity targeting 59 financial platforms
Malware Activity
H score: 20
First: 08.05.2026 21:12
Last: 08.05.2026 21:12
Sources 1
About this happening:
**TCLBANKER** is a newly documented **Brazilian banking trojan** that can hit **59 banking, fintech, and cryptocurrency platforms**, increasing the risk of credential theft and re...
Timeline
- 23.06.2026 08:38 · 2 articles
WhatsApp VBScript attachments install ManageEngine RMM Central on victim systems
Initial Disclosure: Kaspersky reported an active WhatsApp campaign targeting users of WhatsApp Desktop and WhatsApp Web across Malaysia, Brazil, India, Mexico, Singapore, the U.K., Spain, Taiwan, Australia, Russia, and Vietnam, with the highest concentration of victims in Malaysia. The malicious VBScript attachments are disguised as business and financial documents, launched with WScript.exe, and used to fetch additional VBScript components before downloading and executing a ZIP file that installs ManageEngine RMM Central to enable remote access. The activity remains unattributed, with infrastructure overlap at 202.61.160[.]201 linked to Gh0st RAT and ValleyRAT activity.
Sources:
- WhatsApp VBScript Campaign Uses Fake Documents to Install ManageEngine RMM Tool — thehackernews.com — 23.06.2026 08:38