- WhatsApp files deliver VBS malware that silently installs and takes full control
- Hidden folders and renamed Windows tools let attackers blend in with normal system activity
- Malware fetches secondary scripts from trusted cloud services to avoid detection
Microsoft has identified a multi-stage malware campaign that uses WhatsApp to deliver Visual Basic Script (VBS) files and exploits the trust users have in well-known messaging platforms.
Attackers send files that appear harmless through WhatsApp, but opening them triggers a silent installation that gives adversaries covert system control.
When executed, the scripts create hidden folders under C:\ProgramData and drop renamed copies of legitimate Windows tools, such as curl.exe renamed to netapi.dll and bitsadmin.exe renamed to sc.exe.
By placing these tools in normal system paths under misleading names, attackers make their activity blend in with routine operations; the renamed files still carry the original file metadata, however, which security solutions can capture and use to identify the real binary.
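The renaming described above leaves a detection handle: the version resource compiled into a Windows binary carries an OriginalFilename field, and a plain rename on disk does not change it. The PowerShell script below is an added example written for this article, not code from Microsoft's post or from the campaign. It walks a directory (C:\ProgramData by default, taken from the article), includes hidden items, and reports every file whose on-disk name differs from the original name embedded in its version information, along with its publisher and Authenticode status.

```powershell
# Added example (not from the Microsoft post): hunt for renamed copies of
# legitimate binaries by comparing the on-disk name with the PE version
# resource's OriginalFilename. Default root assumed from the article.
param(
    [string]$Root = (Join-Path $env:SystemDrive 'ProgramData')
)

function Find-RenamedSystemTools {
    param([Parameter(Mandatory)][string]$Path)

    # -Force includes hidden folders and files; the campaign hides its drop folder.
    Get-ChildItem -Path $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi = $_.VersionInfo                 # System.Diagnostics.FileVersionInfo
            $original = $vi.OriginalFilename
            # Files with no version resource give nothing to compare against.
            if ([string]::IsNullOrWhiteSpace($original)) { return }

            # Case-insensitive comparison: curl.exe stored as netapi.dll,
            # bitsadmin.exe stored as sc.exe, and similar renames fail this test.
            if ($original -ine $_.Name) {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Path             = $_.FullName
                    Name             = $_.Name
                    OriginalFilename = $original
                    Company          = $vi.CompanyName
                    Hidden           = (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
                    Signature        = if ($sig) { $sig.Status } else { 'Unknown' }
                    SignerSubject    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                }
            }
        }
}

# A valid Microsoft signature on a file whose name does not match its original
# name is exactly the renamed-LOLBin pattern the article describes.
Find-RenamedSystemTools -Path $Root |
    Sort-Object Company, Name |
    Format-Table Path, OriginalFilename, Company, Hidden, Signature -AutoSize
```

Legitimate software does ship files whose OriginalFilename differs from the installed name, so treat the output as a triage list rather than a verdict, and prioritise hits whose signature is valid and whose signer is Microsoft. The check also misses binaries whose version resource has been stripped or edited, so pair it with hash matching against known-good system files and with the process and network telemetry that a renamed curl.exe or bitsadmin.exe still generates when it runs.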
The malware changes system settings to start automatically after every reboot, ensuring survival even when users believe they have removed the threat.
Microsoft warns that this approach combines social engineering with living-off-the-land techniques, increasing the chance of successful execution without raising immediate alerts.
“By combining trusted platforms with legitimate tools, the threat actor reduces visibility and increases the likelihood of successful execution,” Microsoft said in a blog post.
After the initial infection, the malware retrieves secondary payloads from cloud services, including AWS S3, Tencent Cloud, and Backblaze B2.
Delivered as auxs.vbs and WinUpdate_KB5034231.vbs, these droppers leverage trusted cloud infrastructure and disguise malicious downloads as legitimate network traffic.
The malware also changes User Account Control settings and repeatedly tries to run cmd.exe with elevated privileges until it succeeds.
The malware modifies registry entries under HKLM\Software\Microsoft\Win... to suppress UAC prompts and obtain administrative rights without the user's awareness.
In the final stage, attackers deploy malicious Microsoft Installer (MSI) files such as Setup.msi, WinRAR.msi, LinkPoint.msi, and AnyDesk.msi on compromised systems.
These unsigned installers give attackers persistent remote access and enable data theft, further malware deployment, or integration of infected machines into botnets.
Microsoft recommends monitoring repeated tampering with UAC and registry changes as key indicators of compromise.
Organizations should restrict execution of script hosts, monitor renamed system tools, and educate users about social engineering tactics.
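Microsoft's advice to watch for UAC tampering, registry changes, script-host abuse and autorun persistence can be turned into a quick host audit. The PowerShell below is an added example written for this article, not Microsoft's code or anything from the campaign. The registry paths are the documented Windows locations for UAC policy, Windows Script Host settings and the per-machine and per-user Run keys; they are assumptions here, because the article truncates the key it names. The pattern list used to flag autorun entries is a constructed heuristic built from the tool and file names the article reports.

```powershell
# Added example (not from the Microsoft post): audit the settings this campaign
# tampers with. Registry paths are the documented Windows locations and are
# assumptions here; the article only gives a truncated key.
$UacKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$WshKey  = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
# Constructed heuristic: names the article associates with this campaign plus
# the script hosts that launch a .vbs dropper.
$SuspiciousAutorun = '(?i)(wscript|cscript|mshta|\.vbs\b|\.js\b|ProgramData|curl|bitsadmin|netapi\.dll|auxs|WinUpdate_KB)'

function Get-UacAudit {
    $p = Get-ItemProperty -Path $UacKey -ErrorAction Stop
    $findings = @()
    # EnableLUA = 0 switches UAC off entirely; nothing prompts for elevation.
    if ($p.EnableLUA -ne 1) {
        $findings += 'EnableLUA is not 1: UAC is disabled'
    }
    # ConsentPromptBehaviorAdmin = 0 elevates administrators silently.
    if ($p.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin is 0: administrators elevate without a prompt'
    }
    # PromptOnSecureDesktop = 0 draws the prompt on the normal desktop, where it can be automated or spoofed.
    if ($p.PromptOnSecureDesktop -ne 1) {
        $findings += 'PromptOnSecureDesktop is not 1: UAC prompt not on the secure desktop'
    }
    if (-not $findings) { $findings += 'UAC policy values look default' }
    $findings
}

function Get-ScriptHostAudit {
    # Windows Script Host runs .vbs/.js unless Enabled = 0 is present under $WshKey.
    $enabled = (Get-ItemProperty -Path $WshKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    if ($null -eq $enabled -or $enabled -ne 0) {
        'Windows Script Host is enabled: .vbs droppers will execute via wscript/cscript'
    } else {
        'Windows Script Host is disabled (Enabled = 0)'
    }
}

function Get-AutorunAudit {
    foreach ($key in $RunKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($entry in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... note properties PowerShell adds.
            if ($entry.Name -like 'PS*') { continue }
            $cmd = [string]$entry.Value
            if ($cmd -match $SuspiciousAutorun) {
                [pscustomobject]@{ Key = $key; Name = $entry.Name; Command = $cmd }
            }
        }
    }
}

'--- UAC policy ---';          Get-UacAudit
'--- Script host ---';         Get-ScriptHostAudit
'--- Suspicious autoruns ---'; Get-AutorunAudit | Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM reads succeed. A single snapshot shows the current state; the "repeated tampering" Microsoft describes only becomes visible if you schedule the audit or enable registry object auditing on the UAC key and alert on value changes. To restrict script hosts as the article recommends, set Enabled to 0 under the Windows Script Host Settings key, which blocks wscript.exe and cscript.exe from running .vbs files for every user on the machine.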
Microsoft emphasizes the importance of cloud-delivered protection, tamper protection, and endpoint detection and response that work in block mode.
Security teams must monitor cloud traffic closely, as conventional detection methods can have difficulty distinguishing these operations from routine business activity.
AI tools can help analyze behavioral anomalies, correlate telemetry and identify suspicious WhatsApp attachments.
Failure to exercise caution can result in permanent data loss as attackers gain full device control and access to sensitive personal information.
Microsoft emphasizes that even a single careless click can allow this malware to bypass common endpoint protections.