Heads-up: a global phishing campaign is sliding into WhatsApp chats carrying what look like boring business documents but are actually booby-trapped scripts. Messages come from compromised friends and colleagues and tempt recipients with filenames like invoices, reports, or account notices — localized into several languages to seem extra legitimate. Security researchers have tracked infections in many countries.
What’s going on
Attackers hijack real WhatsApp accounts and send out heavily obfuscated VBS attachments that mimic routine workplace files. If you open one on a Windows machine, that little script will pull down more code, make system changes (including tweaking the Registry to weaken UAC protections), and unzip a package that silently installs remote management software.
The installed tool is configured to talk to attacker-controlled servers, effectively giving the bad actors remote admin access to your PC. The trick is nastier on desktop: files opened in the WhatsApp Desktop client can be executed directly using Windows Script Host (wscript.exe), whereas WhatsApp Web generally requires you to download the file first.
Telemetry from security researchers shows the campaign spreading across multiple countries. Investigators noticed signs like Chinese language artefacts and overlaps with infrastructure used in prior RAT activity, but there isn’t enough evidence to finger a single actor with confidence.
How the scam plays out and how to dodge it
In plain English: a contact you know (but whose account was compromised) sends a file. You open it. The first script fetches more scripts, disables safeguards, and installs remote management software — handing strangers control. The key players here are VBScript delivery and ManageEngine-style remote access being abused.
- Don’t open unexpected attachments — even from friends. If a file arrives out of the blue, confirm with the sender via a different channel before touching it.
- Scan any downloaded file with up-to-date antivirus before running anything.
- Sign out of WhatsApp Web sessions you don’t recognize and enable two-step verification on your WhatsApp account.
- Keep Windows and security tools patched. Old systems make life easier for attackers.
- If you suspect infection: disconnect from the network, run a full AV/endpoint scan, and seek IT help. Look for unexpected remote management services and uninstall suspicious software or restore from a clean backup if needed.
- Train teams and family to treat even familiar senders with suspicion when messages contain attachments they wouldn’t normally send.
Short version: treat files like suspicious packages — don’t rip open the tape just because your neighbor sent it. Verify first, scan everything, and keep your systems locked down.