Targeting WhatsApp Desktop and WhatsApp Web users, the crimeware campaign distributes malicious VBScript files via direct messages on the platform. Victims have been identified across multiple countries and territories, including Malaysia, Brazil, Singapore, Taiwan and Vietnam, with the highest number of observed victims located in Malaysia. The use of multiple languages in file names also points to broad regional targeting, especially across Europe.
The campaign was revealed in June 2026 by Kaspersky Global Research and Analysis Team (GReAT). According to their research, the crimeware actor uses WhatsApp accounts that have been previously compromised to distribute malicious attachments. The messages are sent from those accounts’ existing contacts, which increases the likelihood that recipients will view the files. Once installed, the malware enables remote access to the system through standard administrative capabilities intended for legitimate IT support and management use.
The social engineering component relies on file names designed to resemble routine business documents. Observed examples include invoices, bank statements, account statements, payment records and debt notices. File names are also localised into multiple languages, including Malay, English, Portuguese, French and German, indicating distribution across different language regions. In addition, the VBScript samples contain extensive comments and metadata intended to mimic legitimate Microsoft Windows Update components.
Examples of WhatsApp messages containing the malicious VBScript file.Source: alleged victim posts on social media
“In this campaign, attackers are exploiting trust within messaging platforms by using compromised WhatsApp accounts to deliver malicious attachments that appear to originate from known contacts, making recipients far more inclined to engage with them. The file names are carefully disguised as routine business documents, such as invoices and payment notices, and localised across multiple languages to support broad targeting. Once opened, they trigger a staged infection chain that silently retrieves and executes additional malicious components from external infrastructure,” says Fareed Radzi, security researcher at Kaspersky GReAT.
The execution flow of the attachment follows a multi-stage process on the affected system. Once opened, the file triggers a scripted sequence on the device. The initial script creates a working directory under C:\Users\Public\Documents\, then retrieves additional script files from external infrastructure and executes them using Windows Script Host. These follow-up scripts perform additional system actions and download a compressed archive from the same infrastructure. The archive contains an installation package for remote monitoring and management software.
The full report is available on Securelist.com.
Kaspersky GReAT experts recommend users to:
- Be cautious when receiving unexpected attachments through WhatsApp, even when they appear to originate from known contacts, as they may be able to execute malware.
- Do not open script and executable file types such as .vbs, .vbe, .exe, .bat, .cmd, .js, and .ps1 unless their legitimacy has been independently verified.
- Use a strong security solution on all computers and mobile devices, such as Kaspersky Premium. It will warn you and prevent any infection.
As part of the initiative, Kaspersky is offering up to 23% off Kaspersky Premium subscriptions. The promotion provides users with access to advanced cybersecurity protection designed to safeguard devices, personal data, and online activities against evolving and sophisticated threats across multiple platforms.