WhatsApp Attack Uses VBScript Files Disguised as Business Documents to Take Control of Systems

340/69 Wednesday, June 24, 2026

Reports have emerged of a cyberattack campaign targeting WhatsApp users in multiple countries around the world, including countries in Asia. Threat actors are sending deceptive messages with malicious VBScript attachments through compromised WhatsApp accounts. The attack abuses the trust associated with people in the victim’s contact list to trick users into downloading files disguised as business documents or invoices. If the victim opens the file on a Windows system, it can trigger the stealthy installation of malicious software and allow threat actors to remotely control the compromised computer.

Analysis of the attack pattern found that threat actors send files with .vbs or .vbe extensions using names that match local languages and financial contexts, such as Reconciliation.vbs, Acknowledgment of Debt.vbs, or Customer Statement(A).vbe. When the user runs the file, the script executes through Windows Script Host and downloads additional scripts to modify the Registry by setting ConsentPromptBehaviorAdmin to 0 in order to bypass Windows UAC security prompts. It then downloads a ZIP file containing ManageEngine Endpoint Central components, such as UEMSAgent.msi and setup1.vbs. The script secretly installs the software and configures the system to connect to the threat actors’ server, allowing the attackers to obtain administrator privileges and control the victim’s machine. Initial findings show links between the infrastructure and certain threat groups, but evidence is still being collected for confirmation.

To reduce the risk and prevent users from falling victim, users should exercise greater caution when downloading or opening files sent through messaging applications, even if the files appear to come from known contacts. If a file transfer seems unusual, users should verify the sender’s identity and intent through another communication channel. Users should also avoid opening files with script-related extensions directly and should scan downloaded files with antivirus software that has up-to-date detection databases. For organizational administrators, abnormal software installation activity should be monitored closely, especially the installation of unauthorized remote management tools, in order to prevent potential damage to internal networks.
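As an added example (not code from the report or from BleepingComputer), the following Python sketches the host-based detection the last paragraph calls for, keyed to the three stages described above: a .vbs/.vbe file launched through Windows Script Host, ConsentPromptBehaviorAdmin set to 0, and a silent UEMSAgent.msi install spawned by a script host. The sample events, field names and file paths are constructed assumptions modelled on Sysmon process-creation (ID 1) and registry value-set (ID 13) events.

```python
import re

# Constructed sample events (not real telemetry); paths are assumptions.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\alice\Downloads\WhatsApp\Reconciliation.vbs"',
     "parent": r"C:\Program Files\WindowsApps\WhatsApp\WhatsApp.exe"},
    {"id": 13, "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"
                         r"\Policies\System\ConsentPromptBehaviorAdmin",
     "details": "DWORD (0x00000000)"},
    {"id": 1, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r'msiexec.exe /i "C:\Users\alice\AppData\Local\Temp\UEMSAgent.msi" /qn',
     "parent": r"C:\Windows\System32\wscript.exe"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "cmd": "notepad.exe report.txt", "parent": r"C:\Windows\explorer.exe"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")          # Windows Script Host binaries
SCRIPT_EXT = re.compile(r"\.vb[se]\b", re.IGNORECASE)   # .vbs / .vbe attachments
UAC_VALUE = r"\policies\system\consentpromptbehavioradmin"

def classify(event):
    """Return the names of the campaign indicators one event triggers."""
    alerts = []
    if event["id"] == 1:
        image, cmd = event["image"].lower(), event["cmd"]
        parent = event.get("parent", "").lower()
        # Stage 1: a .vbs/.vbe file run through WSH, worse if it arrived via WhatsApp.
        if image.endswith(SCRIPT_HOSTS) and SCRIPT_EXT.search(cmd):
            alerts.append("wsh_script_launch")
            if "whatsapp" in parent + cmd.lower():
                alerts.append("script_from_messaging_app")
        # Stage 3: silent Endpoint Central agent install spawned by a script host.
        if image.endswith("msiexec.exe") and "uemsagent.msi" in cmd.lower():
            alerts.append("uems_agent_install")
            if parent.endswith(SCRIPT_HOSTS):
                alerts.append("rmm_install_from_script")
    elif event["id"] == 13 and event["target"].lower().endswith(UAC_VALUE):
        # Stage 2: ConsentPromptBehaviorAdmin = 0 removes the UAC prompt for admins.
        m = re.search(r"0x([0-9a-f]+)", event["details"], re.IGNORECASE)
        if m and int(m.group(1), 16) == 0:
            alerts.append("uac_consent_prompt_disabled")
    return alerts

def scan(events):
    """Map each indicator name to the indices of the events that raised it."""
    hits = {}
    for i, ev in enumerate(events):
        for name in classify(ev):
            hits.setdefault(name, []).append(i)
    return hits
```

Correlating the three indicators on one host within a short window is what separates this campaign from a legitimate, administrator-driven Endpoint Central rollout.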

Source: https://www.bleepingcomputer.com/news/security/whatsapp-phishing-attack-uses-fake-business-docs-to-hack-pcs/