WhatsApp VBS Campaign Installs ManageEngine RMM for Remote Access

Trust in a familiar sender keeps turning into a weak point. A new campaign against WhatsApp users builds on exactly that bet. The attackers send malicious files from already-hijacked accounts. They disguise the attachments as business and financial documents.
Who Is Being Targeted
According to Kaspersky, the attacks reached users in Brazil, India, Mexico, Singapore, the UK, Spain, Taiwan, Australia, Russia, Vietnam, and Malaysia. Malaysia accounts for most of the victims. The messages arrive from the victim’s real contacts and carry a heavily obfuscated VBS file. The file names match the recipient’s language. They pose as reports, invoices, account notices, or other work documents.
How the Infection Chain Works
The attack only works if the user runs the attachment on Windows. Once launched, the script reaches the attackers’ infrastructure and pulls down two more scripts. The next stage changes registry settings and disables UAC protection. Then it downloads a ZIP archive with ManageEngine Endpoint Central.
That tool is legitimate. Normally, it helps administrators manage computers from a single panel. In this campaign, however, the program quietly connects the infected PC to the attackers’ servers. The whole chain avoids an obviously malicious binary. You can read Kaspersky’s full technical analysis for the stage-by-stage breakdown.
Web Client vs. Desktop App
Kaspersky notes a key difference between the two WhatsApp versions. With WhatsApp Web, the user must download the attachment first. On the desktop client, the file can run directly through Windows Script Host. So the desktop app shortens the path to execution.
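The chain described in the two sections above leaves a recognisable trace on the endpoint: a chat client spawning Windows Script Host on a freshly downloaded .vbs file, a script host launching a second script from a temp folder, and then a registry write that turns UAC off. The rules below are an added example of that detection logic, not Kaspersky's code or anything from the WhatsApp project. The event records are constructed to resemble Sysmon Event ID 1 (ProcessCreate) and Event ID 13 (RegistryEvent SetValue); the client image name `WhatsApp.exe`, its install path and the user names are assumptions, not values from the report.

```python
"""Detection rules for the WhatsApp -> VBS -> UAC-tamper chain (added example).

Event dicts mimic Sysmon Event ID 1 (ProcessCreate) and Event ID 13
(RegistryEvent SetValue). All sample telemetry is constructed, not captured.
"""
import re
from typing import Iterable, List, Optional

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
CHAT_CLIENTS = {"whatsapp.exe"}  # assumed image name of the desktop client
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")
USER_DROP_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\")
# Values under this key that weaken or disable UAC when set to 0
UAC_KEY = "hklm\\software\\microsoft\\windows\\currentversion\\policies\\system"
UAC_VALUES = {"enablelua", "consentpromptbehavioradmin"}
DWORD_RE = re.compile(r"dword \(0x([0-9a-f]{8})\)", re.I)


def _base(path: str) -> str:
    """Lower-cased file-name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> Optional[str]:
    """Return an alert string for one event, or None if it looks benign."""
    if ev.get("EventID") == 1:  # ProcessCreate
        image, parent = _base(ev["Image"]), _base(ev["ParentImage"])
        if image not in SCRIPT_HOSTS:
            return None
        if parent in CHAT_CLIENTS:
            return f"script host {image} launched directly by chat client {parent}"
        cmd = ev.get("CommandLine", "").lower().replace('"', "").rstrip()
        if any(d in cmd for d in USER_DROP_DIRS) and cmd.endswith(SCRIPT_EXTS):
            return f"script host {image} running a script from a download/temp folder"
        return None
    if ev.get("EventID") == 13:  # RegistryEvent (SetValue)
        key, _, value = ev["TargetObject"].lower().rpartition("\\")
        if key == UAC_KEY and value in UAC_VALUES:
            m = DWORD_RE.search(ev.get("Details", ""))
            if m and int(m.group(1), 16) == 0:
                return f"UAC weakened: {value} set to 0 by {_base(ev.get('Image', '?'))}"
    return None


def detect(events: Iterable[dict]) -> List[str]:
    """Run every rule over the event stream and return alerts in order."""
    return [a for ev in events if (a := check_event(ev))]


# Constructed sample telemetry (not real data) reproducing the chain.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "CommandLine": "explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Users\ana\AppData\Local\WhatsApp\WhatsApp.exe",  # assumed path
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\ana\Downloads\Fatura_2024.vbs"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\ana\AppData\Local\Temp\stage2.vbs"'},
    {"EventID": 13, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000001)"},  # value set to 1: UAC on, no alert
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

The first rule is the one that separates the desktop client from WhatsApp Web: on the desktop app the script host's parent is the chat client itself, whereas a file saved from the browser and double-clicked later shows `explorer.exe` as the parent and is caught only by the download-folder rule. The registry rule fires only when the value is actually written as zero, so routine policy refreshes that re-set `EnableLUA` to 1 stay quiet.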
Attribution Stays Uncertain
The exact method for hijacking the WhatsApp accounts is still unknown. Researchers found Chinese-language text in the script comments. They also saw infrastructure overlap with an address tied to past ValleyRAT and Gh0st RAT activity. However, the evidence is too thin for confident attribution. Kaspersky assesses only with low confidence that the operator is Chinese-speaking.
How to Stay Safe
A simple check goes a long way here. Verify any attachment through another channel, even when it comes from a known contact. Scan downloaded documents with an up-to-date antivirus before you open them. Better still, do not open suspicious VBS files at all. As a rule, script files like VBS, VBE, EXE, BAT, CMD, JS, and PS1 do not belong in a chat app.
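The extension rule above is easy to state but easy to get wrong in practice, because Windows hides known extensions by default and ignores trailing dots and spaces in a file name, so a file shown as `Fatura.pdf` may really be `Fatura.pdf.vbs`. The triage function below is an added example, not the article's or Kaspersky's code; the blocked list is the article's own, and the handling of double extensions and trailing characters is an assumption about how a chat or mail gateway filter would normally be written.

```python
"""Attachment-name triage for chat-delivered files (added example)."""
from typing import Tuple

# Types the article says do not belong in a chat app
BLOCKED_EXTS = {"vbs", "vbe", "exe", "bat", "cmd", "js", "ps1"}
# Document types an attacker would want the visible part of the name to show
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}


def real_extension(name: str) -> str:
    """Extension Windows will actually dispatch on: trailing dots and spaces
    are dropped by the file system, so 'invoice.vbs ' still runs as .vbs."""
    clean = name.rstrip(". ")
    return clean.rsplit(".", 1)[-1].lower() if "." in clean else ""


def triage(name: str) -> Tuple[str, str]:
    """Return ('block' | 'allow', reason) for one attachment file name."""
    ext = real_extension(name)
    if ext in BLOCKED_EXTS:
        parts = name.rstrip(". ").lower().split(".")
        if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS:
            return ("block", f"double extension: displays as .{parts[-2]} with "
                             f"known extensions hidden, runs as .{ext}")
        return "block", f"script/executable type .{ext}"
    return "allow", f"type .{ext or 'none'} not in block list"


if __name__ == "__main__":
    # Constructed file names, not samples from the campaign
    for n in ["Invoice_Q3.vbs", "Fatura.PDF.vbs ", "report.pdf", "notes"]:
        print(f"{n!r:22} -> {triage(n)}")
```

The check runs on the normalised name rather than the displayed one, which is the point: a rule that trusted what the user sees in Explorer would allow exactly the disguised names this campaign relies on.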
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.