Cybersecurity firm Kaspersky has uncovered a significant new crimeware operation that spreads malicious files through the popular messaging service WhatsApp. Researchers from the company’s Global Research and Analysis Team (GReAT) detailed the findings in a recent update shared on June 22, 2026. The campaign relies on a classic social-engineering tactic.
Attackers first compromise legitimate WhatsApp accounts and then use those accounts to send direct messages containing harmful attachments to the victims’ existing contacts.
Because the messages appear to come from known individuals, recipients are far more likely to open the files.
The operation specifically targets users of WhatsApp Desktop and WhatsApp Web.
The malicious attachments are VBScript files with the .vbs extension.
These files carry names that mimic ordinary business documents, such as invoices, bank statements, account summaries, payment records, or debt notices.
The file names are localized into multiple languages—including English, Portuguese, French, German, and Malay—to appeal to users across different regions.
Once opened, the script initiates a multi-stage infection process. It first creates a working directory at C:\Users\Public\Documents\. It then uses the Windows Script Host to retrieve and execute additional scripts hosted on infrastructure controlled by the attackers.
These follow-up scripts perform further system modifications and download a compressed archive containing an installation package for remote monitoring and management (RMM) software.
RMM tools are legitimate applications commonly used by IT professionals for remote support and system administration.
In this case, the attackers abuse the software’s built-in capabilities to gain full remote administrative access to the infected computer.
The initial VBScript files contain extensive comments and metadata deliberately crafted to resemble those found in genuine Microsoft Windows Update components, helping the malware blend in with normal system activity.
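As an added example (not code from Kaspersky's report), the following Python triage rule checks process-creation events for Windows Script Host running a script from a download location or from the C:\Users\Public\Documents\ working directory described above. The event field names, the Downloads and WhatsApp path hints, and the sample events are assumptions made for illustration.

```python
import ntpath
import re

# Extensions the article lists as risky attachment types.
RISKY_EXT = {".vbs", ".vbe", ".exe", ".bat", ".cmd", ".js", ".ps1"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # Windows Script Host binaries
STAGING_DIR = "c:\\users\\public\\documents\\"  # working directory named in the article
# Assumption: attachments are saved under a Downloads folder or a path naming WhatsApp.
DELIVERY_HINTS = ("\\downloads\\", "whatsapp")
_TOKEN = re.compile(r'"([^"]+)"|(\S+)')  # quoted or bare command-line argument


def script_args(command_line):
    """Return the arguments (image excluded) whose extension is in RISKY_EXT."""
    tokens = [quoted or bare for quoted, bare in _TOKEN.findall(command_line)]
    return [t for t in tokens[1:] if ntpath.splitext(t)[1].lower() in RISKY_EXT]


def triage(event):
    """Return the reasons a process-creation event matches the described chain."""
    if ntpath.basename(event["image"]).lower() not in SCRIPT_HOSTS:
        return []
    reasons = []
    for path in script_args(event["command_line"]):
        low = path.lower()
        if any(hint in low for hint in DELIVERY_HINTS):
            reasons.append("script host ran attachment-like file: " + path)
        if low.startswith(STAGING_DIR):
            reasons.append("script host ran file from public staging dir: " + path)
    return reasons


# Constructed sample events (not taken from the report); file names are made up.
EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'"C:\Windows\System32\WScript.exe" "C:\Users\alice\Downloads\Invoice_0626.vbs"'},
    {"image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"wscript.exe //B C:\Users\Public\Documents\stage2.vbs"},
    {"image": r"C:\Windows\System32\cscript.exe",
     "command_line": r"cscript.exe C:\Windows\System32\slmgr.vbs /dli"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe C:\Users\alice\Downloads\notes.js"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        for reason in triage(ev):
            print(reason)
```

The third and fourth events show what the rule leaves alone: a script host running a script from System32, and a non-script-host process opening a .js file.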
Detections linked to the campaign have been observed in several countries. Malaysia recorded the highest number of victims, while other affected locations include Brazil, Singapore, Taiwan, and Vietnam.
The use of localized file names suggests the operators are also actively targeting users across Europe and other regions.
This type of attack poses serious risks because successful installation of the RMM package gives threat actors persistent remote control over the victim’s machine.
Such access can be used for data theft, further malware deployment, or other malicious activities without the user’s knowledge.
Kaspersky experts recommend several practical steps to reduce exposure.
Users should treat any unexpected attachments received via WhatsApp with caution—even when they appear to come from familiar contacts.
Script and executable file types such as .vbs, .vbe, .exe, .bat, .cmd, .js, and .ps1 should not be opened unless their legitimacy can be independently confirmed.
Installing a robust security solution on computers and mobile devices provides an additional layer of protection by detecting and blocking suspicious behavior.
The campaign highlights how attackers continue to exploit trusted communication channels and legitimate administrative tools to bypass traditional defenses. As messaging apps remain central to both personal and professional interactions, vigilance against unexpected files remains one of the most effective safeguards.