Microsoft warns hackers are using WhatsApp messages to deliver VBS malware that hijacks Windows PCs via MSI backdoors.

Microsoft has warned of a new malware campaign in which attackers use WhatsApp messages to distribute malicious files capable of compromising Windows computers.
Security researchers said the campaign began in late February 2026 and relies on social-engineering tactics to trick users into opening a harmful attachment delivered through the messaging platform. The malicious file is typically a Visual Basic Script (VBS) that initiates a multi-stage infection chain once executed.
After the script is launched, it copies legitimate Windows utilities and disguises them under misleading names. These tools are then used to download additional malicious components from cloud services, helping the attackers blend malicious activity with normal network traffic.
The malware also attempts to bypass User Account Control (UAC) protections by manipulating system registry settings and repeatedly trying to launch processes with elevated privileges. If successful, the attackers can gain persistent access to the infected system.
In the final stage of the attack, the malware deploys unsigned MSI installer packages, which may include legitimate remote-access software such as AnyDesk. This allows the threat actors to maintain long-term remote control of the victim’s computer, potentially enabling data theft or further malware deployment.
Microsoft noted that the campaign does not exploit a flaw in WhatsApp itself. Instead, it relies on users being convinced to run the malicious attachment, highlighting how social-engineering tactics remain a major entry point for cyberattacks.
Security experts advise users to avoid opening unexpected attachments sent through messaging apps and to verify files before executing them, especially when they contain script or installer extensions.
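For defenders, the renamed-utility stage described above leaves a mismatch between a binary's on-disk name and the original file name embedded in its version resource. The Python below is an added example, not code from Microsoft's report: it assumes Sysmon process-creation (Event ID 1) records already parsed into dicts, and all sample events, paths and file names are constructed placeholders.

```python
import ntpath

# Windows Script Host binaries, which are what execute a .vbs attachment.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def _name(path):
    return ntpath.basename(path or "").lower()

def _original(event):
    # Some version resources report "NAME.EXE.MUI"; drop the suffix before comparing.
    name = (event.get("OriginalFileName") or "").lower()
    return name[:-4] if name.endswith(".mui") else name

def find_renamed_utilities(events):
    """Flag processes whose on-disk name differs from the PE OriginalFileName
    and whose ancestry (within the supplied events) includes a script host."""
    by_guid = {e["ProcessGuid"]: e for e in events}

    def under_script_host(event):
        seen = set()
        while event is not None and event["ProcessGuid"] not in seen:
            seen.add(event["ProcessGuid"])
            if _name(event["ParentImage"]) in SCRIPT_HOSTS:
                return True
            event = by_guid.get(event["ParentProcessGuid"])
        return False

    alerts = []
    for e in events:
        original = _original(e)
        if original in ("", "-", "?"):  # no usable version resource
            continue
        if _name(e["Image"]) != original and under_script_host(e):
            alerts.append((e["Image"], e["OriginalFileName"]))
    return alerts

def _ev(guid, parent_guid, image, original, parent_image):
    return {"ProcessGuid": guid, "ParentProcessGuid": parent_guid, "Image": image,
            "OriginalFileName": original, "ParentImage": parent_image}

# Constructed sample events; every path and file name below is a placeholder.
SAMPLE = [
    _ev("g1", "g0", r"C:\Windows\System32\wscript.exe", "wscript.exe", r"C:\Windows\explorer.exe"),
    _ev("g2", "g1", r"C:\ProgramData\placeholder-a.exe", "example-utility.exe", r"C:\Windows\System32\wscript.exe"),
    _ev("g3", "g2", r"C:\ProgramData\placeholder-b.exe", "EXAMPLE-TOOL.EXE.MUI", r"C:\ProgramData\placeholder-a.exe"),
    _ev("g4", "g9", r"C:\Tools\placeholder-c.exe", "vendor-tool.exe", r"C:\Windows\explorer.exe"),
    _ev("g5", "g1", r"C:\Windows\System32\cmd.exe", "Cmd.Exe", r"C:\Windows\System32\wscript.exe"),
]

if __name__ == "__main__":
    for image, original in find_renamed_utilities(SAMPLE):
        print(f"renamed binary under script host: {image} (OriginalFileName={original})")
```

Some legitimate software also ships binaries under names that differ from their version resource, so a hit is a lead to triage rather than a verdict.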






