Overview
- Microsoft detailed an ongoing campaign active since late February 2026 that sends malicious VBS files through WhatsApp to start a multi‑stage infection on Windows PCs.
- Once a victim runs the attachment, the script stages hidden files under C:\ProgramData and drops renamed copies of built-in Windows utilities, including curl.exe saved as netapi.dll and bitsadmin.exe saved as sc.exe.
- Defenders can flag these masquerades by comparing a file's on-disk name with the OriginalFilename embedded in its PE version resource; a mismatch (compared case-insensitively) is the signal, though a missing or edited version resource yields no match either way, so the check complements rather than replaces path- and behaviour-based detections.
- Using those planted tools, the malware downloads follow‑on scripts from AWS, Tencent Cloud, and Backblaze B2 so the traffic looks like routine access to trusted services.
- The chain then pushes for administrator rights by repeatedly re-issuing UAC prompts until one is accepted, writes persistence to the registry, and finishes by running unsigned MSI installers that deploy remote-access software such as AnyDesk, giving the attackers ongoing remote access and a path to steal data or stage additional malware.
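The name-versus-OriginalFilename comparison above can be run over process-creation telemetry that records both fields (Sysmon Event ID 1 exposes them as Image and OriginalFileName). The following is an added example written for this page, not code from Microsoft's report or from the page's author; the event records it scans are constructed for illustration, the field names follow the Sysmon convention, and the allowlist mechanism for locally verified benign renames is an assumption of this example rather than anything the report describes. It goes slightly beyond the two reported pairs by flagging any mismatch, while ranking the curl.exe/netapi.dll and bitsadmin.exe/sc.exe pairings from the report highest.

```python
"""Flag renamed Windows binaries by comparing the executed file's name
with the compiled-in OriginalFilename from its PE version resource.

Added example for this page; not Microsoft's or the article's code.
Records mimic Sysmon Event ID 1 fields (Image, OriginalFileName);
all sample events below are constructed, not captured from a host.
"""
import ntpath
from dataclasses import dataclass

# Renames named in the report: compiled-in name -> name it was dropped under.
REPORTED_RENAMES = {
    "curl.exe": "netapi.dll",
    "bitsadmin.exe": "sc.exe",
}


@dataclass
class Finding:
    image: str
    original_file_name: str
    reason: str  # "reported_rename" or "name_mismatch"


def normalize(name):
    """Lower-cased file-name component of a Windows path ('' if absent)."""
    return ntpath.basename((name or "").strip()).lower()


def is_masquerade(image, original_file_name, allowlist=frozenset()):
    """True when the on-disk name differs from the embedded OriginalFilename.

    A missing version resource ('' or the '-'/'?' placeholders some sensors
    emit) cannot be compared and is deliberately not treated as a hit here:
    an attacker who strips the resource defeats this check, so pair it with
    path- and behaviour-based rules. `allowlist` holds (original, image)
    pairs verified benign in your environment (hypothetical mechanism).
    """
    img = normalize(image)
    orig = normalize(original_file_name)
    if not orig or orig in {"-", "?"}:
        return False
    if (orig, img) in allowlist:
        return False
    return img != orig


def classify(image, original_file_name, allowlist=frozenset()):
    """Return a finding reason, or None when the names agree."""
    if not is_masquerade(image, original_file_name, allowlist):
        return None
    img, orig = normalize(image), normalize(original_file_name)
    if REPORTED_RENAMES.get(orig) == img:
        return "reported_rename"   # exact pairing seen in the campaign
    return "name_mismatch"         # any other renamed binary


def scan(records, allowlist=frozenset()):
    """Run classify() over Sysmon-style event dicts; return Finding list."""
    findings = []
    for rec in records:
        image = rec.get("Image", "")
        orig = rec.get("OriginalFileName", "")
        reason = classify(image, orig, allowlist)
        if reason:
            findings.append(Finding(image, orig, reason))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe"},
    {"Image": r"C:\ProgramData\netapi.dll", "OriginalFileName": "curl.exe"},
    {"Image": r"C:\ProgramData\sc.exe", "OriginalFileName": "bitsadmin.exe"},
    {"Image": r"C:\Windows\System32\sc.exe", "OriginalFileName": "sc.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe"},
    {"Image": r"C:\ProgramData\log.tmp", "OriginalFileName": "certutil.exe"},
    {"Image": r"C:\Tools\legacy.exe", "OriginalFileName": "-"},
]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.reason:16} {f.image}  (OriginalFilename={f.original_file_name})")
```

On a live Windows host the same comparison can be made per file with PowerShell by reading `(Get-Item $path).VersionInfo.OriginalFilename` and comparing it to the file name; the event-based form above is preferable for hunting because it catches the renamed copy at the moment it executes, even if the file is later deleted.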