Overview
- The campaign spreads via ZIP attachments that hide a Windows .LNK shortcut which runs a PowerShell script to download and install the payload.
- When WhatsApp Web is active on a Windows desktop, the malware automatically resends the infected file to the user’s contacts and groups, accelerating distribution.
- Post-infection behavior includes persistence via the system startup folder and communication with a command-and-control server.
- Trend Micro has not confirmed data theft or file encryption in this wave, though multiple reports warn the technique could capture banking credentials through fake overlay windows.
- Security guidance urges users to avoid unexpected ZIPs, disable automatic downloads, keep operating systems and antivirus updated, and apply corporate controls on file transfers.
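The "corporate controls on file transfers" item above can be made concrete at a mail or chat gateway by refusing ZIP attachments that carry a Windows shortcut, which is the first link in the chain this overview describes. The following Python is an added illustration, not code from Trend Micro or from the report: it inspects an archive in memory and flags members that are `.LNK` files by extension or by the Shell Link header (HeaderSize 0x4C plus the ShellLink CLSID from the public [MS-SHLLINK] layout), so a shortcut renamed to `.jpg` or wrapped in a second ZIP is still caught. The sample archives are constructed inline; the size and depth caps are assumptions chosen for the example.

```python
"""Added example (not from the report): flag ZIP attachments that carry a
Windows .LNK shortcut, by name or by file header, including nested archives."""
import io
import zipfile

# First 20 bytes of a Shell Link file per [MS-SHLLINK]: HeaderSize 0x4C followed
# by the ShellLink CLSID 00021401-0000-0000-C000-000000000046 in on-disk order.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")
MAX_INSPECT = 4 * 1024 * 1024  # bytes read per member; bounds work on zip bombs
MAX_DEPTH = 2                  # nested ZIP layers to descend (assumed policy)


def suspicious_entries(zip_bytes: bytes, depth: int = 0, prefix: str = "") -> list:
    """Return members that look like Windows shortcuts, with the reasons."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = prefix + info.filename
            with zf.open(info) as fh:
                data = fh.read(MAX_INSPECT)
            reasons = []
            if name.lower().endswith(".lnk"):      # catches invoice.pdf.lnk too
                reasons.append("lnk-extension")
            if data.startswith(LNK_MAGIC):         # catches a .LNK renamed to .jpg
                reasons.append("lnk-header")
            if reasons:
                findings.append({"name": name, "reasons": reasons})
            elif data.startswith(b"PK\x03\x04") and depth < MAX_DEPTH:
                try:                               # look inside ZIP-in-ZIP wrappers
                    findings.extend(suspicious_entries(data, depth + 1, name + "/"))
                except zipfile.BadZipFile:         # truncated or malformed inner ZIP
                    findings.append({"name": name, "reasons": ["nested-unreadable"]})
    return findings


def build_zip(members: dict) -> bytes:
    """Constructed in-memory archive for the demonstration; not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":  # constructed samples, built in memory
    print(suspicious_entries(build_zip({"invoice.pdf.lnk": LNK_MAGIC + b"\x00" * 56})))
    print(suspicious_entries(build_zip({"inner.zip": build_zip({"photo.jpg": LNK_MAGIC})})))
```

A gateway would quarantine any archive for which `suspicious_entries` returns a non-empty list; the header check matters because the shortcut's extension is the easiest thing for a sender to change.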