Overview
- Compromised WhatsApp accounts are sending only heavily obfuscated .vbs attachments to contacts so recipients are more likely to trust and open the files.
- The infection runs as a three-stage VBScript chain that creates a hidden working folder, downloads two additional scripts, disables Windows UAC through repeated registry changes, and retrieves a ZIP payload.
- Kaspersky's June 22 analysis showed the ZIP contains a preconfigured ManageEngine Endpoint Central installer that runs silently and links the victim machine to attacker-controlled management servers.
- Researchers found simplified Chinese comments in the scripts and an IP address (202.61.160.201) tied to past ValleyRAT/Gh0st RAT activity but said the evidence is insufficient for high-confidence attribution.
- Security teams should block script and executable filetypes in messaging clients, verify unexpected attachments via a second channel, scan downloads with updated antivirus, monitor for unknown RMM agents and unusual outbound connections, and isolate endpoints suspected of compromise.
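The following is an added example, not code from the original report or from Kaspersky: a small detection pass over constructed endpoint telemetry that flags the behaviours the overview describes and the conditions the last bullet asks teams to monitor for. It assumes Sysmon-style events represented as dicts (process creation, registry value set, network connection), assumes a messaging-client download path containing "WhatsApp", and assumes the organisation does not deploy ManageEngine Endpoint Central, so any install of it is unexpected. The only value taken from the report is the IP 202.61.160.201; every other path, PID and address is constructed.

```python
import ipaddress

# Indicator quoted in the report. Everything else in this file is constructed.
REPORTED_C2_IP = "202.61.160.201"

# Real UAC policy values; a script host setting any of these to 0 weakens UAC.
UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_WEAKENING = {"EnableLUA": "0", "ConsentPromptBehaviorAdmin": "0", "PromptOnSecureDesktop": "0"}

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
MESSAGING_DOWNLOAD_HINTS = ("whatsapp",)          # assumed download-folder naming
UNEXPECTED_RMM = ("manageengine", "endpoint central")  # assumed: not deployed by this org
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample telemetry (assumption: one dict per event, in time order).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\WhatsApp\invoice.vbs"'},
    {"type": "registry", "pid": 100, "key": UAC_KEY, "value": "EnableLUA", "data": "0"},
    {"type": "registry", "pid": 100, "key": UAC_KEY, "value": "ConsentPromptBehaviorAdmin", "data": "0"},
    {"type": "network", "pid": 100, "dst_ip": REPORTED_C2_IP, "dst_port": 80},
    {"type": "network", "pid": 100, "dst_ip": "203.0.113.7", "dst_port": 443},
    {"type": "process", "pid": 101, "image": r"C:\Users\u\AppData\Local\Temp\x\setup.exe",
     "cmdline": "setup.exe /silent", "product": "ManageEngine Endpoint Central"},
    {"type": "process", "pid": 200, "image": r"C:\Program Files\Editor\editor.exe", "cmdline": "editor.exe"},
    {"type": "network", "pid": 200, "dst_ip": "10.0.0.5", "dst_port": 443},
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is_internal(ip_text):
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in INTERNAL_NETS)


def analyze(events):
    """Return a list of (rule, pid, detail) findings for the given events."""
    findings = []
    script_pids = set()  # PIDs of wscript/cscript seen so far, to tie later events to them
    for ev in events:
        kind, pid = ev["type"], ev["pid"]
        if kind == "process":
            cmd = ev.get("cmdline", "").lower()
            if _basename(ev["image"]) in SCRIPT_HOSTS:
                script_pids.add(pid)
                # A script host launched on a .vbs from a messaging-client download folder.
                if ".vbs" in cmd and any(h in cmd for h in MESSAGING_DOWNLOAD_HINTS):
                    findings.append(("script_from_messaging_download", pid, ev["cmdline"]))
            # RMM agent the organisation does not deploy (from the binary's product field).
            product = ev.get("product", "").lower()
            if any(name in product for name in UNEXPECTED_RMM):
                findings.append(("unexpected_rmm_install", pid, ev["product"]))
        elif kind == "registry":
            # UAC policy value set to a weakening value, regardless of which process did it.
            if ev["key"].lower() == UAC_KEY.lower() and UAC_WEAKENING.get(ev["value"]) == ev["data"]:
                origin = "script host" if pid in script_pids else "other process"
                findings.append(("uac_weakened", pid, f"{ev['value']}={ev['data']} by {origin}"))
        elif kind == "network":
            dst = ev["dst_ip"]
            if dst == REPORTED_C2_IP:
                findings.append(("known_c2_contact", pid, f"{dst}:{ev['dst_port']}"))
            elif pid in script_pids and not _is_internal(dst):
                # Script hosts rarely need outbound internet; treat it as unusual egress.
                findings.append(("script_host_external_egress", pid, f"{dst}:{ev['dst_port']}"))
    return findings


def triage(events):
    """Group fired rules by PID so a responder sees which process chain to isolate."""
    by_pid = {}
    for rule, pid, _ in analyze(events):
        by_pid.setdefault(pid, set()).add(rule)
    return by_pid


if __name__ == "__main__":
    for rule, pid, detail in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] pid={pid} {detail}")
```

The registry rule deliberately fires on any process, not only script hosts, because a UAC-weakening write is worth a look regardless of who made it; the origin is recorded in the detail so the script-host case can be prioritised. The egress rule uses an explicit internal-prefix list rather than Python's `is_private`, which also treats documentation ranges such as 203.0.113.0/24 as private.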