WhatsApp Users Targeted by VBScript Campaign Deploying Legitimate RMM Software
A new social engineering campaign is leveraging WhatsApp direct messages to distribute malicious Visual Basic Script (VBScript) files. These scripts ultimately install legitimate Remote Monitoring and Management (RMM) software, granting attackers unauthorized remote access to victims' systems. The global campaign, identified by **Kaspersky**, primarily targets users in Malaysia, Brazil, India, and a host of other countries.

Cybersecurity researchers at **Kaspersky** have uncovered an active campaign exploiting **WhatsApp** to deliver malicious **VBScript** files. These scripts masquerade as legitimate business and financial documents, leading to the installation of genuine Remote Monitoring and Management (RMM) software, thereby compromising user systems.
### Global Reach, Local Impact
The campaign spans numerous countries, including Malaysia, Brazil, India, Mexico, Singapore, the U.K., Spain, Taiwan, Australia, Russia, and Vietnam. Malaysia has reported the highest concentration of victims, indicating a targeted or highly effective localized approach.
According to security researcher **Fareed Radzi**, "The threat actor uses deceptive file names masquerading as business and financial documents to persuade recipients to download and execute the attachment." Once executed, a multi-stage infection chain culminates in the installation of legitimate RMM software, granting remote access to the victim's system.
### The Modus Operandi
Attackers are suspected of gaining surreptitious access to several **WhatsApp** accounts, then using them as a distribution vector for the **VBScript** files among their contacts. The exact method of initial account compromise remains unclear.
These heavily obfuscated **VBScript** files are disguised as innocent-looking documents, often with names like "Financial Reports.vbs" or "Account Statement.vbs." The use of multiple languages, including Portuguese, French, German, and Malay, reflects the global nature of this threat.
**Kaspersky** notes that the **VBScript** samples contain extensive comments and metadata designed to mimic legitimate **Microsoft Windows Update** components. Many of these comments are in Chinese and reference **Windows Update** modules, certificate validation, system integrity checks, and deployment functionalities, adding a layer of deception.
### Infection Chain Details
The **VBScript** file is launched via `WScript.exe`, which then fetches and executes additional **VBScript** components. The infection chain exhibits slight variations depending on whether the victim uses **WhatsApp Web** or the **WhatsApp Desktop** application.

For **WhatsApp Web** users, the attack relies on the user downloading and manually opening the file from their system. In contrast, for **WhatsApp Desktop**, the script is launched from within the application itself, with `WhatsApp.Root.exe` (the background process) spawning `WScript.exe`.
The primary goal of the **VBScript** is to download two secondary **VBScript** payloads from a remote server. One payload attempts to tamper with **Windows User Account Control (UAC)** behavior, while the other downloads and executes a ZIP file containing the installation package for **ManageEngine RMM Central**.
### Attribution and Mitigation
The activity remains unattributed, although **Kaspersky** found infrastructure overlaps (specifically IP address `202.61.160[.]201`) with previous campaigns linked to **Gh0st RAT** and **ValleyRAT**.
Users are strongly advised to exercise extreme caution when receiving unexpected attachments via **WhatsApp**, even if they appear to come from known contacts. **Kaspersky** emphasizes that script and executable file types such as `.VBS`, `.VBE`, `.EXE`, `.BAT`, `.CMD`, `.JS`, and `.PS1` should not be opened unless their legitimacy has been independently verified.
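A defender-side check for the two launch paths described in the infection chain (a script host spawned by `WhatsApp.Root.exe`, or a script host opening a downloaded attachment with one of the risky extensions listed above), written as an added example that is not from the article or from Kaspersky's report. The `key=value|key=value` record format and the sample events are constructed assumptions modelled on Sysmon process-creation fields.

```python
import re
from pathlib import PureWindowsPath

# Script/executable extensions the article lists as high-risk attachments.
RISKY_EXT = {".vbs", ".vbe", ".exe", ".bat", ".cmd", ".js", ".ps1"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
WHATSAPP_PARENT = "whatsapp.root.exe"  # Desktop background process per the article

# Constructed 'key=value|key=value' records (assumed format, not real telemetry)
# whose fields mirror a Sysmon Event ID 1 process-creation event.
SAMPLE_EVENTS = [
    # Desktop variant: WhatsApp.Root.exe spawns the script host directly.
    r'ProcessId=4188|Image=C:\Windows\System32\wscript.exe'
    r'|ParentImage=C:\Program Files\WhatsApp\WhatsApp.Root.exe'
    r'|CommandLine=wscript.exe "C:\Users\bob\AppData\Local\Temp\Account Statement.vbs"',
    # Web variant: the user opens the downloaded attachment from Explorer.
    r'ProcessId=4301|Image=C:\Windows\System32\wscript.exe'
    r'|ParentImage=C:\Windows\explorer.exe'
    r'|CommandLine=wscript.exe "C:\Users\bob\Downloads\Financial Reports.vbs"',
    # Benign control: a logon script run from a system path.
    r'ProcessId=4402|Image=C:\Windows\System32\wscript.exe'
    r'|ParentImage=C:\Windows\System32\userinit.exe'
    r'|CommandLine=wscript.exe C:\Windows\System32\GroupPolicy\logon.vbs',
]

def parse_event(line):
    """Split 'k=v|k=v' into a dict; values may themselves contain '='."""
    return dict(field.split("=", 1) for field in line.split("|"))

def first_argument(cmdline):
    """Return the first argument after the program name, honouring quotes."""
    tokens = [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]
    return tokens[1] if len(tokens) > 1 else ""

def assess(event):
    """Return the reasons an event is suspicious (empty list if none)."""
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    target = first_argument(event.get("CommandLine", ""))
    ext = PureWindowsPath(target).suffix.lower()
    reasons = []
    if image in SCRIPT_HOSTS and parent == WHATSAPP_PARENT:
        reasons.append("script host spawned by WhatsApp.Root.exe")
    if image in SCRIPT_HOSTS and ext in RISKY_EXT and "\\downloads\\" in target.lower():
        reasons.append(f"script host opened a {ext} file from Downloads")
    return reasons

def scan(lines):
    """Map ProcessId -> reasons for every record that trips a check."""
    return {e["ProcessId"]: why for e in map(parse_event, lines) if (why := assess(e))}
```

The parent-process rule is the higher-confidence signal; the Downloads rule is broader and should be tuned against local baseline activity before alerting on it.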