Don’t open that WhatsApp message, Microsoft warns

Summary

Microsoft has flagged an ongoing multi-stage campaign that begins with malicious WhatsApp messages delivering Visual Basic Script (VBS) files. Once a recipient runs the script, it drops renamed, legitimate Windows utilities into hidden folders and uses them to fetch additional payloads from trusted cloud services. The malware then alters UAC behaviour and deploys unsigned MSI installers (examples: Setup.msi, WinRAR.msi, LinkPoint.msi, AnyDesk.msi) to give attackers remote access, data theft capability, and the option to deploy further malware such as ransomware.

Key Points

  1. The attack starts with a WhatsApp message containing a VBS file; social engineering and possibly compromised sessions are used to get victims to run it.
  2. The initial script drops legitimate Windows binaries under new names (e.g. curl.exe as netapi.dll), but their PE version metadata still records the original filenames — a detection opportunity.
  3. Secondary VBS payloads are downloaded from reputable cloud services (AWS, Tencent Cloud, Backblaze B2), helping the campaign blend with normal traffic.
  4. The malware repeatedly tries to bypass User Account Control to gain persistence and elevated privileges.
  5. Attackers deploy unsigned MSI installers (including ones named after legitimate tools like AnyDesk) to establish remote access and enable data theft or further compromise.
  6. Microsoft recommends using Defender and other protections, and stresses user training to spot suspicious attachments on messaging platforms.

Context and Relevance

This campaign demonstrates two persistent trends: attackers ‘living off the land’ by abusing legitimate system utilities, and hosting malicious payloads on trusted cloud platforms so that download traffic looks benign. The retained OriginalFileName metadata is an important detection signal defenders can build on. The vector (WhatsApp) highlights that consumer messaging platforms remain a viable and effective entry point for enterprise compromise when sessions are hijacked or social engineering succeeds.
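The OriginalFileName mismatch is easy to turn into a detection. The following is an added example (not code from Microsoft, The Register, or the report) that runs over constructed, Sysmon-style process-creation records and flags any process whose on-disk filename differs from the OriginalFileName recorded in its PE version resource. The record format, the sample paths and the WATCHLIST entries other than curl.exe are this example's assumptions, not values from the report.

```python
"""Flag renamed Windows utilities from process-creation telemetry.

Added example, not the report's own tooling. Each record is a pipe-separated
set of key=value fields modelled loosely on Sysmon Event ID 1 (Image and
OriginalFileName); the sample data below is constructed for illustration.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass
from typing import Optional

# Utilities that warrant a high-severity alert when seen under another name.
# curl.exe comes from the report; the other entries are assumptions for this example.
WATCHLIST = {"curl.exe", "certutil.exe", "msiexec.exe", "bitsadmin.exe"}

# Constructed sample telemetry (not real Sysmon output). OriginalFileName is "-"
# when the binary carries no version resource, as Sysmon renders it.
SAMPLE_EVENTS = r"""
Image=C:\Users\alice\AppData\Local\Temp\.svc\netapi.dll|OriginalFileName=curl.exe|User=CORP\alice
Image=C:\Windows\System32\curl.exe|OriginalFileName=curl.exe|User=CORP\alice
Image=C:\Program Files\Example Tool\tool.exe|OriginalFileName=tool.EXE|User=CORP\alice
Image=C:\Users\alice\AppData\Local\Temp\upd\report.dll|OriginalFileName=-|User=CORP\alice
Image=C:\Users\alice\AppData\Local\Temp\upd\helper.exe|OriginalFileName=wscript.exe|User=CORP\alice
"""


@dataclass(frozen=True)
class Finding:
    image: str
    original_file_name: str
    severity: str


def parse_event(line: str) -> dict:
    """Split one pipe-separated record into a key -> value mapping."""
    fields = {}
    for part in line.split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def check_event(event: dict) -> Optional[Finding]:
    """Return a Finding when the on-disk name and OriginalFileName disagree."""
    image = event.get("Image", "")
    original = event.get("OriginalFileName", "")
    if not image or original in ("", "-"):
        return None  # nothing recorded to compare against
    on_disk = ntpath.basename(image).lower()   # ntpath handles Windows paths on any OS
    original_lc = original.lower()             # Windows filenames are case-insensitive
    if on_disk == original_lc:
        return None
    severity = "high" if original_lc in WATCHLIST else "medium"
    return Finding(image, original, severity)


def scan_events(text: str) -> list:
    """Run the mismatch check over every non-empty record in the text."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        finding = check_event(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.image} carries OriginalFileName {f.original_file_name}")
```

The comparison is case-insensitive because a legitimate build whose version resource says `tool.EXE` should not fire, and records with no version resource are skipped rather than alerted on, since many legitimate binaries lack one. In production the same check runs against the EDR's own OriginalFileName field, with the watchlist tuned to the utilities your environment rarely runs outside their normal paths.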

Author style

Punchy: This is a serious, practical alert. If you run endpoints or manage staff, take note — the technical details on renamed binaries and unsigned MSIs matter for detection and response. Read the full guidance if you’re responsible for defences; otherwise, circulate the key do’s and don’ts to users.

Why should I read this

Short version: it’s sneaky and it works. Attackers are using familiar tools and trusted cloud storage to hide in plain sight, so one careless click on WhatsApp can give them persistent remote access. Read this to avoid an expensive cleanup and to know the quick wins for spotting this trick.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2026/03/31/whatsapp_message_bad_msi_packages/