
WhatsApp VBScript Campaign Distributes Malicious Files to Install ManageEngine RMM Software

An active campaign has been using direct WhatsApp messages to spread malicious VBScript files that install ManageEngine Remote Monitoring and Management (RMM) software. The campaign targets users of WhatsApp Desktop and WhatsApp Web in multiple countries including Malaysia, Brazil, India, Mexico, Singapore, the U.K., Spain, Taiwan, and Australia.

What happened

Security researchers at Kaspersky have identified a campaign that leverages WhatsApp direct messages to deliver malicious Visual Basic Script (VBScript) files. These files are disguised as documents and, once executed, lead to the installation of ManageEngine RMM software on the victim's device. The campaign specifically targets users operating WhatsApp Desktop and WhatsApp Web across various geographies. The use of legitimate ManageEngine software in the attack chain may allow the threat actors to mask their activities under the guise of trusted applications.

Why it matters

This campaign highlights the evolving tactics of attackers who exploit popular communication platforms like WhatsApp to deliver malware. By using legitimate remote management software, threat actors can gain capabilities typical of managed service providers, potentially facilitating unauthorized access and prolonged control over compromised systems. Organizations and individuals using WhatsApp Desktop or Web clients in the affected countries should be aware of this threat vector given the widespread use of these platforms.

What security teams should do

Security teams should monitor for suspicious VBScript files received via WhatsApp and educate users about the risks of opening unsolicited attachments or links, even from familiar contacts. Reviewing endpoint protection logs for unusual installation or execution of ManageEngine RMM software is prudent. Ensuring that legitimate ManageEngine deployments adhere to security best practices can help mitigate abuse. Users should also verify the authenticity of received documents and refrain from executing untrusted scripts.
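The log review described above can be written as a process-ancestry check: a script host running a VBScript file, with a ManageEngine installation somewhere beneath it. This is an added example, not code from Kaspersky or the source article; the event fields, paths, file names, the `WhatsApp.exe` process name and the `manageengine` match string are constructed assumptions.

```python
import re

# Constructed process-creation events; field names and all values are
# assumptions for illustration, not telemetry or indicators from the campaign.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Apps\WhatsApp.exe", "cmd": "WhatsApp.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\a\Downloads\Invoice.pdf.vbs"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r"msiexec /i C:\Users\a\AppData\Local\Temp\ManageEngine_Agent.msi /qn"},
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\System32\msiexec.exe",  # sanctioned IT install
     "cmd": r"msiexec /i \\deploy\sw\ManageEngine_Agent.msi /qn"},
    {"pid": 500, "ppid": 1, "image": r"C:\Windows\System32\wscript.exe",  # routine admin script
     "cmd": r"wscript.exe C:\IT\logon.vbs"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
VBS_ARG = re.compile(r"\.vb[se]\b", re.I)
# Document-style double extension such as "name.pdf.vbs" (extension list is an assumption).
DISGUISED = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png)\.vb[se]\b", re.I)
RMM = re.compile(r"manageengine", re.I)  # hypothetical marker; tune to your agent's real names

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def find_chains(events):
    """Return VBScript executions that have an RMM install among their descendants."""
    by_pid, kids = {e["pid"]: e for e in events}, {}
    for e in events:
        kids.setdefault(e["ppid"], []).append(e)
    findings = []
    for e in events:
        if basename(e["image"]) not in SCRIPT_HOSTS or not VBS_ARG.search(e["cmd"]):
            continue
        stack, seen, rmm = list(kids.get(e["pid"], [])), {e["pid"]}, []
        while stack:  # walk the whole subtree; 'seen' guards against PID loops
            c = stack.pop()
            if c["pid"] in seen:
                continue
            seen.add(c["pid"])
            if RMM.search(c["image"] + " " + c["cmd"]):
                rmm.append(c["pid"])
            stack.extend(kids.get(c["pid"], []))
        if rmm:
            parent = by_pid.get(e["ppid"])
            findings.append({"script_pid": e["pid"], "rmm_pids": sorted(rmm),
                             "disguised": bool(DISGUISED.search(e["cmd"])),
                             "launched_by": basename(parent["image"]) if parent else None})
    return findings
```

The sanctioned install (pid 400) and the admin script (pid 500) are not reported because neither forms the script-to-installer chain. On real telemetry, key processes on a unique process identifier or on PID plus start time, since PIDs are reused.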

Key technical details

The campaign utilizes WhatsApp direct messages to deliver Visual Basic Script files that appear as documents. When a user executes the malicious VBScript, it initiates the installation of ManageEngine Remote Monitoring and Management software. Details about the initial infection vector beyond WhatsApp message delivery or any post-installation actions by the threat actors have not been disclosed. The use of ManageEngine RMM highlights the attackers' approach to leveraging legitimate management tools for malicious objectives.

Affected organizations/products

The campaign targets users of WhatsApp Desktop and WhatsApp Web in Malaysia, Brazil, India, Mexico, Singapore, the U.K., Spain, Taiwan, and Australia.

Source attribution

https://thehackernews.com/2026/06/whatsapp-vbscript-campaign-uses-fake.html

Written by Thirumala Rao Padilam