WhatsApp VBScript Campaign Distributes Malicious Files to Install ManageEngine RMM Software

An active campaign has been using direct WhatsApp messages to spread malicious VBScript files that install ManageEngine Remote Monitoring and Management (RMM) software. The campaign targets users of WhatsApp Desktop and WhatsApp Web in multiple countries including Malaysia, Brazil, India, Mexico, Singapore, the U.K., Spain, Taiwan, and Australia.
What happened
Security researchers at Kaspersky have identified a campaign that leverages WhatsApp direct messages to deliver malicious Visual Basic Script (VBScript) files. These files are disguised as documents and, once executed, lead to the installation of ManageEngine RMM software on the victim's device. The campaign specifically targets users operating WhatsApp Desktop and WhatsApp Web across various geographies. The use of legitimate ManageEngine software in the attack chain may allow the threat actors to mask their activities under the guise of trusted applications.
Why it matters
This campaign highlights the evolving tactics of attackers who exploit popular communication platforms like WhatsApp to deliver malware. By using legitimate remote management software, threat actors can gain capabilities typical of managed service providers, potentially facilitating unauthorized access and prolonged control over compromised systems. Organizations and individuals using WhatsApp Desktop or Web clients in the affected countries should be aware of this threat vector given the widespread use of these platforms.
What security teams should do
Security teams should monitor for suspicious VBScript files received via WhatsApp and educate users about the risks of opening unsolicited attachments or links, even from familiar contacts. Reviewing endpoint protection logs for unusual installation or execution of ManageEngine RMM software is prudent. Ensuring that legitimate ManageEngine deployments adhere to security best practices can help mitigate abuse. Users should also verify the authenticity of received documents and refrain from executing untrusted scripts.
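
The log review described above, sketched as an added example that is not from the report or from Kaspersky: it flags a host where a Windows Script Host process runs a VBScript and a ManageEngine install follows shortly after. The events, host names, file names, the 30-minute window and the "manageengine" command-line match are constructed assumptions; the report does not publish the campaign's file names or install commands.

```python
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # Windows Script Host binaries
SCRIPT_EXTS = {".vbs", ".vbe"}                  # VBScript and encoded VBScript
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}
RMM_MARKER = "manageengine"     # assumption: vendor name shows up in the install command line
WINDOW = timedelta(minutes=30)  # assumption: correlation window between script run and install

# Constructed process-creation events: (host, time, image, command line). Not from the report.
EVENTS = [
    ("PC-01", "2026-06-02T09:14:05", r"C:\Windows\System32\wscript.exe",
     r'wscript.exe "C:\Users\ana\Downloads\Invoice_0602.pdf.vbs"'),
    ("PC-01", "2026-06-02T09:15:40", r"C:\Windows\System32\msiexec.exe",
     r'msiexec.exe /i "C:\Users\ana\AppData\Local\Temp\ManageEngine_Agent.msi" /qn'),
    ("PC-02", "2026-06-02T10:00:00", r"C:\Windows\System32\msiexec.exe",
     r'msiexec.exe /i "\\deploy\share\ManageEngine_Agent.msi" /qn'),   # IT rollout, no script
    ("PC-03", "2026-06-02T11:30:00", r"C:\Windows\System32\cscript.exe",
     r"cscript.exe //nologo C:\Scripts\inventory.vbs"),                # script, no install
]

def script_target(cmdline):
    """Return the VBScript path a script host was asked to run, or None."""
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', cmdline):
        path = PureWindowsPath(quoted or bare)
        if path.suffix.lower() in SCRIPT_EXTS:
            return path
    return None

def looks_like_document(path):
    """True for names such as report.pdf.vbs, one way a script can pose as a document."""
    suffixes = [s.lower() for s in path.suffixes]
    return len(suffixes) >= 2 and suffixes[-2] in DOC_EXTS

def detect(events):
    """Flag hosts where a VBScript run is followed by a ManageEngine install within WINDOW."""
    last_script, findings = {}, []
    for host, ts, image, cmdline in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        if PureWindowsPath(image).name.lower() in SCRIPT_HOSTS:
            script = script_target(cmdline)
            if script:
                last_script[host] = (when, script)
        elif RMM_MARKER in cmdline.lower() and host in last_script:
            seen, script = last_script[host]
            if when - seen <= WINDOW:
                findings.append({"host": host, "script": str(script),
                                 "doc_lookalike": looks_like_document(script),
                                 "delay_s": int((when - seen).total_seconds())})
    return findings
```

On the constructed events only PC-01 is flagged; the install on PC-02 with no preceding script run and the script on PC-03 with no install are left alone, which keeps sanctioned ManageEngine deployments out of the results.
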
Key technical details
The campaign uses WhatsApp direct messages to deliver Visual Basic Script files that appear to be documents. When a user executes the malicious VBScript, it initiates the installation of ManageEngine Remote Monitoring and Management software. No details have been disclosed about the initial infection vector beyond delivery by WhatsApp message, or about any post-installation actions by the threat actors. The use of ManageEngine RMM shows the attackers leveraging legitimate management tools for malicious objectives.
Affected organizations/products
The campaign targets users of WhatsApp Desktop and WhatsApp Web in Malaysia, Brazil, India, Mexico, Singapore, the U.K., Spain, Taiwan, and Australia.
Source attribution
https://thehackernews.com/2026/06/whatsapp-vbscript-campaign-uses-fake.html