Microsoft has identified a sophisticated cyberattack campaign that leverages WhatsApp messages to distribute malicious Visual Basic Script (VBS) files, specifically targeting Windows systems through a complex multi-stage infection chain.
Details of the Attack
First detected in late February 2026, the campaign relies on social engineering to persuade recipients to open and run the VBS files. Once executed, the script starts a chain of covert steps, creating hidden directories under system paths. It disguises its components as renamed copies of legitimate Windows utilities, such as curl.exe and bitsadmin.exe, so that its network activity blends in with routine use of built-in tools.
The attack then downloads additional payloads from legitimate cloud storage services, including AWS, Tencent Cloud, and Backblaze B2. These payloads establish persistence on the infected system and progressively escalate privileges.
Bypassing Security Measures
A notable feature of this campaign is its capability to circumvent User Account Control (UAC). The malware persistently attempts to execute commands with elevated privileges, alters registry settings, and diminishes system defenses to maintain its foothold. Ultimately, it installs malicious MSI packages, which may include legitimate remote access tools like AnyDesk, thereby granting attackers continuous access.
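The two behaviours above that a defender can check for directly are a utility whose PE OriginalFileName (curl.exe, bitsadmin.exe) no longer matches its on-disk name, and a process started by a script host such as wscript.exe. The following is an added detection sketch, not code from Microsoft or from the article; the Sysmon-style process-creation events are constructed samples, and the field names follow Sysmon Event ID 1.

```python
# Added example: flag renamed curl/bitsadmin copies and script-host children
# in Sysmon-style process-creation events. Sample events are constructed.

# Utilities the campaign is reported to copy under new names.
LOLBIN_ORIGINALS = {"curl.exe", "bitsadmin.exe"}
# Hosts that execute .vbs files.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed sample events (not real telemetry): Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\upd\dl.exe", "OriginalFileName": "curl.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\upd\bts.exe", "OriginalFileName": "bitsadmin.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\upd\dl.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def _basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def renamed_utility(event):
    """True when OriginalFileName is a watched utility but the on-disk name differs."""
    original = event.get("OriginalFileName", "").lower()
    return original in LOLBIN_ORIGINALS and _basename(event["Image"]) != original


def script_host_parent(event):
    """True when the process was spawned by wscript.exe or cscript.exe."""
    return _basename(event["ParentImage"]) in SCRIPT_HOSTS


def evaluate(events):
    """Return (index, reasons) for each event that matches at least one rule."""
    hits = []
    for i, ev in enumerate(events):
        reasons = []
        if renamed_utility(ev):
            reasons.append("renamed-lolbin")
        if script_host_parent(ev):
            reasons.append("script-host-parent")
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for idx, why in evaluate(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["Image"], why)
```

The legitimate curl.exe and notepad.exe events produce no hits; the renamed copies and the wscript.exe child do, and the third sample shows the renamed tool acting as a parent in its own right, which the rule does not cover and would need a second pass over parent images.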
This campaign exemplifies a troubling trend in cyberattacks, where the combination of trusted tools, cloud infrastructure, and stealthy techniques significantly enhances the likelihood of evading detection. It underscores the evolving strategies employed by attackers, who are increasingly exploiting everyday communication platforms and legitimate system utilities to compromise endpoints.