WhatsApp malware campaign delivers VBScript and MSI backdoors

216.73.216.36

WhatsApp malware campaign delivers VBScript and MSI backdoors

· Published 31/03/2026 18:35 · Modified 31/03/2026 18:49

Essential information

Published: 31/03/2026 18:35
Modified: 31/03/2026 18:49
Source / Author: AlienVault
Confidence: 100/100
Report type(s): threat-report
Labels / Tags: cloud-based msi multi-stage remote-access social-engineering uac-bypass vbs whatsapp
Tags: 2026-03-31 cloud-based msi multi-stage remote access social engineering uac bypass vbs whatsapp
Related entities: 16 indicators, 16 observables, 12 techniques (mitre)

Description

A sophisticated malware campaign targeting WhatsApp users has been observed since February 2026. The attack chain begins with malicious Visual Basic Script files sent via WhatsApp messages, which, when executed, initiate a multi-stage infection process. The malware uses renamed Windows utilities, retrieves payloads from trusted cloud services, and installs malicious MSI packages. The campaign employs social engineering, stealth techniques, and cloud-based payload hosting to establish persistence and escalate privileges on victim systems. The attackers utilize legitimate tools and trusted platforms to reduce visibility and increase the likelihood of successful execution. The final stage involves the delivery of unsigned MSI installers that enable remote access to compromised systems.