216.73.217.50

An unknown actor distributes malicious VBS scripts via WhatsApp

· Published 22/06/2026 13:01

Export JSON

Essential information

Published
22/06/2026 13:01
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
chinese-speaking operator gh0st rat manageengine endpoint central multi-stage infection rmm abuse social engineering uac bypass valleyrat vbscript whatsapp
Related entities
12 indicators, 9 observables, 19 techniques (mitre), 3 malware

Description

An active malware campaign has been discovered distributing malicious files through direct messages since June 2026. The operation affects users across multiple countries, with Malaysia experiencing the highest concentration of victims. Attackers compromise accounts and send weaponized VBS files disguised as business and financial documents to contacts. The chain ultimately deploys legitimate ManageEngine Endpoint Central RMM software, providing persistent remote access to compromised systems. The scripts employ heavy obfuscation, Chinese-language comments, and modify Windows UAC settings. Infrastructure overlaps with and operations suggest possible Chinese-speaking operators, though attribution remains uncertain. The campaign primarily targets individual users through opportunistic rather than focused methods, exploiting techniques with localized filenames in multiple languages.

External references