{"id":3784,"date":"2026-06-22T10:04:26","date_gmt":"2026-06-22T10:04:26","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/22\/a-vbscript-campaign-distributed-through-whatsapp-deploying-rmm-software\/"},"modified":"2026-06-22T10:04:26","modified_gmt":"2026-06-22T10:04:26","slug":"a-vbscript-campaign-distributed-through-whatsapp-deploying-rmm-software","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/22\/a-vbscript-campaign-distributed-through-whatsapp-deploying-rmm-software\/","title":{"rendered":"A VBScript campaign distributed through WhatsApp deploying RMM software"},"content":{"rendered":"<div>\n<p><img width=\"990\" height=\"400\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/22071117\/SL-WhatsApp-VBS-RMM-featured-990x400.jpg\" class=\"attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image\" alt=\"\" decoding=\"async\" loading=\"lazy\"><\/p>\n<p>In June 2026, we observed a malware campaign distributing malicious VBScript files through direct messages in WhatsApp. The campaign affected users across multiple countries and territories, including Malaysia, Brazil, India, Mexico, Singapore, UK, Spain, Taiwan, Australia, Russia and Vietnam, with the highest number of victims observed in Malaysia. At the time of writing this article, the campaign is still active.<\/p>\n<p>Analysis shows that the campaign primarily targets users of WhatsApp Desktop and WhatsApp Web. The threat actor uses deceptive file names masquerading as business and financial documents to persuade recipients to download and execute the attachment. 
Once executed, the VBScript initiates a multi-stage infection chain that ultimately results in the installation of legitimate Remote Monitoring and Management (RMM) software, enabling remote access to the victim\u2019s system.<\/p>\n<div id=\"attachment_120296\" style=\"width: 1593px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144200\/whatsapp-vbs1.jpeg\" class=\"magnificImage\"><img fetchpriority=\"high\" decoding=\"async\" aria-describedby=\"caption-attachment-120296\" class=\"size-full wp-image-120296\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144200\/whatsapp-vbs1.jpeg\" alt=\"Overview of the WhatsApp-based VBScript infection chain\" width=\"1583\" height=\"832\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144200\/whatsapp-vbs1.jpeg 1583w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144200\/whatsapp-vbs1-300x158.jpeg 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144200\/whatsapp-vbs1-1024x538.jpeg 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144200\/whatsapp-vbs1-768x404.jpeg 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144200\/whatsapp-vbs1-1536x807.jpeg 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144200\/whatsapp-vbs1-666x350.jpeg 666w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144200\/whatsapp-vbs1-740x389.jpeg 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144200\/whatsapp-vbs1-533x280.jpeg 533w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144200\/whatsapp-vbs1-800x420.jpeg 800w\" sizes=\"(max-width: 1583px) 100vw, 
1583px\"><\/a><\/p>\n<p id=\"caption-attachment-120296\" class=\"wp-caption-text\">Overview of the WhatsApp-based VBScript infection chain<\/p>\n<\/div>\n<p>We came across a number of social media posts reporting that the malware was being distributed by the users\u2019 contacts. The messages contained only the malicious attachment and did not include any accompanying text. One account sent the same attachment to multiple contacts from their list.<\/p>\n<div id=\"attachment_120297\" style=\"width: 2056px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144248\/whatsapp-vbs2.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-120297\" class=\"size-full wp-image-120297\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144248\/whatsapp-vbs2.png\" alt=\"WhatsApp messages containing the malicious VBScript file observed across multiple accounts. 
Source: alleged victim posts on social media\" width=\"2046\" height=\"996\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144248\/whatsapp-vbs2.png 2046w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144248\/whatsapp-vbs2-300x146.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144248\/whatsapp-vbs2-1024x498.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144248\/whatsapp-vbs2-768x374.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144248\/whatsapp-vbs2-1536x748.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144248\/whatsapp-vbs2-719x350.png 719w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144248\/whatsapp-vbs2-740x360.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144248\/whatsapp-vbs2-575x280.png 575w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144248\/whatsapp-vbs2-800x389.png 800w\" sizes=\"auto, (max-width: 2046px) 100vw, 2046px\"><\/a><\/p>\n<p id=\"caption-attachment-120297\" class=\"wp-caption-text\">WhatsApp messages containing the malicious VBScript file observed across multiple accounts. Source: alleged victim posts on social media<\/p>\n<\/div>\n<p>Based on evidence collected from multiple victims through social media reports and submitted samples, we can conclude that the threat actor had gained access to several WhatsApp accounts and used them to distribute the malicious VBScript files to contacts on the compromised users\u2019 contact lists. 
At the time of writing, the exact method used to compromise these WhatsApp accounts remains unknown.<\/p>\n<h2 id=\"social-engineering-through-financial-themed-file-names\">Social engineering through financial-themed file names<\/h2>\n<p>Analysis of the samples revealed that the threat actor relied heavily on social engineering through the use of deceptive file names designed to appear as legitimate business and financial documents. The file names frequently referenced invoices, account statements, debt notices, payment records, and bank statements.<br \/>\nExamples of file names include:<\/p>\n<ul>\n<li>Financial Reports.vbs<\/li>\n<li>Debt confirmation.vbs<\/li>\n<li>Statement of Debt(30K).vbs<\/li>\n<li>Outstanding Payment List.vbs<\/li>\n<li>Account Statement.vbs<\/li>\n<li>Debt Statement.vbs<\/li>\n<li>Billing Statement (2).vbs<\/li>\n<li>Promissory_Note(b).vbs<\/li>\n<\/ul>\n<p>Several file names were also localized into different languages, including Portuguese, French, German, and Malay. Examples include:<\/p>\n<ul>\n<li>Extrato de Concilia\u00e7\u00e3o.vbs<\/li>\n<li>Aviso de d\u00edvida.vbs<\/li>\n<li>Le formulaire de demande le plus r\u00e9cent.vbs<\/li>\n<li>Bitte f\u00fcllen Sie das Formular f\u00fcr Umsatzsteuer-Nullsatz-Verk\u00e4ufe aus.vbs<\/li>\n<li>Penyata bank.vbs<\/li>\n<li>Sila semak bil anda.vbs<\/li>\n<\/ul>\n<p>The use of multiple languages further suggests that the campaign may be targeting victims across different geographic regions.<\/p>\n<p>In addition, the VBScript samples contain extensive comments and metadata intended to mimic legitimate Microsoft Windows Update components. Many of these comments are written in Chinese and include references to Windows Update modules, certificate validation, system integrity checks, and deployment-related functionality. 
The screenshot below shows an example of the Windows Update\u2013themed comments and Chinese-language annotations embedded within one of the analyzed scripts.<\/p>\n<div id=\"attachment_120298\" style=\"width: 2056px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144353\/whatsapp-vbs3.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-120298\" class=\"size-full wp-image-120298\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144353\/whatsapp-vbs3.png\" alt=\"Windows Update\u2013themed and Chinese-language comments observed across multiple Stage 1 VBScript variants\" width=\"2046\" height=\"813\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144353\/whatsapp-vbs3.png 2046w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144353\/whatsapp-vbs3-300x119.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144353\/whatsapp-vbs3-1024x407.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144353\/whatsapp-vbs3-768x305.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144353\/whatsapp-vbs3-1536x610.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144353\/whatsapp-vbs3-881x350.png 881w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144353\/whatsapp-vbs3-740x294.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144353\/whatsapp-vbs3-705x280.png 705w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144353\/whatsapp-vbs3-800x318.png 800w\" sizes=\"auto, (max-width: 2046px) 100vw, 2046px\"><\/a><\/p>\n<p 
id=\"caption-attachment-120298\" class=\"wp-caption-text\">Windows Update\u2013themed and Chinese-language comments observed across multiple Stage 1 VBScript variants<\/p>\n<\/div>\n<h3 id=\"delivery-of-the-initial-vbscript-file\">Delivery of the initial VBScript file<\/h3>\n<p>Analysis of telemetry collected from the systems where the malware was executed, conducted together with the dynamic analysis of the sample, showed that the VBScript is launched through Windows Script Host (WScript.exe), which subsequently retrieves and executes additional VBScript components required for the later stages of the attack.<\/p>\n<p>Two user interactions are needed to initiate the infection chain. When the user first clicks the attachment in either WhatsApp Desktop or WhatsApp Web, it is downloaded to their machine. To launch the downloaded file, they then need to open it.<\/p>\n<p>In WhatsApp Desktop, the malware is executed directly within the application by clicking the file icon once more or by choosing the \u201cOpen\u201d option in the chat. The process tree analysis shows that WScript.exe is spawned by WhatsApp.Root.exe. The executed script was observed within WhatsApp Desktop\u2019s attachment storage directory, with the following command line:<\/p>\n<pre class=\"urvanov-syntax-highlighter-plain-tag\">\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\&lt;username&gt;\\AppData\\Local\\Packages\\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\\LocalState\\Sessions\\&lt;session_identifier&gt;\\Transfers\\&lt;YYYY-MM&gt;\\financial reports(s).vbs\"<\/pre>\n<p>This process relationship confirms that the malicious VBScript was executed directly from the WhatsApp Desktop client.<\/p>\n<p>In contrast, when the attachment is accessed through WhatsApp Web, the user has to open the downloaded file from the Downloads folder or through the browser\u2019s download history to launch the malware. 
In the first case, the malware\u2019s parent process will be explorer.exe, while in the second, it will be executed by the browser in which the web app was opened.<\/p>\n<h2 id=\"technical-analysis\">Technical analysis<\/h2>\n<h3 id=\"stage-1-initial-vbscript-execution\">Stage 1: Initial VBScript execution<\/h3>\n<p>The first stage of the infection chain is a VBS or VBE file delivered through WhatsApp. Although multiple variants of the scripts were observed, their core functionality remains consistent: the script creates a working directory under <code>C:\\Users\\Public\\Documents<\/code>, downloads two additional VBScript payloads from remote infrastructure, and executes them using Windows Script Host.<\/p>\n<p>Across the observed variants, the working directory is created using randomized names such as <code>Temp_&lt;random&gt;<\/code> or <code>MSUpdate_&lt;random&gt;<\/code>. Some variants also configure the directory and downloaded files with hidden and system attributes, likely to reduce visibility to the user during execution.<\/p>\n<div id=\"attachment_120299\" style=\"width: 1015px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144634\/whatsapp-vbs4.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-120299\" class=\"size-full wp-image-120299\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144634\/whatsapp-vbs4.png\" alt=\"Example of the code generating a random working directory and configuring it with hidden and system attributes\" width=\"1005\" height=\"269\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144634\/whatsapp-vbs4.png 1005w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144634\/whatsapp-vbs4-300x80.png 300w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144634\/whatsapp-vbs4-768x206.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144634\/whatsapp-vbs4-740x198.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144634\/whatsapp-vbs4-800x214.png 800w\" sizes=\"auto, (max-width: 1005px) 100vw, 1005px\"><\/a><\/p>\n<p id=\"caption-attachment-120299\" class=\"wp-caption-text\">Example of the code generating a random working directory and configuring it with hidden and system attributes<\/p>\n<\/div>\n<p>The scripts employ several obfuscation techniques, including string concatenation, encoded VBScript, randomized variable names, and large amounts of junk content. One notable variant employs even heavier obfuscation than the other samples. The script reconstructs object names, file paths, utilities, and URLs through character-by-character string concatenation.<\/p>\n<div id=\"attachment_120300\" style=\"width: 1905px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144720\/whatsapp-vbs5.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-120300\" class=\"size-full wp-image-120300\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144720\/whatsapp-vbs5.png\" alt=\"Example of an obfuscated Stage 1 VBScript variant.\" width=\"1895\" height=\"710\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144720\/whatsapp-vbs5.png 1895w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144720\/whatsapp-vbs5-300x112.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144720\/whatsapp-vbs5-1024x384.png 1024w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144720\/whatsapp-vbs5-768x288.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144720\/whatsapp-vbs5-1536x575.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144720\/whatsapp-vbs5-934x350.png 934w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144720\/whatsapp-vbs5-740x277.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144720\/whatsapp-vbs5-747x280.png 747w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144720\/whatsapp-vbs5-800x300.png 800w\" sizes=\"auto, (max-width: 1895px) 100vw, 1895px\"><\/a><\/p>\n<p id=\"caption-attachment-120300\" class=\"wp-caption-text\">Example of an obfuscated Stage 1 VBScript variant.<\/p>\n<\/div>\n<p>Several variants copy curl.exe and bitsadmin.exe into the working directory and rename them using DLL-like filenames before downloading additional VBS files.<\/p>\n<div id=\"attachment_120301\" style=\"width: 1743px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144805\/whatsapp-vbs6.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-120301\" class=\"size-full wp-image-120301\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144805\/whatsapp-vbs6.png\" alt=\"Example of the Stage 1 downloader logic using renamed Windows utilities and multiple download mechanisms to retrieve additional VBS files\" width=\"1733\" height=\"829\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144805\/whatsapp-vbs6.png 1733w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144805\/whatsapp-vbs6-300x144.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144805\/whatsapp-vbs6-1024x490.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144805\/whatsapp-vbs6-768x367.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144805\/whatsapp-vbs6-1536x735.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144805\/whatsapp-vbs6-732x350.png 732w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144805\/whatsapp-vbs6-740x354.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144805\/whatsapp-vbs6-585x280.png 585w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21144805\/whatsapp-vbs6-800x383.png 800w\" sizes=\"auto, (max-width: 1733px) 100vw, 1733px\"><\/a><\/p>\n<p id=\"caption-attachment-120301\" class=\"wp-caption-text\">Example of the Stage 1 downloader logic using renamed Windows utilities and multiple download mechanisms to retrieve additional VBS files<\/p>\n<\/div>\n<p>The downloaded files are commonly staged using misleading file extensions before execution. For example, some variants download files using PDF or TXT extensions and then change them to VBS before launching them with wscript.exe. 
Other variants download the secondary VBScript payloads directly.<\/p>\n<p>Despite differences in infrastructure, file names, and obfuscation methods, all observed variants ultimately perform the same function: downloading and executing two secondary VBScript payloads that continue the infection chain.<\/p>\n<h2 id=\"stage-2-execution-of-secondary-vbscript-payloads\">Stage 2: Execution of secondary VBScript payloads<\/h2>\n<p>Following execution, the Stage 1 VBScript downloads and launches two additional VBScript files from attacker-controlled infrastructure. One script attempts to modify Windows User Account Control (UAC) settings, while the other downloads and executes a ZIP archive containing the installation package for RMM software.<\/p>\n<h3 id=\"vbs-script-1-uac-configuration-modification\">VBS script 1: UAC configuration modification<\/h3>\n<p>The first Stage 2 scripts were observed attempting to modify Windows UAC behavior.<\/p>\n<div id=\"attachment_120302\" style=\"width: 1048px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145010\/whatsapp-vbs7.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-120302\" class=\"size-full wp-image-120302\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145010\/whatsapp-vbs7.png\" alt=\"Stage 2 VBScript repeatedly attempting to modify the ConsentPromptBehaviorAdmin registry value\" width=\"1038\" height=\"866\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145010\/whatsapp-vbs7.png 1038w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145010\/whatsapp-vbs7-300x250.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145010\/whatsapp-vbs7-1024x854.png 1024w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145010\/whatsapp-vbs7-768x641.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145010\/whatsapp-vbs7-420x350.png 420w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145010\/whatsapp-vbs7-740x617.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145010\/whatsapp-vbs7-336x280.png 336w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145010\/whatsapp-vbs7-800x667.png 800w\" sizes=\"auto, (max-width: 1038px) 100vw, 1038px\"><\/a><\/p>\n<p id=\"caption-attachment-120302\" class=\"wp-caption-text\">Stage 2 VBScript repeatedly attempting to modify the ConsentPromptBehaviorAdmin registry value<\/p>\n<\/div>\n<p>As shown in the figure above, the script repeatedly executes an elevated registry modification command targeting the following registry key:<\/p>\n<pre class=\"urvanov-syntax-highlighter-plain-tag\">HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin<\/pre>\n<p>The command is launched using the <code>ShellExecute<\/code> method with the <code>runas<\/code> verb, causing Windows to request administrative privileges before the registry change can be applied. Its goal is to set the <code>ConsentPromptBehaviorAdmin<\/code> registry key value to 0, thus enabling administrative actions without displaying a consent prompt to the user. 
The script attempts to apply this registry change in a loop with short delays between executions, likely to increase the chances that the setting will be successfully modified if administrative privileges are granted by the victim.<\/p>\n<h3 id=\"vbs-script-2-zip-download-and-script-execution\">VBS script 2: ZIP download and script execution<\/h3>\n<p>The second VBS script downloads a ZIP file, extracts it and executes a script to start the RMM installation.<\/p>\n<p>Similar to the Stage 1 downloader, the Stage 2 downloader creates its own working directory under <code>C:\\Users\\Public\\Documents<\/code>, commonly using randomized folder names such as <code>Sys&lt;random&gt;<\/code>, <code>Data&lt;random&gt;<\/code>, or a random numeric value. In most cases, the hidden attribute is assigned to this folder. The script then downloads a ZIP archive from attacker-controlled infrastructure, extracts its contents, and executes an embedded setup1.vbs script.<\/p>\n<div id=\"attachment_120303\" style=\"width: 886px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145341\/whatsapp-vbs8.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-120303\" class=\"size-full wp-image-120303\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145341\/whatsapp-vbs8.png\" alt=\"Stage 2 downloader creating a hidden working directory under C:\\Users\\Public\\Documents\" width=\"876\" height=\"287\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145341\/whatsapp-vbs8.png 876w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145341\/whatsapp-vbs8-300x98.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145341\/whatsapp-vbs8-768x252.png 768w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145341\/whatsapp-vbs8-740x242.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145341\/whatsapp-vbs8-855x280.png 855w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145341\/whatsapp-vbs8-800x262.png 800w\" sizes=\"auto, (max-width: 876px) 100vw, 876px\"><\/a><\/p>\n<p id=\"caption-attachment-120303\" class=\"wp-caption-text\">Stage 2 downloader creating a hidden working directory under C:\\Users\\Public\\Documents<\/p>\n<\/div>\n<p>Similar to the Stage 1 downloader, the variants leverage multiple download mechanisms, including curl, bitsadmin, certutil, PowerShell, and direct HTTP requests.<\/p>\n<div id=\"attachment_120304\" style=\"width: 1715px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145525\/whatsapp-vbs9.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-120304\" class=\"size-full wp-image-120304\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145525\/whatsapp-vbs9.png\" alt=\"Stage 2 downloader using multiple download mechanisms to retrieve the ZIP archive\" width=\"1705\" height=\"764\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145525\/whatsapp-vbs9.png 1705w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145525\/whatsapp-vbs9-300x134.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145525\/whatsapp-vbs9-1024x459.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145525\/whatsapp-vbs9-768x344.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145525\/whatsapp-vbs9-1536x688.png 1536w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145525\/whatsapp-vbs9-781x350.png 781w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145525\/whatsapp-vbs9-740x332.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145525\/whatsapp-vbs9-625x280.png 625w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145525\/whatsapp-vbs9-800x358.png 800w\" sizes=\"auto, (max-width: 1705px) 100vw, 1705px\"><\/a><\/p>\n<p id=\"caption-attachment-120304\" class=\"wp-caption-text\">Stage 2 downloader using multiple download mechanisms to retrieve the ZIP archive<\/p>\n<\/div>\n<p>Following a successful download, the archive is extracted using the Shell.Application COM interface. Most variants invoke the CopyHere method with flags intended to suppress user prompts and allow extraction to proceed without user interaction. The extracted setup1.vbs script is then launched through wscript.exe to proceed with the next stage of the infection chain.<\/p>\n<p>One variant additionally attempts to remove <code>Zone.Identifier<\/code> alternate data streams from extracted files prior to execution, likely to reduce security warnings associated with files downloaded from the Internet.<\/p>\n<div id=\"attachment_120305\" style=\"width: 1128px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145733\/whatsapp-vbs10.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-120305\" class=\"size-full wp-image-120305\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145733\/whatsapp-vbs10.png\" alt=\"Example of the code responsible for ZIP extraction, Zone.Identifier removal, and execution of the next-stage VBScript\" width=\"1118\" height=\"729\" 
srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145733\/whatsapp-vbs10.png 1118w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145733\/whatsapp-vbs10-300x196.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145733\/whatsapp-vbs10-1024x668.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145733\/whatsapp-vbs10-768x501.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145733\/whatsapp-vbs10-537x350.png 537w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145733\/whatsapp-vbs10-740x483.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145733\/whatsapp-vbs10-429x280.png 429w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145733\/whatsapp-vbs10-800x522.png 800w\" sizes=\"auto, (max-width: 1118px) 100vw, 1118px\"><\/a><\/p>\n<p id=\"caption-attachment-120305\" class=\"wp-caption-text\">Example of the code responsible for ZIP extraction, Zone.Identifier removal, and execution of the next-stage VBScript<\/p>\n<\/div>\n<h2 id=\"stage-3-installation-of-remote-monitoring-and-management-software\">Stage 3: Installation of remote monitoring and management software<\/h2>\n<p>Besides the setup1.vbs script, the ZIP archive downloaded during Stage 2 contains a preconfigured ManageEngine Endpoint Central deployment package. 
Inside the archive are the files required to install and register the Endpoint Central agent, including the MSI installer, configuration files, certificates, and installation scripts.<\/p>\n<div id=\"attachment_120306\" style=\"width: 507px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145822\/whatsapp-vbs11.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-120306\" class=\"size-full wp-image-120306\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145822\/whatsapp-vbs11.png\" alt=\"Extracted Stage 3 Endpoint Central installation ZIP package\" width=\"497\" height=\"231\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145822\/whatsapp-vbs11.png 497w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145822\/whatsapp-vbs11-300x139.png 300w\" sizes=\"auto, (max-width: 497px) 100vw, 497px\"><\/a><\/p>\n<p id=\"caption-attachment-120306\" class=\"wp-caption-text\">Extracted Stage 3 Endpoint Central installation ZIP package<\/p>\n<\/div>\n<p>The table below summarizes the purpose of each file contained within the deployment package:<\/p>\n<table>\n<tbody>\n<tr>\n<td><strong>File<\/strong><\/td>\n<td><strong>Description<\/strong><\/td>\n<\/tr>\n<tr>\n<td>DCAgentServerInfo.json<\/td>\n<td>Endpoint Central server configuration containing management server IP addresses and ports<\/td>\n<\/tr>\n<tr>\n<td>DMRootCA.crt<\/td>\n<td>Trusted root certificate<\/td>\n<\/tr>\n<tr>\n<td>DMRootCA-Server.crt<\/td>\n<td>Server authentication certificate<\/td>\n<\/tr>\n<tr>\n<td>README.html<\/td>\n<td>Endpoint Central agent setup instructions<\/td>\n<\/tr>\n<tr>\n<td>setup.bat<\/td>\n<td>Legitimate Endpoint Central installer wrapper included in the package, not used by the malware 
chain<\/td>\n<\/tr>\n<tr>\n<td>setup1.vbs<\/td>\n<td>Malicious launcher used by the threat actor to silently install the Endpoint Central agent<\/td>\n<\/tr>\n<tr>\n<td>UEMSAgent.msi<\/td>\n<td>Endpoint Central agent installer package<\/td>\n<\/tr>\n<tr>\n<td>UEMSAgent.mst<\/td>\n<td>Custom installation configuration settings for the MSI package<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>ManageEngine Endpoint Central is a legitimate enterprise management platform commonly used for software deployment, system administration, and remote support. Its remote administration capabilities make it attractive for abuse by threat actors seeking persistent access to compromised systems.<\/p>\n<p>One interesting variant attempted to disguise the package as an income tax\u2013related document. Instead of containing a legitimate tax document, the archive contained a VBScript file named \u201cIncome Tax Return Form.vbs\u201d, accompanied by an instruction file designed to persuade the victim to open it. 
Analysis showed that the VBScript contained functionality similar to setup1.vbs, ultimately performing the same Endpoint Central installation process.<\/p>\n<div id=\"attachment_120307\" style=\"width: 2055px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145949\/whatsapp-vbs12.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-120307\" class=\"size-full wp-image-120307\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145949\/whatsapp-vbs12.png\" alt=\"Tax document-themed VBScript lure and installation script\" width=\"2045\" height=\"787\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145949\/whatsapp-vbs12.png 2045w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145949\/whatsapp-vbs12-300x115.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145949\/whatsapp-vbs12-1024x394.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145949\/whatsapp-vbs12-768x296.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145949\/whatsapp-vbs12-1536x591.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145949\/whatsapp-vbs12-909x350.png 909w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145949\/whatsapp-vbs12-740x285.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145949\/whatsapp-vbs12-728x280.png 728w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21145949\/whatsapp-vbs12-800x308.png 800w\" sizes=\"auto, (max-width: 2045px) 100vw, 2045px\"><\/a><\/p>\n<p id=\"caption-attachment-120307\" 
class=\"wp-caption-text\">Tax document-themed VBScript lure and installation script<\/p>\n<\/div>\n<p>As discussed in Stage 2, the downloader ultimately executes a VBScript file named setup1.vbs. The script first verifies that the required installation files are present in the extracted folder and then attempts to relaunch itself with administrative privileges using the Windows runas mechanism before proceeding with the installation.<\/p>\n<div id=\"attachment_120308\" style=\"width: 1447px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21150056\/whatsapp-vbs13.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-120308\" class=\"size-full wp-image-120308\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21150056\/whatsapp-vbs13.png\" alt=\"The setup1.vbs script verifying installation files and requesting administrative privileges\" width=\"1437\" height=\"544\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21150056\/whatsapp-vbs13.png 1437w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21150056\/whatsapp-vbs13-300x114.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21150056\/whatsapp-vbs13-1024x388.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21150056\/whatsapp-vbs13-768x291.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21150056\/whatsapp-vbs13-925x350.png 925w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21150056\/whatsapp-vbs13-740x280.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21150056\/whatsapp-vbs13-800x303.png 800w\" sizes=\"auto, (max-width: 1437px) 100vw, 
1437px\"><\/a><\/p>\n<p id=\"caption-attachment-120308\" class=\"wp-caption-text\">The setup1.vbs script verifying installation files and requesting administrative privileges<\/p>\n<\/div>\n<p>Once elevated, setup1.vbs silently installs the bundled ManageEngine Endpoint Central agent using msiexec.exe, applying the supplied configuration and certificate files. The installation is performed silently, preventing the user from seeing the Endpoint Central installation interface.<\/p>\n<div id=\"attachment_120309\" style=\"width: 1295px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21150303\/whatsapp-vbs14.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-120309\" class=\"size-full wp-image-120309\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21150303\/whatsapp-vbs14.png\" alt=\"Endpoint Central agent installation via msiexec.exe\" width=\"1285\" height=\"465\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21150303\/whatsapp-vbs14.png 1285w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21150303\/whatsapp-vbs14-300x109.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21150303\/whatsapp-vbs14-1024x371.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21150303\/whatsapp-vbs14-768x278.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21150303\/whatsapp-vbs14-967x350.png 967w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21150303\/whatsapp-vbs14-740x268.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21150303\/whatsapp-vbs14-774x280.png 774w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/21150303\/whatsapp-vbs14-800x289.png 800w\" sizes=\"auto, (max-width: 1285px) 100vw, 1285px\"><\/a><\/p>\n<p id=\"caption-attachment-120309\" class=\"wp-caption-text\">Endpoint Central agent installation via msiexec.exe<\/p>\n<\/div>\n<p>Analysis of the embedded DCAgentServerInfo.json configuration file revealed the following Endpoint Central management servers:<\/p>\n<ul>\n<li>202.61.160[.]208<\/li>\n<li>202.61.160[.]202<\/li>\n<li>202.61.160[.]201<\/li>\n<li>202.61.160[.]160<\/li>\n<li>202.61.160[.]137<\/li>\n<li>38.55.151[.]63<\/li>\n<\/ul>\n<p>Notably, 202.61.160[.]201 had previously been observed as command-and-control infrastructure associated with ValleyRAT and <a href=\"https:\/\/securelist.com\/apt-report-q3-2024\/114623\/#southeast-asia-and-korean-peninsula\" target=\"_blank\" rel=\"noopener\">Gh0st RAT<\/a> activity. Although the overlap raises the possibility of the VBS campaign being linked to the operator of these known malware families, the available evidence is insufficient to confidently attribute the campaign to a known threat actor.<\/p>\n<h2 id=\"victimology-and-attribution\">Victimology and attribution<\/h2>\n<p>Based on our telemetry, infections were observed across several countries and territories, including Malaysia, Brazil, India, Mexico, Singapore, UK, Spain, Taiwan, Australia, Russia, and Vietnam, with 80% of the victims located in Malaysia. The campaign primarily relied on malicious VBScript attachments distributed through WhatsApp and appeared to target individual users rather than specific organizations or industries. At the time of the analysis, no evidence suggested a focused targeting strategy, instead indicating a broad, opportunistic campaign aimed at consumers.<\/p>\n<p>We were unable to confidently attribute this activity to a known threat actor or intrusion set. 
However, several artifacts observed throughout the campaign point to a possible Chinese-speaking threat actor.<\/p>\n<p>Multiple VBScript samples contained comments, module descriptions, and execution notes written in simplified Chinese characters. These comments appeared consistently across different variants, suggesting that the scripts were likely developed or maintained by a Chinese-speaking operator.<\/p>\n<p>We also identified infrastructure overlaps with IP addresses previously associated with ValleyRAT and Gh0st RAT activity. While these overlaps may indicate infrastructure reuse or shared hosting resources, they are not sufficient to establish a direct connection to any known threat actor.<\/p>\n<p>Based on the available evidence, we assess with low confidence that the campaign was conducted by a Chinese-speaking operator. Additional investigation, infrastructure overlaps, or operational indicators would be required to support a stronger attribution assessment.<\/p>\n<h2 id=\"conclusion\">Conclusion<\/h2>\n<p>This campaign uses compromised WhatsApp accounts to distribute malicious VBScript attachments that ultimately install a preconfigured ManageEngine Endpoint Central agent on victim systems. Observed victims were located across multiple countries and territories, including Malaysia, Brazil, India, Mexico, Singapore, UK, Spain, Taiwan, Australia, Russia, and Vietnam, suggesting a broad and opportunistic campaign. Users should be cautious when receiving unexpected attachments through WhatsApp, even when they appear to originate from known contacts. 
Script and executable file types such as VBS, VBE, EXE, BAT, CMD, JS, and PS1 should not be opened unless their legitimacy has been independently verified.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>In June 2026, we observed a malware campaign distributing malicious VBScript files through direct messages in WhatsApp. The campaign affected users across multiple countries and territories, including Malaysia, Brazil, India, Mexico, Singapore, UK, Spain, Taiwan, Australia, Russia and Vietnam, with the highest number of victims observed in Malaysia. At the time of writing this article, [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[90,99,232,233,259,1321,273,629,257],"tags":[91],"class_list":["post-3784","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","category-malware","category-malware-descriptions","category-malware-technologies","category-microsoft-windows","category-rmm","category-vbs","category-whatsapp","category-windows-malware","tag-cybersecurity"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>A VBScript campaign distributed through WhatsApp deploying RMM software - Imperative Business Ventures Limited<\/title>\n<meta name=\"robots\" 
content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/22\/a-vbscript-campaign-distributed-through-whatsapp-deploying-rmm-software\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"A VBScript campaign distributed through WhatsApp deploying RMM software - Imperative Business Ventures Limited\" \/>\n<meta property=\"og:description\" content=\"In June 2026, we observed a malware campaign distributing malicious VBScript files through direct messages in WhatsApp. The campaign affected users across multiple countries and territories, including Malaysia, Brazil, India, Mexico, Singapore, UK, Spain, Taiwan, Australia, Russia and Vietnam, with the highest number of victims observed in Malaysia. At the time of writing this article, [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/22\/a-vbscript-campaign-distributed-through-whatsapp-deploying-rmm-software\/\" \/>\n<meta property=\"og:site_name\" content=\"Imperative Business Ventures Limited\" \/>\n<meta property=\"article:published_time\" content=\"2026-06-22T10:04:26+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/22071117\/SL-WhatsApp-VBS-RMM-featured-990x400.jpg\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"14 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/22\/a-vbscript-campaign-distributed-through-whatsapp-deploying-rmm-software\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/22\/a-vbscript-campaign-distributed-through-whatsapp-deploying-rmm-software\/\"},\"author\":{\"name\":\"admin\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"headline\":\"A VBScript campaign distributed through WhatsApp deploying RMM software\",\"datePublished\":\"2026-06-22T10:04:26+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/22\/a-vbscript-campaign-distributed-through-whatsapp-deploying-rmm-software\/\"},\"wordCount\":2689,\"image\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/22\/a-vbscript-campaign-distributed-through-whatsapp-deploying-rmm-software\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/22071117\/SL-WhatsApp-VBS-RMM-featured-990x400.jpg\",\"keywords\":[\"Cybersecurity\"],\"articleSection\":[\"Cybersecurity\",\"Malware\",\"Malware descriptions\",\"Malware Technologies\",\"Microsoft Windows\",\"RMM\",\"VBS\",\"WhatsApp\",\"Windows malware\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/22\/a-vbscript-campaign-distributed-through-whatsapp-deploying-rmm-software\/\",\"url\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/22\/a-vbscript-campaign-distributed-through-whatsapp-deploying-rmm-software\/\",\"name\":\"A VBScript campaign distributed through WhatsApp deploying RMM software - Imperative Business Ventures 
Limited\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/22\/a-vbscript-campaign-distributed-through-whatsapp-deploying-rmm-software\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/22\/a-vbscript-campaign-distributed-through-whatsapp-deploying-rmm-software\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/22071117\/SL-WhatsApp-VBS-RMM-featured-990x400.jpg\",\"datePublished\":\"2026-06-22T10:04:26+00:00\",\"author\":{\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/22\/a-vbscript-campaign-distributed-through-whatsapp-deploying-rmm-software\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/22\/a-vbscript-campaign-distributed-through-whatsapp-deploying-rmm-software\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/22\/a-vbscript-campaign-distributed-through-whatsapp-deploying-rmm-software\/#primaryimage\",\"url\":\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/22071117\/SL-WhatsApp-VBS-RMM-featured-990x400.jpg\",\"contentUrl\":\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/22071117\/SL-WhatsApp-VBS-RMM-featured-990x400.jpg\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/22\/a-vbscript-campaign-distributed-through-whatsapp-deploying-rmm-software\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.ibvl.in\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"A VBScript campaign distributed through WhatsApp deploying RMM 
software\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.ibvl.in\/#website\",\"url\":\"https:\/\/blog.ibvl.in\/\",\"name\":\"Imperative Business Ventures Limited\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.ibvl.in\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"caption\":\"admin\"},\"sameAs\":[\"https:\/\/blog.ibvl.in\"],\"url\":\"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"A VBScript campaign distributed through WhatsApp deploying RMM software - Imperative Business Ventures Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/22\/a-vbscript-campaign-distributed-through-whatsapp-deploying-rmm-software\/","og_locale":"en_US","og_type":"article","og_title":"A VBScript campaign distributed through WhatsApp deploying RMM software - Imperative Business Ventures Limited","og_description":"In June 2026, we observed a malware campaign distributing malicious VBScript files through direct messages in WhatsApp. 
The campaign affected users across multiple countries and territories, including Malaysia, Brazil, India, Mexico, Singapore, UK, Spain, Taiwan, Australia, Russia and Vietnam, with the highest number of victims observed in Malaysia. At the time of writing this article, [&hellip;]","og_url":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/22\/a-vbscript-campaign-distributed-through-whatsapp-deploying-rmm-software\/","og_site_name":"Imperative Business Ventures Limited","article_published_time":"2026-06-22T10:04:26+00:00","og_image":[{"url":"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/22071117\/SL-WhatsApp-VBS-RMM-featured-990x400.jpg","type":"","width":"","height":""}],"author":"admin","twitter_card":"summary_large_image","twitter_misc":{"Written by":"admin","Est. reading time":"14 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/22\/a-vbscript-campaign-distributed-through-whatsapp-deploying-rmm-software\/#article","isPartOf":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/22\/a-vbscript-campaign-distributed-through-whatsapp-deploying-rmm-software\/"},"author":{"name":"admin","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02"},"headline":"A VBScript campaign distributed through WhatsApp deploying RMM software","datePublished":"2026-06-22T10:04:26+00:00","mainEntityOfPage":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/22\/a-vbscript-campaign-distributed-through-whatsapp-deploying-rmm-software\/"},"wordCount":2689,"image":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/22\/a-vbscript-campaign-distributed-through-whatsapp-deploying-rmm-software\/#primaryimage"},"thumbnailUrl":"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/22071117\/SL-WhatsApp-VBS-RMM-featured-990x400.jpg","keywords":["Cybersecurity"],"articleSection":["Cybersecurity","Malware","Malware 
descriptions","Malware Technologies","Microsoft Windows","RMM","VBS","WhatsApp","Windows malware"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/22\/a-vbscript-campaign-distributed-through-whatsapp-deploying-rmm-software\/","url":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/22\/a-vbscript-campaign-distributed-through-whatsapp-deploying-rmm-software\/","name":"A VBScript campaign distributed through WhatsApp deploying RMM software - Imperative Business Ventures Limited","isPartOf":{"@id":"https:\/\/blog.ibvl.in\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/22\/a-vbscript-campaign-distributed-through-whatsapp-deploying-rmm-software\/#primaryimage"},"image":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/22\/a-vbscript-campaign-distributed-through-whatsapp-deploying-rmm-software\/#primaryimage"},"thumbnailUrl":"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/22071117\/SL-WhatsApp-VBS-RMM-featured-990x400.jpg","datePublished":"2026-06-22T10:04:26+00:00","author":{"@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02"},"breadcrumb":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/22\/a-vbscript-campaign-distributed-through-whatsapp-deploying-rmm-software\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.ibvl.in\/index.php\/2026\/06\/22\/a-vbscript-campaign-distributed-through-whatsapp-deploying-rmm-software\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/22\/a-vbscript-campaign-distributed-through-whatsapp-deploying-rmm-software\/#primaryimage","url":"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/22071117\/SL-WhatsApp-VBS-RMM-featured-990x400.jpg","contentUrl":"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/06\/22071117\/SL-WhatsApp-VBS-RM
M-featured-990x400.jpg"},{"@type":"BreadcrumbList","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/22\/a-vbscript-campaign-distributed-through-whatsapp-deploying-rmm-software\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.ibvl.in\/"},{"@type":"ListItem","position":2,"name":"A VBScript campaign distributed through WhatsApp deploying RMM software"}]},{"@type":"WebSite","@id":"https:\/\/blog.ibvl.in\/#website","url":"https:\/\/blog.ibvl.in\/","name":"Imperative Business Ventures Limited","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.ibvl.in\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02","name":"admin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g","caption":"admin"},"sameAs":["https:\/\/blog.ibvl.in"],"url":"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/"}]}},"_links":{"self":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/3784","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/comments?post=3784"}],"version-history":[{"count":0,"href":"htt
ps:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/3784\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/media?parent=3784"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/categories?post=3784"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/tags?post=3784"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}