WhatsApp VBScript Campaign Delivers Fake Documents to Deploy ManageEngine RMM Tool
Threat actors are using direct messages on WhatsApp to distribute malicious Visual Basic Script (VBScript) files that ultimately install legitimate Remote Monitoring and Management (RMM) software on victims’ devices.
According to findings from Kaspersky, the ongoing campaign targets users of WhatsApp Desktop and WhatsApp Web in Malaysia, Brazil, India, Mexico, Singapore, the U.K., Spain, Taiwan, Australia, Russia, and Vietnam. Malaysia accounts for the highest number of observed victims.
“The threat actor uses deceptive file names masquerading as business and financial documents to persuade recipients to download and execute the attachment,” security researcher Fareed Radzi said. “Once executed, the VBScript initiates a multi-stage infection chain that ultimately results in the installation of legitimate Remote Monitoring and Management (RMM) software, enabling remote access to the victim’s system.”
The heavily obfuscated VBScript files masquerade as legitimate business and financial documents, using filenames such as “Financial Reports.vbs” and “Account Statement.vbs.” To broaden their reach, some samples use localized filenames in languages including Portuguese, French, German, and Malay, underscoring the campaign’s global scope.
“Users should be cautious when receiving unexpected attachments through WhatsApp, even when they appear to originate from known contacts,” Kaspersky said. “Script and executable file types such as VBS, VBE, EXE, BAT, CMD, JS, and PS1 should not be opened unless their legitimacy has been independently verified.”
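The advice above can be turned into a triage check on received attachment names. The following Python is an added example, not code from Kaspersky or the original article: the extension list and the two English lure filenames come from the article, while the lure word list, the verdict labels (`block`, `review`, `allow`) and the sample names are assumptions constructed for illustration.

```python
import ntpath
import re

# Script and executable types named in Kaspersky's advice quoted above.
RISKY_EXTENSIONS = {".vbs", ".vbe", ".exe", ".bat", ".cmd", ".js", ".ps1"}

# Assumption: words taken from the two lure filenames the article reports.
# The localized lure names are not given on the page, so extend this locally.
LURE_WORDS = {"financial", "report", "reports", "account", "statement"}


def normalize(name: str) -> str:
    """Return the base name as Windows would resolve it: no directory part,
    trailing dots and spaces dropped, lower-cased."""
    return ntpath.basename(name).rstrip(". ").lower()


def classify(name: str) -> str:
    """Return 'block', 'review' or 'allow' for one received attachment name."""
    stem, ext = ntpath.splitext(normalize(name))
    if ext not in RISKY_EXTENSIONS:
        return "allow"
    words = set(re.findall(r"[a-z]+", stem))
    # A script whose name reads like a business document matches the lure
    # pattern described in the article; any other script still needs review.
    return "block" if words & LURE_WORDS else "review"


def triage(names):
    """Map each name to its verdict, keeping only names that need attention."""
    verdicts = {n: classify(n) for n in names}
    return {n: v for n, v in verdicts.items() if v != "allow"}


# Constructed sample: attachment names as they might appear in a download folder.
SAMPLE = [
    "Financial Reports.vbs",
    "Account Statement.VBS",
    "holiday.jpg",
    "setup.ps1 ",
    "Financial Reports.pdf",
    r"C:\Users\demo\Downloads\Account Statement.vbe.",
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE).items():
        print(f"{verdict:6} {name!r}")
```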

Kerry is a Content Creator at www.systemtek.co.uk. She has spent many years working in IT support; her main interests are computing, networking and AI.
