High · Campaign · Active

WhatsApp VBScript Phishing Campaign Exploits Trusted Platform for Remote Access

Attackers are conducting a multi-country phishing campaign via WhatsApp that distributes malicious VBScript files disguised as business documents, enabling remote code execution and system compromise on Windows PCs.

By Sebastion

Affected: WhatsApp users, Windows PCs

This campaign represents a straightforward but effective exploitation of WhatsApp's position as a trusted communication channel. Attackers send messages containing business document lures (invoices, reports, contracts) that actually deliver VBScript payloads. VBScript's native execution capability on Windows, combined with its ability to be obfuscated and executed without compilation, makes it an enduring choice for initial access despite being recognised as a malware vector for over two decades.

The technical infection chain likely involves either direct VBScript execution or a multi-stage approach in which the script downloads secondary payloads that enable remote access. VBScript payloads can disable security controls, establish persistence, and open reverse shells with minimal detection friction. The choice of business document pretexts is deliberate: recipients are primed by workplace routines to open such files, creating a cognitive blind spot that sidesteps technical defences.

The multi-country scope indicates either widespread targeting or an organised campaign with distributed delivery. WhatsApp's end-to-end encryption is irrelevant here since the malicious payload is the message content itself, not a compromise of the platform. This highlights a persistent gap: cryptographic security of transport does not prevent social engineering exploitation of that transport.

Defenders should implement execution policies restricting VBScript and Windows Script Host on endpoints, educate users to avoid opening documents received from untrusted sources via messaging apps (a channel distinct from email), and monitor logs for suspicious VBScript execution and unsigned script activity. Organisations should consider disabling WScript.exe and CScript.exe entirely where business need permits. Detection should focus on files downloaded through WhatsApp being executed directly, particularly where the parent process is unusual or a network callback follows immediately after execution.
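The monitoring half of that advice can be expressed as a small detection rule over endpoint telemetry. The following is an added example written for this brief, not code from the original report or from any vendor: it reads constructed Sysmon-style process-creation (EventID 1) and network-connection (EventID 3) records, flags Windows Script Host launches of a VBScript whose origin points to WhatsApp (a WhatsApp process as parent, or "WhatsApp" in the on-disk path) or whose name carries a document-mimicking double extension, and then attaches any network callback the same process makes within a short window. The log format, the file paths, the 60-second window and the origin heuristics are all assumptions chosen for illustration.

```python
"""Flag Windows Script Host launches of WhatsApp-delivered VBScript files and
network callbacks that follow them, from Sysmon-style EventID 1/3 records.

Added example. The 'key=value; key=value' record format, the sample paths,
the callback window and the origin heuristics are assumptions, not data from
the original report.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".wsf")
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")
CALLBACK_WINDOW = timedelta(seconds=60)  # assumed "immediately following" window
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')  # quoted path or bare token


@dataclass
class Event:
    time: datetime
    event_id: int
    pid: int
    image: str
    parent_image: str = ""
    command_line: str = ""
    dest_ip: str = ""
    dest_port: int = 0


@dataclass
class Finding:
    time: datetime
    pid: int
    script: str
    reasons: list[str] = field(default_factory=list)


def parse_line(line: str) -> Event:
    """Parse one constructed 'key=value; key=value' record into an Event."""
    fields = dict(part.split("=", 1) for part in line.split("; "))
    return Event(
        time=datetime.strptime(fields["UtcTime"], "%Y-%m-%d %H:%M:%S"),
        event_id=int(fields["EventID"]),
        pid=int(fields["ProcessId"]),
        image=fields["Image"],
        parent_image=fields.get("ParentImage", ""),
        command_line=fields.get("CommandLine", ""),
        dest_ip=fields.get("DestinationIp", ""),
        dest_port=int(fields.get("DestinationPort", 0)),
    )


def basename(path: str) -> str:
    """Lower-cased final path component, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def script_argument(cmdline: str) -> str | None:
    """Return the first script-file argument on the command line, if any."""
    for quoted, bare in TOKEN_RE.findall(cmdline):
        tok = quoted or bare
        if tok.lower().endswith(SCRIPT_EXTS):
            return tok
    return None


def whatsapp_origin(script_path: str, parent_image: str) -> bool:
    """Assumed origin indicators: a WhatsApp parent process or a WhatsApp
    download folder in the script's path."""
    return "whatsapp" in basename(parent_image) or "whatsapp" in script_path.lower()


def looks_like_document(script_path: str) -> bool:
    """True for lures such as Invoice.pdf.vbs (document extension before .vbs)."""
    stem = basename(script_path).rsplit(".", 1)[0]
    return stem.endswith(DOC_EXTS)


def analyse(lines: list[str]) -> list[Finding]:
    """Correlate script-host launches with later network connections by PID.
    PID reuse within the window is ignored for simplicity."""
    events = sorted((parse_line(ln) for ln in lines), key=lambda e: e.time)
    findings: dict[int, Finding] = {}
    for ev in events:
        if ev.event_id == 1 and basename(ev.image) in SCRIPT_HOSTS:
            script = script_argument(ev.command_line)
            if script is None:
                continue
            reasons = []
            if whatsapp_origin(script, ev.parent_image):
                reasons.append("script delivered via WhatsApp")
            if looks_like_document(script):
                reasons.append("double extension mimics a business document")
            if reasons:
                findings[ev.pid] = Finding(ev.time, ev.pid, script, reasons)
        elif ev.event_id == 3 and ev.pid in findings:
            f = findings[ev.pid]
            delay = ev.time - f.time
            if delay <= CALLBACK_WINDOW:
                f.reasons.append(
                    f"network callback to {ev.dest_ip}:{ev.dest_port} "
                    f"{int(delay.total_seconds())}s after launch"
                )
    return list(findings.values())


# Constructed sample telemetry: one WhatsApp-delivered lure with a callback,
# one benign admin script run by an interactive user. IP is a documentation address.
SAMPLE_LOG = [
    r"UtcTime=2024-05-06 09:14:02; EventID=1; ProcessId=4120; Image=C:\Windows\System32\wscript.exe; "
    r'ParentImage=C:\Users\alice\AppData\Local\WhatsApp\WhatsApp.exe; CommandLine="C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\WhatsApp\Invoice_Q3.pdf.vbs"',
    r"UtcTime=2024-05-06 09:14:05; EventID=3; ProcessId=4120; Image=C:\Windows\System32\wscript.exe; DestinationIp=203.0.113.7; DestinationPort=443",
    r"UtcTime=2024-05-06 09:30:11; EventID=1; ProcessId=5008; Image=C:\Windows\System32\cscript.exe; "
    r"ParentImage=C:\Windows\explorer.exe; CommandLine=cscript.exe //nologo C:\Scripts\inventory.vbs",
    r"UtcTime=2024-05-06 09:31:00; EventID=3; ProcessId=5008; Image=C:\Windows\System32\cscript.exe; DestinationIp=10.0.0.5; DestinationPort=445",
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.time} pid={f.pid} {f.script}")
        for reason in f.reasons:
            print("  -", reason)
```

Run stand-alone, the script reports only PID 4120, with three reasons: WhatsApp origin, document-style double extension, and a callback to 203.0.113.7:443 three seconds after launch; the inventory script run from explorer.exe is not flagged even though it also opens a connection. In production the same logic would sit in a SIEM correlation rule keyed on process GUID rather than PID, and the origin heuristic would be replaced by the WhatsApp download location observed in your own fleet.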

This campaign underscores that platform popularity becomes a threat multiplier when adversaries have an unfettered distribution channel. There is little technical novelty here, but effectiveness remains high precisely because the campaign combines familiar social engineering with a legitimate scripting language, which makes both detection and user training genuinely difficult at scale.