Kaspersky has uncovered a large-scale malware campaign targeting WhatsApp Desktop and WhatsApp Web users by sending malicious VBScript attachments through direct messages from previously compromised WhatsApp accounts.
The campaign was discovered by Kaspersky’s Global Research and Analysis Team (GReAT) in June 2026 and has affected users across multiple countries and territories, with Malaysia recording the highest number of observed victims.
Compromised accounts used to spread malware
According to Kaspersky, attackers use previously compromised WhatsApp accounts to send malicious attachments to the account owner’s existing contacts. Since the messages originate from trusted contacts, recipients are more likely to open the files.
The malicious attachments are disguised as routine business documents, including invoices, bank statements, account statements, payment records, and debt notices.
Kaspersky also observed file names in multiple languages, including English, Portuguese, French, German, and Malay, indicating broad targeting across different language regions, particularly Europe.
To further appear legitimate, the VBScript samples contain extensive comments and metadata designed to mimic Microsoft Windows Update components.
How the attack works
Once the malicious VBScript file is opened, it triggers a multi-stage scripted sequence on the affected system. The initial script creates a working directory under C:\Users\Public\Documents\, downloads additional script files from external infrastructure, and executes them using Windows Script Host.
The follow-up scripts perform additional system actions before downloading a compressed archive from the same infrastructure. The archive contains an installation package for remote monitoring and management (RMM) software, which enables attackers to gain remote access to the infected system using legitimate administrative capabilities intended for IT support and system management.
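One way to hunt for the staging behaviour described above, as an added example that is not taken from Kaspersky's report: it scans process-creation events (for example, exported Sysmon Event ID 1 records) for Windows Script Host running a script from under C:\Users\Public\Documents\. The event field names (host, image, command_line) are assumptions, and every sample event is constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

WSH_HOSTS = {"wscript.exe", "cscript.exe"}  # Windows Script Host binaries
STAGING_DIR = PureWindowsPath(r"C:\Users\Public\Documents")  # path named in the article
SCRIPT_EXTS = {".vbs", ".vbe", ".js"}  # WSH-runnable types from the article's advice list
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\\S+)')  # quoted or bare paths


def script_paths(command_line):
    """Yield every script path that appears as an argument on the command line."""
    for quoted, bare in PATH_RE.findall(command_line):
        path = PureWindowsPath(quoted or bare)
        if path.suffix.lower() in SCRIPT_EXTS:
            yield path


def flag_events(events):
    """Return (host, script) pairs where WSH ran a script staged under STAGING_DIR."""
    hits = []
    for ev in events:
        if PureWindowsPath(ev["image"]).name.lower() not in WSH_HOSTS:
            continue
        for path in script_paths(ev["command_line"]):
            # PureWindowsPath equality ignores case, as the Windows filesystem does.
            if STAGING_DIR in path.parents:
                hits.append((ev["host"], str(path)))
    return hits


# Constructed sample events; host names, folder names and file names are invented.
SAMPLE_EVENTS = [
    {"host": "ws-01", "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" "C:\Users\Public\Documents\upd\stage2.vbs"'},
    {"host": "ws-02", "image": r"C:\Windows\System32\CScript.exe",
     "command_line": r"cscript.exe //B c:\users\public\documents\upd\run.js"},
    {"host": "ws-03", "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'wscript.exe "C:\Program Files\Vendor\login.vbs"'},
    {"host": "ws-04", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe C:\Users\Public\Documents\upd\stage2.vbs"},
]

if __name__ == "__main__":
    for host, script in flag_events(SAMPLE_EVENTS):
        print(f"{host}: Windows Script Host ran staged script {script}")
```

Only ws-01 and ws-02 are flagged: ws-03 runs a script from outside the staging path, and ws-04 opens the file in an editor rather than executing it.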
Countries affected
Kaspersky identified victims across multiple countries and territories, including:
- Malaysia (highest number of observed victims)
- Brazil
- Singapore
- Taiwan
- Vietnam
The full technical report is available on Securelist.
Kaspersky’s recommendations
Kaspersky recommends that users:
- Be cautious when receiving unexpected attachments through WhatsApp, even if they appear to come from known contacts, as they may execute malware.
- Do not open script or executable file types such as .vbs, .vbe, .exe, .bat, .cmd, .js, and .ps1 unless their legitimacy has been independently verified.
- Use a strong security solution on all computers and mobile devices, such as Kaspersky Premium. It will warn you and prevent any infection.
Speaking on the findings, Fareed Radzi, Security Researcher at Kaspersky GReAT, said:
“In this campaign, attackers exploit trust within messaging platforms by using compromised WhatsApp accounts to deliver malicious attachments that appear to come from known contacts, making recipients far more likely to engage with them. The file names are carefully disguised as routine business documents, such as invoices and payment notices, and localized across multiple languages to support broad targeting. Once opened, they trigger a staged infection chain that silently retrieves and executes additional malicious components from external infrastructure.”