WhatsApp Malware Campaign Uses VBS and MSI Backdoors

Introduction

Microsoft has published details on a sophisticated malware campaign that starts with WhatsApp-delivered VBS files and ends with persistent remote access through malicious MSI installers. For IT and security teams, this matters because the attackers abuse legitimate Windows tools and trusted cloud platforms, making the activity harder to distinguish from normal enterprise traffic.

What’s new in this campaign

Microsoft Defender Experts observed the campaign beginning in late February 2026. The attack chain includes multiple stages designed to evade detection and maintain long-term access:

• Initial access through WhatsApp: Attackers send malicious .vbs files via WhatsApp messages, relying on user trust in familiar communication apps.
• Use of renamed Windows tools: The scripts copy legitimate utilities such as curl.exe and bitsadmin.exe, then rename them to misleading filenames like netapi.dll and sc.exe.
• Payload delivery from trusted cloud services: Secondary payloads are downloaded from services including AWS S3, Tencent Cloud, and Backblaze B2.
• Privilege escalation and persistence: The malware tampers with UAC-related registry settings and repeatedly attempts elevated command execution.
• Final-stage MSI backdoors: Unsigned MSI files such as Setup.msi, WinRAR.msi, LinkPoint.msi, and AnyDesk.msi are used to establish remote access.

Why this is significant

This campaign combines several trends defenders are seeing more often:

• Living-off-the-land techniques using native Windows binaries
• Cloud-hosted malware delivery that blends into legitimate traffic
• Social engineering through consumer messaging platforms
• Persistence through MSI installers that may appear routine in managed environments

A notable detection opportunity is the mismatch between a file’s actual name and its embedded OriginalFileName PE metadata. Security tools that inspect this metadata may be able to flag renamed binaries more effectively.

Impact on IT administrators

Security and endpoint teams should assume that blocking by file type alone is not enough. The campaign can bypass casual inspection by using hidden folders, trusted download sources, and legitimate administrative tooling.

Organizations using Microsoft Defender should pay particular attention to:

• Script host activity from untrusted paths (wscript, cscript, mshta)
• Registry changes tied to UAC behavior
• Unsigned MSI execution
• Network connections to cloud object storage used for payload staging
• Endpoint detections tied to renamed binaries and suspicious command-line flags

Recommended next steps

• Restrict script execution in untrusted locations where possible.
• Enable cloud-delivered protection in Microsoft Defender Antivirus.
• Run Defender for Endpoint EDR in block mode to stop artifacts missed by other controls.
• Monitor cloud traffic for suspicious downloads from AWS, Tencent Cloud, and Backblaze B2.
• Train users to avoid opening unexpected WhatsApp attachments, even from seemingly trusted contacts.

This campaign is a reminder that trusted apps, legitimate tools, and common cloud services can all be weaponized. Defenders should combine endpoint telemetry, cloud traffic inspection, and user awareness to reduce exposure.