A sophisticated WhatsApp malware campaign has been actively targeting Windows users since late February 2026, according to Microsoft Defender Security Research Team. The attack combines trusted platforms with legitimate Windows utilities to evade detection and establish persistent system control, making it a significant threat to users who assume end-to-end encryption provides complete protection.
Key Takeaways
- WhatsApp malware campaign observed since late February 2026, targeting Windows desktop users globally.
- Attack uses Visual Basic Script (VBS) files delivered via WhatsApp attachments to trigger multi-stage infection.
- Employs “living-off-the-land” techniques: renames legitimate Windows tools like curl.exe and bitsadmin.exe to evade detection.
- Downloads secondary payloads from trusted cloud services including AWS, Tencent Cloud, and Backblaze B2.
- Deploys AnyDesk and unsigned MSI packages for persistent remote access and data exfiltration.
How the WhatsApp Malware Campaign Works
The attack begins when a user receives a WhatsApp message containing a malicious VBS file attachment. Once executed, the script initiates a multi-stage infection chain designed to establish remote access and maintain persistence across system reboots. The initial payload creates hidden folders within C:ProgramData and drops renamed versions of legitimate Windows utilities, disguising malicious activity as normal system operations.
What makes this WhatsApp malware campaign particularly effective is its use of “living-off-the-land” (LOTL) techniques. The threat actor renames curl.exe to netapi.dll and bitsadmin.exe to sc.exe, then stores these tools in hidden directories. By leveraging Windows’ own legitimate binaries, the attack blends smoothly with normal system traffic and evades traditional endpoint detection systems that rely on recognizing known malicious executables.
The renamed utilities then download secondary VBS payloads—such as auxs.vbs and 2009.vbs—from seemingly legitimate cloud storage services. According to Microsoft, “By combining trusted platforms with legitimate tools, the threat actor reduces visibility and increases the likelihood of successful execution”. This approach exploits user trust in well-known services like AWS, making security teams less likely to block traffic to these platforms.
Privilege Escalation and Persistence Mechanisms
Once the secondary payloads are downloaded, the malware escalates its privileges without requiring additional user interaction. It bypasses User Account Control (UAC) through registry manipulation and repeated command-line launches with elevated permissions. These registry changes grant the malware admin-level control and ensure it survives system reboots, creating a persistent backdoor on the infected machine.
The campaign then deploys unsigned Microsoft Installer (MSI) packages, which install tools like AnyDesk for remote access. This stage enables the threat actor to exfiltrate sensitive data, install additional malware, or maintain long-term control of the compromised system. The entire infection chain relies on social engineering to trick users into opening the initial VBS attachment, making human error the critical failure point.
Why WhatsApp Malware Campaign Poses a Unique Risk
Unlike previous WhatsApp vulnerabilities that allowed arbitrary code execution through platform flaws, this campaign is purely social engineering-based. Users often assume that end-to-end encryption provides complete protection, but as Adam Boynton, Senior Enterprise Strategy Manager at Jamf, notes: “Users often assume end-to-end encryption means end-to-end protection, but that’s not the case”. Encryption protects messages in transit—it does not prevent users from opening malicious attachments.
The WhatsApp malware campaign also differs from traditional phishing attacks because it exploits trust in both the messaging platform and cloud infrastructure. Similar campaigns have targeted WhatsApp and Signal users through phishing, QR codes, login code theft, and unexpected group chats, particularly affecting government officials and individuals with access to sensitive information. This latest threat demonstrates how attackers combine multiple evasion layers—social engineering, legitimate tools, and trusted cloud services—to maximize success rates.
How to Protect Against This WhatsApp Malware Campaign
Microsoft recommends users enable WhatsApp’s Strict Account Settings to reduce exposure. These settings, found under Settings > Privacy > Advanced, silence calls from unknown numbers, block attachments from users not in your contacts, and disable link previews. While these measures do not eliminate risk entirely, they significantly reduce the attack surface by preventing unsolicited file delivery.
Users should exercise extreme caution when receiving unexpected files via WhatsApp, even from contacts whose accounts may have been compromised. The WhatsApp malware campaign relies on social engineering lures that remain unknown to the public, meaning attackers customize messages to appear credible. Never execute files from untrusted sources, and keep Windows systems fully patched with the latest security updates. Organizations should also monitor for suspicious registry modifications, unusual command-line activity, and outbound connections to cloud storage services.
Is WhatsApp desktop more vulnerable than the mobile version?
The WhatsApp malware campaign specifically targets the Windows desktop application, not mobile versions. This is because Windows systems offer attackers greater flexibility for privilege escalation, registry manipulation, and persistent malware installation compared to mobile operating systems, which enforce stricter sandboxing and permission models.
Can WhatsApp’s encryption be bypassed by this malware?
No. The WhatsApp malware campaign does not exploit encryption—it exploits user behavior. Encryption protects message content in transit, but it cannot prevent a user from opening a malicious attachment. Once a file is downloaded and executed locally, encryption is irrelevant.
What should I do if I’ve already opened a suspicious WhatsApp attachment?
If you suspect you have executed a malicious VBS file, immediately disconnect the infected PC from the network and run a full system scan using updated antivirus software. Check your Windows registry for unauthorized changes and review running processes for unfamiliar applications like AnyDesk. Consider seeking professional IT support to verify the system is clean before reconnecting to the network or accessing sensitive accounts.
The WhatsApp malware campaign underscores a fundamental security principle: no platform is secure if users become the weakest link. Microsoft’s warning serves as a timely reminder that attackers continue to evolve their tactics, blending social engineering with sophisticated technical evasion to compromise systems. Staying informed, maintaining strict attachment policies, and enabling protective features in messaging apps are essential defenses in an increasingly hostile threat landscape.
Edited by the All Things Geek team.
Source: TechRadar


