A global malware campaign is using compromised WhatsApp accounts to send fake business documents to trusted contacts. Kaspersky says the VBScript-based attack installs remote administration software on Windows computers, potentially giving criminals control of files and systems. India is among several affected countries, while researchers have not identified the attackers.

Fake Business Files Spread Through WhatsApp in Global Malware Campaign

The420.in Staff

A malware campaign using compromised WhatsApp accounts to distribute fake business and financial documents has targeted Windows computers across several countries, including India. According to cybersecurity firm Kaspersky, the files launch an infection chain that installs remote administration software, potentially giving attackers control over victims’ machines.

Trusted Accounts Used to Spread Malicious Files

Attackers first compromise WhatsApp accounts and then use them to send malicious files to people in the account holder’s contact list. Because the messages appear to come from known contacts, recipients may be more likely to trust and open the attachments.

The files are named to resemble financial reports, billing statements, payment notifications, account documents and other business records. Researchers found filenames localised in several languages, indicating that the campaign was designed to target users across different regions.

Cybercrime expert and former IPS officer Prof. Triveni Singh said users should not assume an attachment is safe merely because it came from a familiar contact. Unexpected files should be verified through a separate communication channel before they are opened.

VBScript Launches Multi-Stage Infection

The attack begins when a recipient downloads and executes a heavily obfuscated VBScript file on a Windows computer. The script silently connects to attacker-controlled infrastructure and downloads additional components.

These scripts modify system settings, weaken security protections and retrieve a ZIP archive containing software that is then installed on the compromised computer.

Researchers found that the attackers abuse ManageEngine Endpoint Central, a legitimate enterprise IT administration tool used to manage computers and networks. Instead of deploying malware directly, they install the trusted software and configure it to communicate with servers controlled by the attackers.

This can provide remote administration capabilities, allowing threat actors to access files, monitor activity, install additional malware, steal information or move through corporate networks.
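To show how a defender might spot the chain described above, here is an added example that is not from the article, Kaspersky or the vendor: a small correlation over constructed Sysmon-style events that flags a Windows script host running a .vbs from a user-writable folder, then connecting out, then spawning an installer for the abused IT tool somewhere beneath it. The event fields, sample paths and the vendor-name substring are assumptions chosen for illustration.

```python
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\whatsapp\\")  # assumption
RMM_MARKER = "manageengine"  # vendor named in the article; substring match is a heuristic

@dataclass
class Event:
    kind: str        # "process" (creation) or "network" (outbound connection)
    pid: int
    ppid: int
    image: str       # full path of the process image
    cmdline: str = ""

def descends_from(pid: int, ancestor: int, procs: dict) -> bool:
    # Walk the parent chain of pid until ancestor is reached or the chain ends.
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        pid = procs[pid].ppid
        if pid == ancestor:
            return True
    return False

def detect_chain(events: list) -> list:
    # Flag the VBScript -> outbound connection -> remote-admin-install sequence.
    procs = {e.pid: e for e in events if e.kind == "process"}
    findings = []
    for e in events:
        cmd = e.cmdline.lower()
        if e.kind != "process" or e.image.lower().rsplit("\\", 1)[-1] not in SCRIPT_HOSTS:
            continue
        if ".vbs" not in cmd or not any(p in cmd for p in USER_WRITABLE):
            continue
        findings.append((e.pid, "script host ran .vbs from user-writable path"))
        if any(n.kind == "network" and n.pid == e.pid for n in events):
            findings.append((e.pid, "script host made outbound connection"))
        for c in events:  # anything spawned beneath the script that installs the RMM tool
            if (c.kind == "process" and descends_from(c.pid, e.pid, procs)
                    and RMM_MARKER in (c.image + c.cmdline).lower()):
                findings.append((c.pid, "remote admin tool installed under script chain"))
    return findings
# Constructed sample telemetry: one malicious chain plus one legitimate agent rollout.
SAMPLE = [
    Event("process", 100, 50, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Users\ana\Downloads\WhatsApp\Invoice.vbs"'),
    Event("network", 100, 50, r"C:\Windows\System32\wscript.exe"),
    Event("process", 120, 100, r"C:\Windows\System32\cmd.exe", "cmd /c start setup"),
    Event("process", 130, 120, r"C:\Users\ana\AppData\Local\Temp\ManageEngine_agent_setup.exe"),
    Event("process", 200, 4, r"C:\Program Files\IT\deploy.exe", "deploy ManageEngine agent"),
]
```

Running `detect_chain(SAMPLE)` yields three findings for the script-host chain (pids 100 and 130) and none for the legitimate rollout (pid 200), because the latter has no script host in its ancestry.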

India Among Countries Affected

The campaign has been detected in India, Brazil, Mexico, Singapore, the United Kingdom, Spain, Taiwan, Australia, Russia, Vietnam and Malaysia.

Researchers have not attributed the operation to a specific threat group. They found some Chinese-language elements and infrastructure overlaps with activity previously associated with ValleyRAT and Gh0st RAT, but said the evidence was insufficient for definitive attribution.

Cybersecurity researchers associated with the Future Crime Research Foundation have advised users to avoid opening unsolicited attachments received through messaging platforms, keep security software updated and scan downloaded files before running them.

Independent verification, user awareness and layered security controls remain important safeguards against malware campaigns that exploit trust within personal and professional networks.