La Era
Apr 16, 2026 · Updated 08:28 AM UTC
Cybersecurity

Microsoft Warns of Multi-Stage WhatsApp Attacks Delivering Malicious MSI Packages

Cybercriminals are using social engineering on WhatsApp to deploy malicious installers that grant remote control over victim machines. Microsoft researchers detail a sophisticated 'living off the land' technique to bypass security software.

Isabel Moreno


Microsoft researchers issued a warning on Tuesday regarding a multi-stage cyberattack campaign that utilizes WhatsApp to deliver malicious Microsoft Installer (MSI) packages. The campaign, which began in late February, tricks users into executing scripts that allow attackers to gain full remote control of infected systems and access sensitive data. The attack targets individuals and corporate employees by exploiting trust within the messaging platform.

Execution of 'Living off the Land' Techniques

The attack begins when a recipient opens a malicious Visual Basic Script (VBS) file, likely sent from a compromised contact or via an urgent lure. Once executed, the script creates hidden folders in the system directory and deploys renamed versions of legitimate Windows utilities, such as curl.exe and bitsadmin.exe. By using authentic system tools for malicious purposes, the attackers attempt to blend in with normal network activity to avoid detection.

However, Microsoft noted that the attackers made a critical error in the renaming process. The renamed binaries retain their original Portable Executable metadata, which allows security software to identify the discrepancy between the filename and the actual identity of the tool.

"This means Microsoft Defender and other security solutions can leverage this metadata discrepancy as a detection signal, flagging instances where a file's name does not match its embedded OriginalFileName," Microsoft researchers wrote in a blog post.

Deployment of Remote Access Payloads

Following the initial breach, the malware downloads secondary payloads from trusted cloud services, including AWS, Tencent Cloud, and Backblaze B2. This strategy further obscures the attack by making malicious traffic appear as legitimate enterprise cloud communication. The malware then attempts to elevate its privileges by altering User Account Control (UAC) settings to ensure persistence after a system reboot.

In the final stage, the attackers deploy unsigned MSI installers disguised as common software like WinRAR, AnyDesk, and LinkPoint. Because these installers are not digitally signed, they serve as a primary indicator for security teams that the software is fraudulent. These tools provide the attackers with a persistent backdoor to steal data or deploy ransomware.
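The two detection signals the article describes, the OriginalFileName mismatch on renamed system binaries and unsigned MSI packages, can be hunted for with built-in PowerShell. This is an added example, not code from Microsoft's post; the `$Root` and `$OutCsv` parameters are assumed defaults, and the hits are leads for triage rather than verdicts.

```powershell
# Added example (not from the original article): sweep a directory tree for
# (1) .exe files whose on-disk name differs from the OriginalFilename in their
# PE version resource and (2) .msi files without a valid Authenticode signature.
param(
    [string]$Root   = $env:SystemRoot,          # assumed starting point
    [string]$OutCsv = "$env:TEMP\lotl-hunt.csv" # assumed report path
)

$candidates = Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.exe', '.msi' }

$findings = foreach ($f in $candidates) {
    if ($f.Extension -eq '.exe') {
        $orig = $f.VersionInfo.OriginalFilename
        # Many legitimate binaries carry no OriginalFilename; skip them so the
        # report is not flooded. Some Windows components report their .mui
        # resource name (e.g. "EXPLORER.EXE.MUI"), so strip that suffix.
        if ($orig) {
            $orig = ($orig.Trim()) -replace '\.mui$', ''
            # Case-insensitive compare: "CURL.EXE" vs "curl.exe" is not a mismatch.
            if ($orig -ne '' -and ($orig -ine $f.Name)) {
                [pscustomobject]@{
                    Path   = $f.FullName
                    Signal = 'OriginalFilename mismatch'
                    Detail = "on disk: $($f.Name); embedded: $orig"
                }
            }
        }
    }
    else {
        # Unsigned or tampered MSI packages are the article's second indicator.
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{
                Path   = $f.FullName
                Signal = 'MSI not validly signed'
                Detail = "status: $($sig.Status)"
            }
        }
    }
}

$findings | Export-Csv -Path $OutCsv -NoTypeInformation
$findings | Format-Table -AutoSize
```

Run it against user-writable and temp locations as well as the system directory, since the article places the renamed utilities in hidden folders created by the script; legitimate installers and third-party tools will produce some mismatches, so compare hits against a known-good baseline.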

Corporate Vulnerability and Social Engineering

This campaign highlights a growing trend of attackers moving away from traditional email phishing toward encrypted messaging apps. The use of trusted platforms like WhatsApp increases the success rate of social engineering, as users are generally less suspicious of messages received on their mobile devices than those in an inbox.

This shift mirrors previous attacks where compromised sessions were used to target high-value corporate targets. The reliance on legitimate tools—a method known as "living off the land"—demonstrates an evolving sophistication in how cybercriminals bypass traditional antivirus signatures.

Microsoft recommends that organizations prioritize employee training to recognize suspicious attachments on non-corporate platforms. The company emphasizes that reinforcing the risks of familiar apps is essential to preventing unauthorized system access. Security professionals should monitor for unsigned MSI packages and metadata mismatches in system binaries.
