Microsoft researchers issued a warning on Tuesday regarding a sophisticated cyberattack campaign that uses WhatsApp to deliver malicious Microsoft Installer (MSI) packages. The operation, which began in late February, allows attackers to gain full remote access to infected machines and steal sensitive data. This multi-stage attack targets users through social engineering to execute malicious scripts on their systems.
Living off the Land Tactics
The attack chain begins when a recipient opens a malicious Visual Basic Script (VBS) file delivered via a WhatsApp message. Once executed, the script creates hidden folders in the system directory and drops renamed copies of legitimate Windows utilities such as curl.exe and bitsadmin.exe. Because these are genuine system tools, the downloads they perform blend in with normal system and network activity and are less likely to trip security controls, a technique known as living off the land.
However, Microsoft noted that the attackers made a critical error: the renamed copies retain their original metadata. The OriginalFilename field embedded in each binary's version resource still reads curl.exe or bitsadmin.exe while the file on disk carries a different name, and security software can flag that mismatch. The attackers then use these tools to download secondary payloads from trusted cloud services, including AWS, Tencent Cloud, and Backblaze B2.
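The metadata mismatch above is straightforward to hunt for on an endpoint. The following PowerShell script is an added example, not Microsoft's tooling or anything from the report; it compares each binary's on-disk name with the OriginalFilename in its version resource and reports the differences. The search roots and the watch list are assumptions (only the two utilities the article names are listed).

```powershell
# Added example (not Microsoft's tooling): flag binaries whose on-disk name differs
# from the OriginalFilename recorded in their PE version resource, which is the
# metadata mismatch the article describes. Search roots and watch list are assumptions.

function Find-RenamedBinary {
    [CmdletBinding()]
    param(
        # Directories to sweep. The report says the droppers live in hidden folders
        # under the system directory, so SystemRoot is a reasonable default (assumption).
        [string[]] $Path = @($env:SystemRoot, $env:ProgramData, $env:TEMP),

        # OriginalFilename values that deserve immediate attention. Only the two
        # utilities named in the report are listed; extend for your environment.
        [string[]] $WatchList = @('curl.exe', 'bitsadmin.exe')
    )

    foreach ($root in $Path) {
        # -Force is required to descend into hidden folders; access errors on
        # locked system paths are expected and skipped.
        Get-ChildItem -LiteralPath $root -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in '.exe', '.dll', '.com', '.scr' } |
            ForEach-Object {
                $orig = $_.VersionInfo.OriginalFilename
                # No claim in the version resource means nothing to compare; skip.
                if ([string]::IsNullOrWhiteSpace($orig)) { return }
                $orig = $orig.Trim()

                # Compare without extension so 'CURL.EXE' still matches curl.exe;
                # -eq is case-insensitive in PowerShell.
                $claimed = [IO.Path]::GetFileNameWithoutExtension($orig)
                if ($claimed -eq $_.BaseName) { return }

                # Signature is only checked for mismatches to keep the sweep fast.
                # A valid vendor signature on a file called something else is the tell.
                $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName

                [pscustomobject]@{
                    Path             = $_.FullName
                    OriginalFilename = $orig
                    Severity         = if ($WatchList -contains $orig) { 'High' } else { 'Review' }
                    InHiddenFolder   = (($_.Directory.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
                    Signature        = $sig.Status
                    Signer           = $sig.SignerCertificate.Subject
                }
            }
    }
}

# Typical triage: watch-listed hits first, everything else for review.
Find-RenamedBinary |
    Sort-Object @{ Expression = { $_.Severity -eq 'High' }; Descending = $true } |
    Format-Table -AutoSize
```

Expect some benign hits: a few legitimate packages ship binaries whose OriginalFilename is an internal build name rather than the shipped name, so confirm a hit with its signer and hash before acting. Sweeping all of SystemRoot is slow; on a fleet, scope the roots to the paths your EDR telemetry points at.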
Escalation and Remote Access
After the initial infection, the malware attempts to modify User Account Control (UAC) settings so that it can launch a command prompt with elevated privileges. If that succeeds, it establishes persistence so the infection survives a reboot, giving the attackers a lasting foothold on the device. The final stage deploys unsigned MSI installers, including fake versions of AnyDesk and WinRAR.
These installers give the attackers remote access to the victim's system, which can then be used to exfiltrate data or deploy ransomware. Because the remote-access tool is a legitimate product such as AnyDesk, the activity often looks like routine IT support to an untrained eye. The missing digital signatures on these final payloads are therefore a primary indicator for defenders: the genuine vendor installers are code-signed, so an unsigned AnyDesk or WinRAR package should be treated as suspect.
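To turn the unsigned-installer indicator into a check, the following PowerShell script is an added example (not Microsoft's or the vendors' code). It sweeps common drop locations for .msi files, verifies each one's Authenticode signature, and reads the package's own ProductName and Manufacturer from its Property table so an unsigned package that calls itself AnyDesk or WinRAR stands out. The search paths and the impersonated-product list are assumptions drawn from the article.

```powershell
# Added example (not Microsoft's tooling): find MSI packages that are unsigned or
# that claim to be a product the report says is being impersonated.
# Search paths and the product list are assumptions.

function Get-MsiProperty {
    param([string] $Path, [string] $Name)
    # Windows Installer COM automation object. InvokeMember is used because the
    # Installer interface is late-bound and its methods are not directly callable
    # from PowerShell. OpenDatabase mode 0 = read-only.
    $installer = New-Object -ComObject WindowsInstaller.Installer
    try {
        $db   = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($Path, 0))
        $sql  = "SELECT Value FROM Property WHERE Property='$Name'"
        $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db, $sql)
        [void]$view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null)
        $rec  = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
        if ($rec) { $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, 1) }
        [void]$view.GetType().InvokeMember('Close', 'InvokeMethod', $null, $view, $null)
    } catch {
        # Corrupt or non-MSI file; report nothing rather than abort the sweep.
        $null
    } finally {
        [void][Runtime.InteropServices.Marshal]::ReleaseComObject($installer)
    }
}

function Find-SuspiciousMsi {
    [CmdletBinding()]
    param(
        # Where user-initiated downloads and staged payloads usually land (assumption).
        [string[]] $Path = @($env:TEMP, "$env:USERPROFILE\Downloads", $env:ProgramData),
        # Products the article reports being faked; extend for your environment.
        [string[]] $Impersonated = @('AnyDesk', 'WinRAR')
    )

    foreach ($root in $Path) {
        Get-ChildItem -LiteralPath $root -Recurse -Force -File -Filter *.msi -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Get-AuthenticodeSignature understands MSI structured storage directly.
                $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
                $prod = Get-MsiProperty -Path $_.FullName -Name 'ProductName'
                $mfr  = Get-MsiProperty -Path $_.FullName -Name 'Manufacturer'
                $lookalike = @($Impersonated | Where-Object { $prod -like "*$_*" }).Count -gt 0

                [pscustomobject]@{
                    Path         = $_.FullName
                    ProductName  = $prod
                    Manufacturer = $mfr
                    SigStatus    = $sig.Status
                    Signer       = $sig.SignerCertificate.Subject
                    Verdict      = if ($sig.Status -ne 'Valid' -and $lookalike) { 'Unsigned lookalike' }
                                   elseif ($sig.Status -ne 'Valid')             { 'Unsigned' }
                                   else                                          { 'Signed' }
                }
            }
    }
}

# Show only what needs a second look.
Find-SuspiciousMsi | Where-Object Verdict -ne 'Signed' | Format-Table -AutoSize
```

A 'Valid' status only means the signature chains to a trusted root; it does not prove the signer is the vendor. For a package that claims to be AnyDesk or WinRAR, also compare the Signer subject against the certificate on a known-good installer from the vendor's site before trusting it.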
The Growing Threat of Social Engineering
This campaign reflects a broader shift in cybercrime toward exploiting trusted communication platforms to bypass traditional email filters. By potentially using compromised accounts to send messages from known contacts, attackers increase the likelihood that a victim will trust a malicious attachment. This method bypasses many perimeter defenses that focus primarily on corporate email gateways.
"Train employees to recognize suspicious WhatsApp attachments and unexpected messages, reinforcing that even familiar platforms can be exploited for malware delivery," Microsoft advised in its official blog.
Future Security Implications
Corporate security teams must now extend their monitoring to mobile messaging applications used for business communication. Because the payloads are hosted on trusted cloud infrastructure that also serves legitimate traffic, blocking IP ranges is not a sufficient defense on its own. Organizations are expected to increase investment in endpoint detection and response (EDR) tools that can spot host-level tells such as version-metadata mismatches and unsigned installers.
Industry analysts suggest that as end-to-end encryption in messaging apps spreads and attachments can no longer be inspected in transit, attackers will rely more heavily on human error than on technical vulnerabilities. The focus of cybersecurity is shifting toward continuous employee education to mitigate the risks of social engineering. Future updates from Microsoft and Meta are expected to address these evolving delivery vectors.