La Era
Apr 14, 2026 · Updated 03:28 PM UTC
Cybersecurity

Microsoft Warns of WhatsApp Campaign Delivering Malicious MSI Packages

Microsoft researchers have identified a sophisticated multi-stage cyberattack using WhatsApp to deploy malicious installers. The campaign allows attackers to gain full remote control of victim machines and steal sensitive data.

Isabel Moreno


Microsoft researchers announced on Tuesday that a sophisticated cyberattack campaign is utilizing WhatsApp to deliver malicious Microsoft Installer (MSI) packages. The campaign, which began in late February, targets users through social engineering to gain full remote control of infected machines and access private data. This multi-stage attack chain begins with the delivery of malicious Visual Basic Script (VBS) files via the messaging platform.

Living Off the Land Tactics

According to a report by The Register, the attackers employ a technique known as "living off the land" by using legitimate Windows utilities to avoid detection. The malicious scripts create hidden folders in the system's ProgramData directory and rename standard tools, such as renaming curl.exe to netapi.dll. This method allows the malware to blend in with normal network activity, making it harder for traditional security software to flag the intrusion.

However, Microsoft noted that the attackers made a critical error in the execution of this tactic. The renamed binaries retain their original Portable Executable metadata, which identifies their true origin. This discrepancy allows Microsoft Defender and other security solutions to detect the mismatch between the file name and the embedded metadata.
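The mismatch Microsoft describes can be checked directly: the version resource of a PE file carries an OriginalFilename string, and a binary that was renamed on disk (curl.exe saved as netapi.dll) still reports its compiled-in name there. The following Python is an added example written for this article, not Microsoft's or The Register's code. It uses a deliberate heuristic (locating the OriginalFilename entry of the VS_VERSIONINFO resource by its UTF-16LE key rather than walking the full resource tree) and runs on a constructed stand-in for a PE file; a production scanner would use a complete PE parser, and a mismatch is a signal to triage, not proof of malice, since some legitimate installers and renamed vendor tools also differ.

```python
"""Heuristic check for renamed Windows binaries: compare the OriginalFilename
recorded in a PE file's VS_VERSIONINFO resource with the name on disk.
Constructed example for this article; it is not Microsoft's detection logic."""
import struct
from pathlib import Path
from typing import Optional

# The key exactly as it appears inside a VS_VERSIONINFO String structure.
ORIGINAL_FILENAME_KEY = "OriginalFilename".encode("utf-16-le") + b"\x00\x00"
STRING_HEADER = struct.Struct("<HHH")  # wLength, wValueLength, wType


def original_filename(data: bytes) -> Optional[str]:
    """Return the embedded OriginalFilename value, or None if not found.

    Heuristic, not a full resource walk: find the UTF-16LE key, read the
    6-byte String header that precedes it, skip the padding that aligns the
    Value field to a 32-bit boundary, then decode wValueLength words.
    """
    idx = data.find(ORIGINAL_FILENAME_KEY)
    if idx < STRING_HEADER.size:
        return None
    struct_start = idx - STRING_HEADER.size
    _length, value_len, value_type = STRING_HEADER.unpack_from(data, struct_start)
    if value_type != 1 or value_len == 0:  # wType 1 = text data
        return None
    value_off = idx + len(ORIGINAL_FILENAME_KEY)
    value_off += (-(value_off - struct_start)) % 4  # align Value to 32 bits
    raw = data[value_off:value_off + 2 * value_len]
    return raw.decode("utf-16-le", errors="replace").rstrip("\x00")


def check_name_mismatch(disk_name: str, data: bytes) -> dict:
    """Flag a file whose on-disk name differs from its embedded OriginalFilename."""
    embedded = original_filename(data)
    if embedded is None:
        return {"disk_name": disk_name, "embedded": None,
                "mismatch": False, "extension_swap": False}
    mismatch = embedded.lower() != disk_name.lower()
    ext_swap = mismatch and Path(disk_name).suffix.lower() != Path(embedded).suffix.lower()
    return {
        "disk_name": disk_name,
        "embedded": embedded,
        "mismatch": mismatch,
        # An .exe presented as a .dll (curl.exe -> netapi.dll) is the strongest
        # form of the signal the article describes.
        "extension_swap": ext_swap,
    }


def scan_file(path) -> dict:
    """Apply the check to a real file on disk."""
    p = Path(path)
    return check_name_mismatch(p.name, p.read_bytes())


def build_string_entry(key: str, value: str) -> bytes:
    """Construct one VS_VERSIONINFO String structure (test fixture only)."""
    key_b = key.encode("utf-16-le") + b"\x00\x00"
    val_b = value.encode("utf-16-le") + b"\x00\x00"
    pad = (-(STRING_HEADER.size + len(key_b))) % 4
    body = key_b + b"\x00" * pad + val_b
    entry = STRING_HEADER.pack(STRING_HEADER.size + len(body), len(val_b) // 2, 1) + body
    return entry + b"\x00" * ((-len(entry)) % 4)  # pad so the next struct is aligned


# Constructed stand-in for a PE file: just the bytes this heuristic reads.
SAMPLE_CURL = (b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 40
               + build_string_entry("CompanyName", "constructed sample")
               + build_string_entry("OriginalFilename", "curl.exe")
               + build_string_entry("FileDescription", "constructed sample"))

if __name__ == "__main__":
    for name in ("curl.exe", "netapi.dll"):
        print(name, check_name_mismatch(name, SAMPLE_CURL))
```

Running the block reports no mismatch for curl.exe and flags netapi.dll with both mismatch and extension_swap set; pointing scan_file at the hidden ProgramData folders the article mentions would apply the same check to real files.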

Multi-Stage Payload Delivery

Once the initial script is executed, the malware downloads secondary VBS payloads from trusted cloud services, including AWS, Tencent Cloud, and Backblaze B2. These secondary payloads attempt to alter User Account Control (UAC) settings to launch the command prompt with elevated privileges. If successful, the malware ensures it can survive a system reboot, establishing a persistent presence on the device.
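The UAC tampering in the second stage leaves traces in a small set of policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, which a defender can audit. The Python below is an added example for this article, not Microsoft's detection logic; the value names and their defaults are standard Windows UAC settings, the sample dictionaries are constructed, and the live registry read only works on a Windows host.

```python
"""Audit the UAC policy values under the Policies\\System key and report
settings that weaken or remove the elevation prompt.
Constructed example for this article; it is not Microsoft's detection logic."""
import sys
from typing import Dict, List, Optional

UAC_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Values to inspect, with the Windows default used when a value is absent.
DEFAULTS = {
    "EnableLUA": 1,                      # 0 turns UAC off entirely
    "ConsentPromptBehaviorAdmin": 5,     # 0 elevates admins silently
    "PromptOnSecureDesktop": 1,          # 0 shows the prompt on the normal desktop
    "LocalAccountTokenFilterPolicy": 0,  # 1 gives remote local admins a full token
}


def evaluate_uac(values: Dict[str, Optional[int]]) -> List[str]:
    """Return findings for weakened settings; an empty list means UAC is intact."""
    effective = {name: (values.get(name) if values.get(name) is not None else default)
                 for name, default in DEFAULTS.items()}
    findings = []
    if effective["EnableLUA"] == 0:
        findings.append("EnableLUA=0: UAC disabled, admin processes run fully elevated")
    if effective["ConsentPromptBehaviorAdmin"] == 0:
        findings.append("ConsentPromptBehaviorAdmin=0: administrators elevate with no prompt")
    if effective["PromptOnSecureDesktop"] == 0:
        findings.append("PromptOnSecureDesktop=0: prompt not isolated on the secure desktop")
    if effective["LocalAccountTokenFilterPolicy"] == 1:
        findings.append("LocalAccountTokenFilterPolicy=1: remote local admins get unfiltered tokens")
    return findings


def read_uac_values() -> Dict[str, Optional[int]]:
    """Read the live values from the registry (Windows only; uses stdlib winreg)."""
    import winreg
    out: Dict[str, Optional[int]] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UAC_KEY) as key:
        for name in DEFAULTS:
            try:
                out[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:  # value absent: Windows default applies
                out[name] = None
    return out


# Constructed samples: a hardened host and one whose prompt has been removed.
HARDENED = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 2,
            "PromptOnSecureDesktop": 1, "LocalAccountTokenFilterPolicy": None}
WEAKENED = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 0,
            "PromptOnSecureDesktop": 0, "LocalAccountTokenFilterPolicy": 1}

if __name__ == "__main__":
    if sys.platform == "win32":
        print(evaluate_uac(read_uac_values()) or ["UAC settings intact"])
    else:
        for label, sample in (("hardened", HARDENED), ("weakened", WEAKENED)):
            print(label, evaluate_uac(sample) or ["UAC settings intact"])
```

Because a baseline of these values is cheap to record, the same function can be run periodically and its output diffed; a change from an empty finding list to a populated one on a host that also sprouted a new ProgramData folder is exactly the combination this campaign produces.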

The final stage involves the deployment of unsigned MSI installers, such as Setup.msi and AnyDesk.msi. By using legitimate tools like AnyDesk, attackers can hide their remote access capabilities in plain sight. These installers grant the criminals the ability to steal data, deploy ransomware, or use the compromised machine to launch further attacks on a larger network.

The Role of Social Engineering

This campaign highlights a growing trend where attackers exploit trusted communication channels to bypass technical defenses. By using compromised accounts, the malicious messages often appear to come from a victim's existing contacts, increasing the likelihood of the file being opened. This shift toward identity-based deception makes traditional perimeter security less effective.

"Train employees to recognize suspicious WhatsApp attachments and unexpected messages, reinforcing that even familiar platforms can be exploited for malware delivery," Microsoft advised in its security blog.

Broader Cybersecurity Implications

This incident underscores the vulnerability of enterprise environments to mobile-originated threats. As professional communication increasingly migrates to platforms like WhatsApp, the boundary between personal and corporate security has blurred. Organizations must now treat messaging apps as primary attack vectors rather than secondary communication tools.

Industry analysts expect a rise in similar "living off the land" attacks as cybercriminals refine their ability to mimic legitimate system behavior. Future defenses will likely rely more heavily on behavioral analysis and metadata verification rather than simple file-name scanning. Companies are encouraged to implement strict employee training and multi-factor authentication to mitigate these risks.
