La Era
Apr 14, 2026 · Updated 03:26 PM UTC
Cybersecurity

Microsoft Warns of WhatsApp Campaign Delivering Malicious MSI Packages

Cybercriminals are using a multi-stage attack via WhatsApp to deploy malicious Microsoft Installer packages. The campaign allows attackers to gain full remote control of victim machines and access sensitive data.

Isabel Moreno


Microsoft researchers identified a sophisticated cyberattack campaign beginning in late February that uses WhatsApp to deliver malicious software to unsuspecting users. The attack chain employs social engineering to trick recipients into executing Visual Basic Script (VBS) files, which eventually grant attackers full control over the victim's machine. This campaign targets users by leveraging trusted messaging platforms to bypass traditional security perceptions.

Execution of 'Living off the Land' Tactics

The attack begins when a user opens a malicious file, likely sent from a compromised contact or via an urgent lure. Once executed, the script creates hidden folders in the system's ProgramData directory and deploys renamed versions of legitimate Windows utilities. For example, the attackers renamed curl.exe as netapi.dll and bitsadmin.exe as sc.exe to blend in with normal network activity.

Security professionals refer to this technique as "living off the land," where legitimate system tools are repurposed for malicious intent. However, Microsoft noted that these binaries retain their original metadata, providing a critical detection signal for security software. This discrepancy allows tools like Microsoft Defender to flag files when the name does not match the embedded original filename.
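The detection signal described above, a binary whose on-disk name differs from the OriginalFilename stored in its PE version resource, can be checked directly with PowerShell. The following is an added example, not code from Microsoft's report; the ProgramData root and the extension list are assumptions, and the script only reports mismatches for you to triage rather than taking any action.

```powershell
# Added example: report executables whose file name does not match the
# OriginalFilename embedded in their version resource (e.g. curl.exe saved
# as netapi.dll). $Root and the extension list are assumptions.
param(
    [string]$Root = "$env:ProgramData"
)

$patterns = '*.exe', '*.dll', '*.com'

Get-ChildItem -Path $Root -Recurse -Force -Include $patterns -ErrorAction SilentlyContinue |
    ForEach-Object {
        $vi   = $_.VersionInfo
        $orig = $vi.OriginalFilename
        # Files without an embedded OriginalFilename give nothing to compare.
        if ([string]::IsNullOrWhiteSpace($orig)) { return }
        # Case-insensitive compare; a real mismatch means the file was renamed.
        if ($orig -ine $_.Name) {
            [pscustomobject]@{
                Path             = $_.FullName
                OnDiskName       = $_.Name
                OriginalFilename = $orig
                InternalName     = $vi.InternalName
                Company          = $vi.CompanyName
                Hidden           = $_.Attributes.HasFlag([IO.FileAttributes]::Hidden)
            }
        }
    } | Format-Table -AutoSize
```

Some legitimate installers also ship binaries under a name other than their OriginalFilename, so treat a hit as a lead, not a verdict; a hidden directory under ProgramData holding a Microsoft-signed binary renamed to look like a system DLL is the pattern this campaign exhibits.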

Deployment of Remote Access Tools

After establishing a foothold, the malware downloads secondary payloads from trusted cloud services, including AWS, Tencent Cloud, and Backblaze B2. These services help the attackers avoid detection by making the downloads appear as standard enterprise traffic. The malware then attempts to elevate its privileges by altering User Account Control (UAC) settings to ensure it survives a system reboot.

In the final stage, the attackers deploy unsigned MSI installers, including files disguised as WinRAR, AnyDesk, and LinkPoint. By using real tools like AnyDesk, the criminals can maintain remote access to the system without triggering custom malware alerts. These installers enable the theft of sensitive data or the deployment of more destructive software, such as ransomware.
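Because the final-stage installers are unsigned, an Authenticode check over the staging locations an installer would normally land in is a cheap triage step. This is an added example rather than code from the original report; the search paths are assumptions, and anything whose signature status is not Valid (including NotSigned) is flagged for review.

```powershell
# Added example: list MSI packages in common staging locations and flag any
# whose Authenticode signature is missing or does not validate. The path
# list is an assumption; extend it to wherever your users save downloads.
param(
    [string[]]$Paths = @("$env:ProgramData", "$env:TEMP", "$env:USERPROFILE\Downloads")
)

Get-ChildItem -Path $Paths -Recurse -Force -Filter *.msi -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path    = $_.FullName
            Status  = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
            Flagged = ($sig.Status -ne 'Valid')
        }
    } | Where-Object Flagged | Sort-Object Path | Format-Table -AutoSize
```

A package that claims to be WinRAR or AnyDesk but carries no signature, or a signature that does not chain to the vendor, is exactly the discrepancy worth escalating; the genuine vendors sign their installers.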

"Train employees to recognize suspicious WhatsApp attachments and unexpected messages, reinforcing that even familiar platforms can be exploited for malware delivery," Microsoft advised in a Tuesday blog post.

Broader Cybersecurity Implications

This campaign highlights a growing trend where attackers move away from email-based phishing toward encrypted messaging apps to initiate breaches. By exploiting the inherent trust users place in their contact lists, criminals can achieve higher success rates in social engineering. This shift forces organizations to expand their security training beyond traditional inbox hygiene.

As these attacks become more common, enterprises must prioritize the monitoring of unsigned installers and unexpected cloud service traffic. The use of legitimate administrative tools for malicious purposes suggests that behavioral analysis will become more important than simple file scanning. Future defenses will likely focus on stricter identity verification and zero-trust architectures to mitigate these risks.
