WhatsApp accounts were hijacked to spread fake debt notices that install remote access software, giving attackers control of victims’ PCs.

Kaspersky published a technical analysis this week of an active malware campaign that spreads through WhatsApp messages and ends with a remote management tool silently installed on the victim’s machine. The campaign was still running as of June 22, 2026, and has hit users across Malaysia, Brazil, India, Mexico, Singapore, the UK, Spain, Taiwan, Australia, Russia, and Vietnam. Eighty percent of confirmed victims are in Malaysia.

“The threat actor uses deceptive file names masquerading as business and financial documents to persuade recipients to download and execute the attachment,” reads the report published by Kaspersky. “Once executed, the VBScript initiates a multi-stage infection chain that ultimately results in the installation of legitimate Remote Monitoring and Management (RMM) software, enabling remote access to the victim’s system.”

The files arrive with names like “Statement of Debt(30K).vbs” or “Outstanding Payment List.vbs,” localized into Portuguese, French, German, and Malay for different targets. Someone put real effort into this: file names in six languages are not the work of someone running a quick side hustle.

The messages come from contacts the victim already knows, which is the whole point. “Based on evidence collected from multiple victims through social media reports and submitted samples, we can conclude that the threat actor had gained access to several WhatsApp accounts and used them to distribute the malicious VBScript files to contacts on the compromised users’ contact lists,” continues Kaspersky. “At the time of writing, the exact method used to compromise these WhatsApp accounts remains unknown.” The messages contained only the attachment, with no accompanying text, and one compromised account sent the same file to multiple contacts at once.
How those WhatsApp accounts were taken over in the first place is still unknown.

The infection runs in three stages. The first VBScript creates a hidden working directory under C:\Users\Public\Documents\ and downloads two more scripts from attacker-controlled servers. The scripts are heavily obfuscated: randomized variable names, strings concatenated character by character, chunks of junk content, and even fake Windows Update comments written in Chinese to make the code look like a legitimate Microsoft component.

The second-stage scripts handle two things separately. One tries to disable the Windows UAC prompt by modifying a registry key so that administrative actions stop asking for confirmation; the other downloads a ZIP archive containing the actual payload. The UAC-modification script runs the registry change in a loop with short delays between attempts, retrying until the write succeeds, so a user who keeps dismissing the prompt simply keeps seeing it.

Inside that ZIP is a pre-configured ManageEngine Endpoint Central deployment package, a legitimate enterprise remote management tool. The setup script installs it silently, so the user sees nothing, and then points the newly installed agent at attacker-controlled management servers. One of those server IPs, 202.61.160.201, had previously appeared in infrastructure linked to ValleyRAT and Gh0st RAT activity. “Although the overlap raises the possibility of the VBS campaign being linked to the operator of these known malware families, the available evidence is insufficient to confidently attribute the campaign to a known threat actor.” Kaspersky assesses with low confidence that the operator is Chinese-speaking, based on the simplified Chinese comments embedded throughout the scripts.

The practical takeaway is simple: VBS, VBE, BAT, CMD, JS, and PS1 files don’t belong in a WhatsApp chat, even from a contact you trust.
If someone sends you a financial document through a messaging app with no accompanying message, that’s not how accountants work.

“Users should be cautious when receiving unexpected attachments through WhatsApp, even when they appear to originate from known contacts,” concludes the report. “Script and executable file types such as VBS, VBE, EXE, BAT, CMD, JS, and PS1 should not be opened unless their legitimacy has been independently verified.”

Pierluigi Paganini (SecurityAffairs – hacking, WhatsApp)