WhatsApp users are being urged to treat unexpected files with caution, even when they appear to come from a trusted contact. Security researchers have uncovered a malware campaign that abuses WhatsApp Desktop and WhatsApp Web to spread malicious scripts after taking over a victim’s account.
The tactic is especially effective because the message appears to come from someone already in the recipient’s circle. Once an account is compromised, attackers send harmful attachments to the contact list and rely on trust to get the file opened.
How the attack reaches new victims
Kaspersky’s Global Research and Analysis Team identified the campaign in June 2026. The reported victims were located in Brazil, Singapore, Taiwan, Vietnam, and Malaysia, with Malaysia seeing the highest number of cases.
The files were disguised as everyday documents that people may not think twice about opening. Examples included invoices, bank statements, proof-of-payment records, and debt notices.
| Observed Detail | What Attackers Used |
|---|---|
| Delivery method | Compromised WhatsApp accounts |
| File disguise | Invoices, bank statements, payment proof, debt notices |
| Known victim locations | Brazil, Singapore, Taiwan, Vietnam, Malaysia |
Attackers also used file names in multiple languages, suggesting the operation was not limited to one region. The naming pattern points to broader targeting that could reach parts of Europe as well.
VBScript hidden behind a Windows Update disguise
Beneath the ordinary-looking file name was a malicious VBScript payload. The attackers added fake comments and metadata to make the file appear to be a legitimate Microsoft Windows Update component.
Fareed Radzi, senior security researcher at Kaspersky GReAT, said the campaign relies heavily on psychological manipulation. Once a victim opens the fake file, the infection chain begins quietly in the background without immediate signs of trouble.
The first stage creates a hidden working folder on the victim’s computer. The script then uses Windows Script Host to retrieve additional script files from an external server controlled by the attackers.
Remote access can follow
The infection chain does not end with the script download. The next stage pulls down a compressed archive containing an installation package for remote monitoring and management software.
When that software is activated, the attackers can gain full administrative access to the victim’s computer. From there, they are able to control the device, monitor activity, and steal important data remotely.
This approach helps the attackers avoid immediate suspicion because the message often arrives from a familiar number. Recipients may assume the file is legitimate and open it without verifying the request through another channel.
Safer habits when receiving files on WhatsApp
Kaspersky advises users to stay skeptical of unexpected attachments, even if they appear to come from a friend, colleague, or family member. Every file should be checked before it is opened, especially when the message creates urgency or pressure.
Users should also watch for risky file extensions such as .vbs, .vbe, .exe, .bat, .cmd, .js, and .ps1. Verifying the message through another channel, such as a phone call, is an important step before opening anything suspicious.
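As an added example (not from the article or from Kaspersky), the check below applies the extension list above to attachment names before anyone opens them, catching the mixed-case and double-extension tricks ("invoice.pdf.vbs") that lure names rely on. The sample names, the label strings and the document-lookalike set are constructed for illustration.

```python
from pathlib import PurePath

# Extensions the article names as risky on Windows. The labels are
# descriptive text written for this example, not taken from the article.
RISKY_EXTENSIONS = {
    ".vbs": "VBScript (runs via Windows Script Host)",
    ".vbe": "Encoded VBScript (runs via Windows Script Host)",
    ".js": "JScript (runs via Windows Script Host when opened outside a browser)",
    ".exe": "Native executable",
    ".bat": "Batch file",
    ".cmd": "Batch file",
    ".ps1": "PowerShell script",
}

# Document-style extensions that lure names imitate (invoices, statements).
# Constructed set for this example.
DOCUMENT_LOOKALIKES = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png"}


def classify_attachment(name: str) -> dict:
    """Return a verdict for one attachment file name.

    Normalises trailing spaces/dots and letter case, so "Statement.VBS " is
    judged by its real suffix, and flags a document-looking inner extension
    followed by a script extension ("invoice.pdf.vbs") as a double extension.
    """
    cleaned = name.strip().rstrip(". ")
    suffixes = [s.strip().lower() for s in PurePath(cleaned).suffixes]
    final = suffixes[-1] if suffixes else ""
    verdict = {"name": name, "risky": False, "reason": "", "double_extension": False}
    if final in RISKY_EXTENSIONS:
        verdict["risky"] = True
        verdict["reason"] = RISKY_EXTENSIONS[final]
        if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_LOOKALIKES:
            verdict["double_extension"] = True
    return verdict


def flag_risky_attachments(names: list[str]) -> list[str]:
    """Return the subset of names that should not be opened without verification."""
    return [n for n in names if classify_attachment(n)["risky"]]


# Constructed sample attachment names modelled on the lure themes in the article.
SAMPLE_NAMES = [
    "invoice_2026.pdf.vbs",
    "Bank Statement.VBE",
    "debt_notice.docx",
    "Proof of payment.js",
    "statement.xlsx.exe",
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(classify_attachment(n))
```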
Extra protection is also recommended on both computers and mobile devices. Strong, up-to-date security software such as Kaspersky Premium can help detect and block suspicious activity automatically.
The broader lesson is that the biggest security weakness often comes from user inattention rather than the messaging app’s encryption. Careful checking of every incoming document remains one of the most effective ways to keep personal data safe online.
Source: www.gadgetdiva.id