Trusted WhatsApp Contacts Are Being Used To Hide Invoice Malware

Author: Qoo Media

A new malware campaign is abusing trust inside WhatsApp conversations, with malicious files arriving through WhatsApp Desktop and WhatsApp Web. The messages often look routine, but the attachment can open the door to a multi-stage infection.

The risk is amplified when the sender account has already been compromised. A familiar name in the chat can lower suspicion fast, making a harmful file seem like a normal invoice, bank statement, payment note, or debt notice.

Kaspersky said the campaign has reached users in Malaysia, Brazil, Singapore, Taiwan, and Vietnam, with the largest number of victims reported in Malaysia. Its Global Research and Analysis Team, or GReAT, observed the activity in June 2026.

| Observed detail | What it means |
|---|---|
| Delivery channel | WhatsApp Desktop and WhatsApp Web |
| Malicious file type | VBScript-based attachment |
| Countries affected | Malaysia, Brazil, Singapore, Taiwan, and Vietnam |
| Main risk | Remote administrative access and data theft |

How the disguise works

The file names were built to fit business routine, with labels such as invoice, bank report, account statement, payment record, and debt notification. Kaspersky also found versions in English, Portuguese, French, German, and Malay, which suggests a broad and deliberate targeting strategy.

Fareed Radzi from GReAT said the attack relies heavily on social engineering. The campaign takes advantage of user confidence in messaging platforms by sending the attachment from a contact that has already been hijacked.

What happens after the file is opened

Once the malicious file is opened, the infection begins quietly and moves through several stages. The initial script creates a working directory in Windows under C:\Users\Public\Documents.

From there, the script downloads additional files from an external server and runs them through Windows Script Host. The next stage pulls down a compressed archive that contains remote monitoring and management software.

That chain is built to stay hidden while the attacker works toward control of the device. When it reaches full execution, the threat goes beyond the initial infection and can give the attacker administrative access from afar.

With that access, an attacker can monitor activity, collect sensitive data, and control the device without the owner noticing. Kaspersky advised users not to open suspicious attachments even when they come from a trusted contact.

The company also warned against opening files with extensions such as .vbs, .vbe, .exe, .bat, .cmd, .js, or .ps1 before verifying they are legitimate. It further recommended using a security solution such as Kaspersky Premium to help detect and block threats before they spread to a device.
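As an added example (not from Kaspersky's report or this article), a small Python detector that covers the infection chain described above and the extension list just given: it runs over constructed process-creation events and reports a Windows Script Host process executing a file with one of those extensions, raising severity when the file sits under C:\Users\Public\Documents or the parent process is itself a script host. The event format, paths, host names and timestamps are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional

# Extensions the article warns about and the staging directory the initial
# script creates; all matching is case-insensitive.
RISKY_EXTENSIONS = (".vbs", ".vbe", ".exe", ".bat", ".cmd", ".js", ".ps1")
STAGING_DIR = r"c:\users\public\documents"
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")  # Windows Script Host binaries

# Constructed process-creation events (assumed format, not real telemetry):
# "timestamp|parent_image|image|command_line"
SAMPLE_EVENTS = """\
2026-06-03T10:14:02|C:\\Program Files\\WhatsApp\\WhatsApp.exe|C:\\Windows\\explorer.exe|explorer.exe
2026-06-03T10:14:05|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\wscript.exe|wscript.exe "C:\\Users\\bob\\Downloads\\invoice_0603.vbs"
2026-06-03T10:14:09|C:\\Windows\\System32\\wscript.exe|C:\\Windows\\System32\\wscript.exe|wscript.exe C:\\Users\\Public\\Documents\\stage2.vbe
2026-06-03T10:15:40|C:\\Windows\\explorer.exe|C:\\Program Files\\Microsoft Office\\winword.exe|winword.exe report.docx
"""

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def risky_argument(cmd: str) -> Optional[str]:
    """First argument after the host binary that carries a risky extension."""
    for tok in re.findall(r'"[^"]*"|\S+', cmd)[1:]:
        tok = tok.strip('"')
        if tok.lower().endswith(RISKY_EXTENSIONS):
            return tok
    return None

def analyze(events_text: str) -> List[Dict[str, str]]:
    findings = []
    for line in events_text.splitlines():
        ts, parent, image, cmd = line.split("|", 3)
        if basename(image) not in SCRIPT_HOSTS:
            continue  # only script-host executions are of interest here
        target = risky_argument(cmd)
        if target is None:
            continue
        reasons = [f"script host running {target}"]
        if target.lower().replace("/", "\\").startswith(STAGING_DIR):
            reasons.append(f"file staged under {STAGING_DIR}")
        if basename(parent) in SCRIPT_HOSTS:
            reasons.append("spawned by another script host (chained stage)")
        severity = "high" if len(reasons) > 1 else "medium"
        findings.append({"ts": ts, "severity": severity, "reason": "; ".join(reasons)})
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["ts"], f["severity"].upper(), f["reason"])
```

Running the block on the constructed events flags the initial .vbs launch as medium and the chained stage in the Public\Documents directory as high.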

Source: id.mashable.com