
WhatsApp Phishing Campaign Turns Business-Looking Files into Remote Access Trojans

By Mag-Info Tech editorial · 2026-06-23

A WhatsApp phishing wave weaponizes everyday business files

A widespread phishing campaign is abusing WhatsApp to deliver malicious VBScript files that look like routine business documents such as invoices, financial reports, and account notices. The messages originate from accounts that attackers have already compromised, so recipients see them as coming from trusted contacts. When a user downloads and opens the file on a Windows PC, the infection chain installs legitimate remote-management software—ManageEngine Endpoint Central—under the attacker’s control, effectively handing over remote access to the machine. The campaign spans multiple countries and languages, indicating a coordinated, global operation aimed at both consumers and professionals who rely on WhatsApp for work communication.

WhatsApp is widely used for quick business exchanges, so attackers exploit this trust by sending files with names like “Billing_Statement_Q3.vbs,” “Invoice_2024_001.vbs,” or localized equivalents in Spanish, Portuguese, Hindi, and other languages. The filenames are chosen to trigger immediate interest and bypass suspicion; the .vbs extension is the tell, since no invoice or statement is ever a script. Once the file is executed, the VBScript fetches additional scripts from attacker-controlled servers, modifies Windows Registry settings to weaken User Account Control protections, and downloads a ZIP archive containing the ManageEngine Endpoint Central agent. The agent installs silently, preconfigured to report to management servers operated by the attackers, which turns a common IT administration tool into a backdoor.

How the infection chain bypasses built-in defenses

The campaign’s success hinges on a sequence of steps that evade or weaken multiple layers of Windows security. After the victim runs the VBScript, the first-stage payload retrieves two additional scripts from the attacker’s infrastructure. These scripts edit the User Account Control (UAC) policy values in the Windows Registry so that the prompts Windows would normally show before a system change are reduced or removed altogether. Because those values live under HKEY_LOCAL_MACHINE, writing them requires administrative rights, which is why the machine’s UAC level at the moment of infection matters. Next, the VBScript downloads a ZIP archive containing ManageEngine Endpoint Central, a legitimate remote management product commonly used by IT teams to deploy updates and monitor endpoints. The attackers point the agent at their own management servers instead of the organization’s, giving them the same remote control over the infected machine that a real administrator would have.

The infection process differs slightly depending on how the user opens the file. If the malicious VBScript arrives via WhatsApp Web, the browser saves it to disk and the user must then find the download and open it. If the same file is opened from within the WhatsApp Desktop client, the client hands it straight to the registered handler for .vbs files, Windows Script Host (wscript.exe), so there is no separate save-and-open step and less opportunity for the user to notice what they are about to run. This dual-delivery method increases the campaign’s reach across different user behaviors and software configurations. The use of a legitimate remote-management suite also complicates detection, because the software and its network traffic resemble normal IT administration activity.

Global footprint and localized lures show scale and sophistication

Telemetry from the researchers tracking the campaign indicates that it has spread across Brazil, India, Mexico, Singapore, the United Kingdom, Spain, Taiwan, Australia, Russia, Vietnam, and Malaysia. Filenames and message content are localized to each region, with language-specific terms for invoices, tax notices, and account statements. This localization suggests the attackers have invested in infrastructure and translation to maximize the chances of deception in each market. The fact that compromised WhatsApp accounts are used to send the malicious files further increases credibility, since recipients see messages from people they know rather than from strangers.

The global distribution also points to a well-resourced operation capable of maintaining multiple command-and-control servers, generating localized filenames, and adapting to regional business terminology. The attackers do not appear to rely on a single language or region, which makes the campaign harder to block at scale. Security vendors must update detection rules quickly to catch new filename patterns and hashes, but both rotate cheaply, so detections keyed on behavior (a script interpreter writing UAC policy values, followed by a remote-management agent appearing and calling out) age better than lists of names. Organizations need to recognize that trusted contacts can unwittingly become attack vectors. The campaign’s reliance on legitimate software like ManageEngine Endpoint Central also means traditional antivirus may not flag the installation unless behavioral monitoring or application control is in place.

Why ManageEngine Endpoint Central becomes a backdoor

ManageEngine Endpoint Central is a real IT administration tool designed to automate software deployment, patch management, and remote troubleshooting. In this campaign, attackers abuse its installation process and built-in remote-control features to establish persistent access. After the software is silently installed, it is configured to connect to attacker-controlled management servers instead of the legitimate ones. Once connected, the attackers can issue commands, transfer files, and monitor activity just as a legitimate IT administrator would. Because the software is digitally signed and commonly used in enterprise environments, its network traffic and processes can blend in with normal IT operations, making it difficult to detect without specialized monitoring.

The misuse of ManageEngine Endpoint Central highlights a broader trend: attackers increasingly leverage legitimate tools to achieve malicious goals. The closest label is abuse of legitimate remote-access software, a cousin of the “living-off-the-land” technique: the agent is not already on the victim’s machine but is downloaded, yet like a true living-off-the-land binary it is signed, trusted, and routinely allowlisted, so antivirus engines have little reason to flag it. The attackers do not need to write a custom remote-access Trojan; they repurpose a product that many IT departments already run, so its presence looks unremarkable. The campaign also shows how a VBScript downloader, registry edits, and a legitimate remote-management suite can be chained into full system compromise without necessarily triggering endpoint defenses that only look at file signatures.

User behavior and software configuration affect risk

The attack surface depends partly on how users interact with WhatsApp and Windows. Users who open attachments from within WhatsApp Desktop are at higher risk, because the file goes straight to wscript.exe, while those using WhatsApp Web must download and open it themselves, which adds a barrier. The UAC level matters because the UAC policy values that such scripts change (EnableLUA and ConsentPromptBehaviorAdmin under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System) can only be written by an elevated process. At the default level (notify only when programs try to make changes) that write triggers a consent prompt, which gives an attentive user a chance to refuse. On systems where UAC is already disabled (EnableLUA=0) or set to elevate without prompting (ConsentPromptBehaviorAdmin=0) the edit goes through silently, and the same is effectively true when the user clicks through the prompt out of habit.

File-handling habits also influence risk. Users who routinely open attachments from contacts without verifying the content or filename are prime targets. The campaign’s reliance on business-themed filenames means professionals who expect invoices or statements are more likely to open the file without suspicion. Organizations that enforce application control (allowlisting) or script-blocking policies can prevent the VBScript from running in the first place. Endpoint detection and response tools that monitor for unusual ManageEngine Endpoint Central installations or unexpected connections to remote management servers can also flag the activity early.

Detection gaps and the challenge for security teams

Traditional signature-based antivirus may catch the initial VBScript if it is already known, but the campaign’s use of obfuscation and frequently regenerated files helps the malicious payload evade detection. Behavioral monitoring that looks for script execution followed by remote-management software installation, or network monitoring that detects connections to unknown management servers, is more likely to identify the threat. Security teams should also watch for unusual ManageEngine Endpoint Central deployments, especially if the software is configured to connect to external servers not on the organization’s approved list.

Telemetry from endpoint detection platforms can help correlate events across machines, identifying when multiple systems suddenly install the same remote-management software from an unexpected source. Automated response playbooks should include steps to quarantine the machine, revoke any unauthorized remote-control sessions, and investigate the scope of compromise. Given that compromised WhatsApp accounts are used to spread the malware, organizations should also warn employees about the risk and encourage verification of unexpected file attachments, even when they appear to come from trusted contacts.
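As an added example (not code from the article or from any vendor), the following Python sketches the behavioral correlation just described. It classifies constructed Sysmon-style events into the stages of the chain from the infection-chain section (a business-themed script run by wscript.exe, a write to the UAC policy key, an Endpoint Central agent process appearing, and that agent connecting to a server not on the approved list), rates each host, and groups hosts by rogue server for the fleet-wide view. The event field names, the agent’s process names and install path, the approved-server list, the extra localized lure words, and the sample events are all assumptions made for the demonstration.

```python
"""Correlate endpoint telemetry into the script-to-remote-management chain.

Added example, not code from the original article or from any vendor. The
events below are constructed Sysmon-style records; the field names, the
Endpoint Central process names, the agent install path and the approved
server list are assumptions for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Lure words from the campaign's business-themed names plus a few localized
# equivalents (Spanish/Portuguese); extended beyond the article's examples.
LURE_WORDS = ("invoice", "billing", "statement", "receipt", "payment", "tax",
              "factura", "fatura", "boleto", "recibo", "extrato", "pagamento")
LURE_RE = re.compile(
    r"(?<![A-Za-z])(?:%s)[\w.-]*\.(?:vbs|vbe|wsf|js|jse)(?=[\"'\s]|$)"
    % "|".join(LURE_WORDS), re.IGNORECASE)

UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_VALUES = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}
EC_PROCESSES = {"dcagentservice.exe", "dcagent.exe", "dcconfig.exe"}  # assumed names
APPROVED_EC_SERVERS = {"endpointcentral.corp.example"}                 # assumed list
WINDOW = timedelta(minutes=30)  # how long after the script the later stages may follow


def is_lure_filename(text):
    """True when a path or command line names a business-themed script file."""
    return LURE_RE.search(text) is not None


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Map one event to a chain stage, or None when it is not interesting."""
    kind = ev["type"]
    if kind == "process_create":
        image = _basename(ev["image"])
        if image in ("wscript.exe", "cscript.exe") and is_lure_filename(ev.get("cmdline", "")):
            return "script_exec"
        if image in EC_PROCESSES:
            return "ec_process"
    elif kind == "registry_set":
        key = ev["key"].replace("HKEY_LOCAL_MACHINE", "HKLM").lower()
        if key == UAC_KEY.lower() and ev["value"] in UAC_VALUES:
            return "uac_tamper"
    elif kind == "network_connect":
        if _basename(ev["image"]) in EC_PROCESSES and ev["dest"].lower() not in APPROVED_EC_SERVERS:
            return "ec_rogue_server"
    return None


def correlate(events):
    """Per host: which stages followed a lure-script execution inside WINDOW.
    'high' = script plus at least two later stages, 'medium' = the agent talks
    to an unapproved server without the script being seen, otherwise 'low'."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage:
            by_host[ev["host"]].append((ev["ts"], stage))
    findings = {}
    for host, seq in by_host.items():
        starts = [ts for ts, s in seq if s == "script_exec"]
        t0 = starts[0] if starts else None
        follow = set()
        if t0 is not None:
            follow = {s for ts, s in seq if s != "script_exec" and t0 <= ts <= t0 + WINDOW}
        if len(follow) >= 2:
            severity = "high"
        elif any(s == "ec_rogue_server" for _, s in seq):
            severity = "medium"
        else:
            severity = "low"
        findings[host] = {"script_exec": t0, "stages": sorted(follow), "severity": severity}
    return findings


def rogue_servers(events):
    """Fleet view: which hosts' agents reached the same unapproved server."""
    seen = defaultdict(set)
    for ev in events:
        if classify(ev) == "ec_rogue_server":
            seen[ev["dest"].lower()].add(ev["host"])
    return {srv: sorted(hosts) for srv, hosts in seen.items()}


def _ev(host, ts, kind, **fields):
    return dict(host=host, ts=datetime.fromisoformat(ts), type=kind, **fields)


AGENT = r"C:\Program Files (x86)\DesktopCentral_Agent\bin\dcagentservice.exe"  # assumed path
SAMPLE_EVENTS = [  # constructed telemetry, not real captures
    _ev("WS-01", "2026-06-20T10:00:00", "process_create", image=r"C:\Windows\System32\wscript.exe",
        cmdline=r'"C:\Windows\System32\wscript.exe" "C:\Users\ana\Downloads\Invoice_2024_001.vbs"'),
    _ev("WS-01", "2026-06-20T10:01:10", "registry_set", key=UAC_KEY, value="EnableLUA", data=0),
    _ev("WS-01", "2026-06-20T10:04:30", "process_create", image=AGENT, cmdline=f'"{AGENT}"'),
    _ev("WS-01", "2026-06-20T10:05:02", "network_connect", image=AGENT, dest="updates-mgmt.example.net", port=8383),
    _ev("WS-02", "2026-06-20T10:07:00", "process_create", image=r"C:\Windows\System32\wscript.exe",
        cmdline=r'"C:\Windows\System32\wscript.exe" "C:\Scripts\Inventory_Report.vbs"'),
    _ev("WS-02", "2026-06-20T10:07:30", "process_create", image=AGENT, cmdline=f'"{AGENT}"'),
    _ev("WS-02", "2026-06-20T10:08:00", "network_connect", image=AGENT, dest="endpointcentral.corp.example", port=8383),
    _ev("WS-03", "2026-06-20T11:20:00", "network_connect", image=AGENT, dest="updates-mgmt.example.net", port=8383),
]

if __name__ == "__main__":
    for host, f in correlate(SAMPLE_EVENTS).items():
        print(host, f["severity"], f["stages"])
    print(rogue_servers(SAMPLE_EVENTS))
```

Run as a script it prints one line per host plus the rogue-server grouping: WS-01 rates high because the lure script, the UAC policy write, the agent start and the call-out to an unapproved server all fall inside the window; WS-02 stays low because its script is not a lure and its agent talks to the approved server; WS-03 rates medium on the rogue call-out alone, and the fleet view ties it to WS-01. In production the events would come from an EDR or Sysmon pipeline and the lure list from currently observed filenames; the durable signal is the ordering, not any particular name.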

Practical steps to reduce risk

Individual users can lower their exposure by taking Windows Script Host out of the double-click path: either disable it outright by setting the Enabled value under HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings to 0 (an HKCU equivalent exists for a single account), or change the default action for .vbs files to Edit so that opening one shows its text in Notepad instead of running it. The campaign does not depend on an unpatched vulnerability, so keeping Windows and security software updated helps mainly by keeping detection signatures for the downloader scripts current rather than by closing a specific hole. Users should also verify any unexpected business document with the sender through a separate channel before opening it, especially if the message contains only a file attachment; since the sending account may itself be under the attacker’s control, the confirmation has to come through a channel the attacker does not hold.
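As an added example, not from the article, here is a Python posture check that turns the two configuration points discussed on this page (the UAC level under user behavior, and Windows Script Host handling here) into something auditable: pure functions that interpret the relevant registry values, a hardening plan, and a rendered .reg file to apply it. The value semantics are Microsoft’s documented UAC policy values, and the key paths and the Edit default verb for VBSFile are standard Windows; the function names and the weak sample configuration are assumptions for the example. The live read uses winreg and only runs on Windows.

```python
"""Audit and harden the Windows settings this campaign relies on.

Added example, not from the original article. Pure functions take registry
values as dicts so they run anywhere; read_live() uses winreg on Windows.
"""
import platform

UAC_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"  # under HKLM
WSH_KEY = r"SOFTWARE\Microsoft\Windows Script Host\Settings"            # under HKLM
VBS_SHELL_KEY = r"VBSFile\Shell"                                        # under HKCR

# Documented meanings of ConsentPromptBehaviorAdmin.
CONSENT_LABELS = {
    0: "elevate without prompting",
    1: "prompt for credentials on the secure desktop",
    2: "prompt for consent on the secure desktop (Always notify)",
    3: "prompt for credentials",
    4: "prompt for consent",
    5: "prompt for consent for non-Windows binaries (Windows default)",
}


def assess_uac(values):
    """Interpret the UAC policy values; absent values mean Windows defaults.
    prompts_before_policy_write is True when a script that tries to rewrite
    these very values would hit a UAC prompt (they live under HKLM and need
    an elevated token)."""
    enable_lua = int(values.get("EnableLUA", 1))
    consent = int(values.get("ConsentPromptBehaviorAdmin", 5))
    secure = int(values.get("PromptOnSecureDesktop", 1))
    if not enable_lua:
        level = "UAC disabled (EnableLUA=0)"
    else:
        level = CONSENT_LABELS.get(consent, f"unknown ConsentPromptBehaviorAdmin={consent}")
    return {
        "level": level,
        "secure_desktop": bool(secure),
        "prompts_before_policy_write": bool(enable_lua) and consent != 0,
    }


def wsh_enabled(values):
    """Windows Script Host honours Settings\\Enabled; an absent value means enabled."""
    return int(values.get("Enabled", 1)) != 0


def hardening_plan(uac_values, wsh_values, vbs_default_verb=""):
    """Registry writes that close the gaps: (hive, key, name, kind, data).
    name None stands for the key's (Default) value."""
    plan = []
    if not assess_uac(uac_values)["prompts_before_policy_write"]:
        plan.append(("HKEY_LOCAL_MACHINE", UAC_KEY, "EnableLUA", "dword", 1))
        plan.append(("HKEY_LOCAL_MACHINE", UAC_KEY, "ConsentPromptBehaviorAdmin", "dword", 5))
    if wsh_enabled(wsh_values):
        plan.append(("HKEY_LOCAL_MACHINE", WSH_KEY, "Enabled", "dword", 0))
    if (vbs_default_verb or "").lower() != "edit":
        # Making Edit the default verb means double-click opens the script in Notepad.
        plan.append(("HKEY_CLASSES_ROOT", VBS_SHELL_KEY, None, "string", "Edit"))
    return plan


def render_reg(plan):
    """Serialise the plan as a .reg file (importable from an elevated prompt)."""
    if not plan:
        return ""
    lines = ["Windows Registry Editor Version 5.00", ""]
    current = None
    for hive, key, name, kind, data in plan:
        section = f"[{hive}\\{key}]"
        if section != current:
            if current is not None:
                lines.append("")
            lines.append(section)
            current = section
        lhs = "@" if name is None else f'"{name}"'
        rhs = f"dword:{data:08x}" if kind == "dword" else f'"{data}"'
        lines.append(f"{lhs}={rhs}")
    return "\n".join(lines) + "\n"


def read_live():
    """Read the real values (Windows only); returns None elsewhere."""
    if platform.system() != "Windows":
        return None
    import winreg

    def values_of(hive, key):
        out = {}
        try:
            with winreg.OpenKey(hive, key) as k:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(k, i)
                    except OSError:
                        break
                    out[name] = data
                    i += 1
        except OSError:
            pass  # key absent: defaults apply
        return out

    return (values_of(winreg.HKEY_LOCAL_MACHINE, UAC_KEY),
            values_of(winreg.HKEY_LOCAL_MACHINE, WSH_KEY),
            values_of(winreg.HKEY_CLASSES_ROOT, VBS_SHELL_KEY).get("", ""))


if __name__ == "__main__":
    live = read_live()
    if live is None:
        live = ({"EnableLUA": 0}, {}, "")  # constructed weak configuration for the demo
    uac, wsh, verb = live
    print("UAC:", assess_uac(uac))
    print("WSH enabled:", wsh_enabled(wsh), "| .vbs default verb:", verb or "Open")
    print(render_reg(hardening_plan(uac, wsh, verb)), end="")
```

Disabling Windows Script Host machine-wide also stops legitimate logon scripts and admin tooling that rely on cscript.exe, so test it before rolling it out, or use the per-user HKCU key only for the accounts that receive WhatsApp attachments. Re-enabling EnableLUA takes effect after a reboot, and importing the .reg file needs an elevated prompt, which is itself the UAC check the attackers were trying to remove.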

Organizations should implement application control policies that block unsigned or unexpected scripts from running, and deploy endpoint detection and response tools that monitor for living-off-the-land techniques. Application allowlisting can keep ManageEngine Endpoint Central from being installed unless it comes from an approved source, with one caveat: the agent is legitimately signed, so a rule that trusts the publisher will wave it through. The rule has to key on the approved installer path or hash, or on the fact that the installation was started by wscript.exe rather than by the organization’s deployment tooling. Network segmentation and monitoring of remote-management traffic can detect when internal machines connect to unknown servers; an allowlist of the organization’s own Endpoint Central server addresses makes any other destination an immediate finding. Security awareness training should emphasize that trusted contacts can be compromised and that business-themed attachments always warrant verification.

What to watch next

Security researchers are likely to uncover additional variants as attackers refine filenames, delivery methods, and evasion techniques. The use of legitimate remote-management tools suggests the campaign may expand to other products in the same category, so defenders should monitor for unexpected installations of similar software. The compromise of WhatsApp accounts also raises questions about how attackers are gaining access—whether through credential theft, session hijacking, or malware on mobile devices—and whether similar tactics will appear on other messaging platforms.

For users and organizations, the key takeaway is that social engineering combined with living-off-the-land tactics remains a potent threat. Defenses must evolve beyond simple file scanning to include behavioral monitoring, application control, and user verification workflows. As attackers continue to blend malicious activity with legitimate tools, the line between normal IT operations and compromise will keep blurring, making layered defenses and rapid response essential.
