Security researchers at Kaspersky disclosed an active phishing campaign using compromised WhatsApp accounts to distribute malware across multiple countries spanning several continents. The campaign delivers Visual Basic Script (VBScript) payloads disguised as business documents—invoices, contracts, payroll records—that, when executed, install ManageEngine’s remote monitoring and management (RMM) software on victim machines. That gives attackers persistent remote access through a tool most IT security stacks treat as trusted. The campaign was active as of June 23, 2026.
How the Attack Works
Attackers send files from compromised WhatsApp accounts to the victim’s contacts using WhatsApp’s file-sharing features. Recipients believe the message comes from a known sender. When they download and open the attached file, a VBScript triggers a multi-stage infection chain that ends with ManageEngine’s RMM tool running on the system.
The attack’s effectiveness comes down to trust. Security awareness training tells users to treat links and attachments from unknown senders with suspicion—but a message from a contact’s phone number clears that filter automatically. Recipients have no easy way to know the account sending it has been compromised without verifying through a separate channel.
Why VBScript Delivery Lets the WhatsApp Campaign Bypass Windows Script Defenses
VBScript is enabled by default on most Windows systems and appears regularly in legitimate enterprise automation, so execution is less likely to raise immediate suspicion. Business environments running mixed Windows versions or legacy configurations with Windows Script Host active are particularly exposed. Security teams in affected regions should review Windows Script Host policies and assess whether disabling VBScript execution is feasible where no legitimate business use case exists.
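The review the paragraph above calls for can be scripted. The following PowerShell is an added example, not part of Kaspersky's report: it reads the documented Windows Script Host policy value (`Enabled` under the `Windows Script Host\Settings` key, machine-wide and per-user) so a team can see whether `.vbs` attachments would run at all, and includes a function that sets the machine-wide value to 0 for hosts where no legitimate script automation exists.

```powershell
# Added example, not part of Kaspersky's report: audit (and optionally set) the
# Windows Script Host policy that controls whether .vbs/.js files run at all.
# The registry paths and the "Enabled" DWORD are the documented WSH settings;
# a value of 0 makes wscript.exe/cscript.exe refuse to run scripts in that scope.
$WshPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'   # machine-wide
    'HKCU:\SOFTWARE\Microsoft\Windows Script Host\Settings'   # current user
)

function Get-WshPolicy {
    foreach ($path in $WshPaths) {
        $value = $null
        if (Test-Path $path) {
            $value = (Get-ItemProperty -Path $path -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
        }
        if ($null -eq $value)  { $policy = 'not set: WSH active (default)' }
        elseif ($value -eq 0)  { $policy = 'disabled' }
        else                   { $policy = 'enabled' }
        [pscustomobject]@{
            Scope  = $path
            Policy = $policy
        }
    }
}

function Disable-Wsh {
    # Machine-wide policy; needs an elevated session. Apply only where no
    # legitimate .vbs/.js automation exists, as the text above advises.
    $path = $WshPaths[0]
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
    Get-WshPolicy | Where-Object Scope -eq $path
}

Get-WshPolicy | Format-Table -AutoSize
```

Run `Get-WshPolicy` first across a sample of hosts to learn where the value is already managed by Group Policy; `Disable-Wsh` is deliberately separate so that the audit can be rolled out fleet-wide while the change is limited to hosts with no business dependency on WSH. Where administrators still need `cscript.exe`, a lighter alternative is to change the default handler for the `.vbs` file type to a text editor so a double-clicked attachment opens as text instead of executing.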
The ManageEngine Misdirection
The final payload is not custom malware—it is authentic ManageEngine RMM software. That choice is deliberate. Legitimate RMM tools are widely whitelisted by enterprise security stacks and excluded from behavioral analysis because IT administrators use them daily for patch distribution, remote support, and network monitoring. By installing genuine software, attackers blend their access with normal IT activity and sidestep endpoint detection that would flag a custom backdoor.
This “living off the land” approach—co-opting legitimate administrative tools for unauthorized access—has become a defining feature of sophisticated intrusion campaigns. The difference here is the delivery vector: WhatsApp, not a corporate email gateway.
A Gap in Enterprise Detection Coverage
Traditional email security gateways scan attachments and flag malicious files. Organizations have had years to mature those controls. WhatsApp traffic bypasses email security entirely, and endpoint policies are often not configured to monitor file downloads from consumer messaging apps. Organizations that allow WhatsApp on business or BYOD devices should verify whether MDM policies restrict file downloads and script execution from messaging platforms.
How WhatsApp’s File-Sharing Features Evade the Email Gateways Designed to Stop Malicious Attachments
Kaspersky recommends disabling file downloads from untrusted WhatsApp contacts, training users to confirm unexpected file requests through a separate channel before downloading, and auditing all ManageEngine Endpoint Central installations against known IT deployment windows. Security teams should implement continuous monitoring for anomalous RMM behavior, including unexpected outbound connections, lateral movement attempts, privilege escalation events, and scheduled task creation that does not align with known administrative activity. Any unauthorized ManageEngine installation should be treated as a confirmed breach requiring immediate containment, forensic investigation, and credential resets across all systems the attacker could have accessed.
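The audit and monitoring steps above can be started with a single host-level script. The following PowerShell is an added example, not Kaspersky's tooling: it lists ManageEngine Endpoint Central installs found in the Uninstall registry keys and compares their install date with an approved deployment window (the window dates are assumptions; take them from change records), flags scheduled tasks whose action runs a script host or anything under a ManageEngine path, and maps established outbound TCP connections back to ManageEngine-owned processes.

```powershell
# Added example, not Kaspersky's tooling: review a Windows host for
# ManageEngine Endpoint Central installs outside an approved deployment window,
# scheduled tasks that launch a script host or the RMM agent, and established
# outbound connections owned by ManageEngine processes.
# The window dates below are assumptions; take them from your change records.
$WindowStart = Get-Date '2026-06-01'
$WindowEnd   = Get-Date '2026-06-05'

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-RmmInstalls {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'ManageEngine|Endpoint Central' } |
        ForEach-Object {
            # InstallDate is recorded as yyyyMMdd when the installer sets it.
            $installed = $null
            if ($_.InstallDate -match '^\d{8}$') {
                $installed = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
            }
            if ($null -eq $installed) { $verdict = 'unknown date: verify manually' }
            elseif ($installed -ge $WindowStart -and $installed -le $WindowEnd) { $verdict = 'in window' }
            else { $verdict = 'OUTSIDE WINDOW' }
            [pscustomobject]@{
                Name      = $_.DisplayName
                Version   = $_.DisplayVersion
                Installed = $installed
                Verdict   = $verdict
                Location  = $_.InstallLocation
            }
        }
}

function Get-SuspectTasks {
    # Flags tasks whose action runs wscript/cscript, a .vbs file, or a ManageEngine path.
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $cmd = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        if ($cmd -match 'wscript|cscript|\.vbs|ManageEngine') {
            [pscustomobject]@{
                Task       = "$($_.TaskPath)$($_.TaskName)"
                Author     = $_.Author
                Registered = $_.Date
                State      = $_.State
                Command    = $cmd
            }
        }
    }
}

function Get-RmmConnections {
    # Maps established TCP connections to the image path of the owning process.
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        if ($proc -and $proc.Path -match 'ManageEngine') {
            [pscustomobject]@{
                Process = $proc.ProcessName
                Path    = $proc.Path
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            }
        }
    }
}

'== ManageEngine installs ==';          Get-RmmInstalls     | Format-Table -AutoSize
'== Suspect scheduled tasks ==';        Get-SuspectTasks    | Format-Table -AutoSize
'== Established ManageEngine connections =='; Get-RmmConnections | Format-Table -AutoSize
```

Run it elevated so process paths and machine-wide keys are readable. An install marked `OUTSIDE WINDOW`, a task registered by a non-administrative account, or an agent connecting to an address that is not your Endpoint Central server is the trigger the text above describes for treating the host as breached; the same three checks map naturally onto scheduled EDR queries or a SIEM rule once the expected values are known.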
Infection chain: Compromised WhatsApp account → malicious file attachment → VBScript execution → ManageEngine RMM installation → persistent remote access.
Identified by: Kaspersky.
Status: Campaign active as of June 23, 2026.
