'By combining trusted platforms with legitimate tools, the threat actor reduces visibility and increases the likelihood of successful execution': Microsoft warns WhatsApp users to exercise extra caution — or pay the price
WhatsApp malware campaign delivers VBS scripts and MSI files
- WhatsApp files deliver VBS malware that silently installs and gains full control
- Hidden folders and renamed Windows tools let attackers blend into normal operations
- Malware retrieves secondary scripts from trusted cloud services to avoid detection
Microsoft has identified a multi-stage malware campaign that uses WhatsApp to deliver Visual Basic Script (VBS) files and exploits the trust users place in familiar messaging platforms.
Attackers send files that appear harmless through WhatsApp, but opening them triggers a silent installation that grants hidden system control to adversaries.
Once executed, the scripts create concealed folders under C:\ProgramData and drop renamed versions of legitimate Windows utilities, such as curl.exe renamed to netapi.dll and bitsadmin.exe renamed to sc.exe.
Attackers hide malware inside normal system tools
By placing these tools in ordinary system paths, attackers make them blend into routine operations. Renaming a binary does not change its embedded metadata, however, so security solutions that inspect a file's original name in its version resource (the OriginalFilename field) can still identify the real utility behind the disguise.
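The metadata check described above, as an added PowerShell hunting script that is not part of Microsoft's report or the article. It walks a scan root (C:\ProgramData, the directory the article names; assumed as the default), includes hidden folders, identifies PE files by their MZ header regardless of extension, and flags any whose version-resource OriginalFilename disagrees with the on-disk name, which is exactly what curl.exe saved as netapi.dll or bitsadmin.exe saved as sc.exe would show:

```powershell
# Added example, not code from Microsoft's report or the article. Hunts for renamed
# Windows utilities under a scan root. Renaming a binary on disk does not touch its
# PE version resource, so curl.exe copied to netapi.dll still reports
# OriginalFilename = "curl.exe".
param(
    [string]$Root = 'C:\ProgramData'   # assumption: the staging directory named in the article
)

function Test-IsPE {
    # A PE file (EXE or DLL) starts with the two-byte "MZ" DOS header whatever its extension.
    param([string]$Path)
    try {
        $fs = [System.IO.File]::OpenRead($Path)
        try {
            $buf = New-Object byte[] 2
            return ($fs.Read($buf, 0, 2) -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)
        } finally {
            $fs.Dispose()
        }
    } catch {
        return $false   # unreadable (locked, access denied): skipped, not a verdict
    }
}

function Find-RenamedUtilities {
    param([string]$Path)
    $findings = New-Object System.Collections.Generic.List[object]

    # -Force walks hidden and system entries; the campaign hides its folders that way.
    Get-ChildItem -Path $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { Test-IsPE $_.FullName } |
        ForEach-Object {
            $original  = $_.VersionInfo.OriginalFilename
            $hiddenDir = $_.Directory.Attributes.HasFlag([System.IO.FileAttributes]::Hidden)
            $reason    = $null

            if ([string]::IsNullOrWhiteSpace($original)) {
                # No version resource at all: a stripped tool or a bespoke payload.
                $reason = 'PE without version info'
            } elseif ([System.IO.Path]::GetFileNameWithoutExtension($original) -ne $_.BaseName) {
                # The resource names a different file: curl.exe posing as netapi.dll,
                # bitsadmin.exe posing as sc.exe, and so on. (-ne is case-insensitive.)
                $reason = "OriginalFilename '$original' does not match on-disk name"
            }

            if ($reason) {
                $shown = if ($original) { $original } else { '<none>' }
                $findings.Add([pscustomobject]@{
                    Path             = $_.FullName
                    OriginalFilename = $shown
                    HiddenDir        = $hiddenDir
                    SHA256           = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                    Reason           = $reason
                })
            }
        }
    return $findings
}

Find-RenamedUtilities -Path $Root |
    Sort-Object HiddenDir -Descending |
    Format-Table Path, OriginalFilename, HiddenDir, Reason -AutoSize
```

Treat the output as hunt leads rather than verdicts: some legitimate installers ship binaries whose OriginalFilename differs from the deployed name, and an attacker who strips the version resource entirely lands in the "PE without version info" bucket instead. The SHA256 column is there so a hit can be compared against the hash of the genuine utility in C:\Windows\System32.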
The malware alters system settings to launch automatically after every reboot, ensuring survival even when users believe they removed the threat.
Microsoft warns that this approach combines social engineering with living-off-the-land techniques, increasing the likelihood of successful execution without raising immediate alerts.
“By combining trusted platforms with legitimate tools, the threat actor reduces visibility and increases the likelihood of successful execution,” Microsoft said in a blog post.
After the initial infection, the malware retrieves secondary payloads from cloud services, including AWS S3, Tencent Cloud, and Backblaze B2.
These droppers, delivered as auxs.vbs and WinUpdate_KB5034231.vbs, abuse trusted cloud infrastructure so that the malicious downloads look like legitimate network traffic.
The malware also modifies User Account Control settings and repeatedly attempts to run cmd.exe with elevated privileges until it succeeds.
It alters registry entries under HKLM\Software\Microsoft\Win to suppress UAC prompts, so that elevation for an administrative account proceeds without the user being asked to approve it.
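The UAC tampering described above, as an added PowerShell check that is not part of Microsoft's report. It assumes the affected values sit at their standard location, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (the article prints only a truncated key path), and, where Sysmon is installed with registry auditing enabled (a further assumption), counts recent writes to those values so the "keeps trying until it succeeds" pattern shows up as repeated events from the same process:

```powershell
# Added example, not code from Microsoft's report. Snapshots the UAC policy values the
# campaign tampers with and, where Sysmon is present, lists recent writes to them.
# Assumptions: values live under the standard policy key below; Sysmon logs registry
# value sets (Event ID 13).
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacState {
    $p = Get-ItemProperty -Path $UacKey -ErrorAction Stop
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA                   # 1 = UAC on, 0 = off
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin  # 0 = elevate silently, 5 = default prompt
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop       # 1 = prompt on the secure desktop
    }
}

function Test-UacTampering {
    $s = Get-UacState
    $findings = @()
    if ($s.EnableLUA -ne 1) {
        $findings += "EnableLUA=$($s.EnableLUA): UAC is disabled; admin processes start fully elevated"
    }
    if ($null -eq $s.ConsentPromptBehaviorAdmin -or $s.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += "ConsentPromptBehaviorAdmin=$($s.ConsentPromptBehaviorAdmin): administrators elevate without any prompt"
    }
    if ($s.PromptOnSecureDesktop -ne 1) {
        $findings += "PromptOnSecureDesktop=$($s.PromptOnSecureDesktop): prompts appear on the normal desktop and can be spoofed or auto-clicked"
    }
    return $findings
}

function Get-EventField {
    # Pulls one EventData field out of a Sysmon event by name, independent of message formatting.
    param($Event, [string]$Name)
    (([xml]$Event.ToXml()).Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-RecentUacWrites {
    param([int]$Hours = 24)
    # Sysmon Event ID 13 = RegistryEvent (Value Set); TargetObject names the value written.
    $pattern = 'Policies\\System\\(EnableLUA|ConsentPromptBehaviorAdmin|PromptOnSecureDesktop)$'
    try {
        Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-Sysmon/Operational'
            Id        = 13
            StartTime = (Get-Date).AddHours(-$Hours)
        } -ErrorAction Stop |
        ForEach-Object {
            $target = Get-EventField $_ 'TargetObject'
            if ($target -match $pattern) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Process = Get-EventField $_ 'Image'
                    Value   = $Matches[1]
                    Details = Get-EventField $_ 'Details'
                }
            }
        }
    } catch {
        Write-Warning "Sysmon log not available: $($_.Exception.Message)"
    }
}

$issues = Test-UacTampering
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { 'UAC policy values are at hardened settings.' }

# Many writes to the same value from one image is the retry loop the article describes.
Get-RecentUacWrites | Group-Object Process, Value | Sort-Object Count -Descending | Select-Object Count, Name
```

A single write to these values is normal during imaging or policy rollout; the signal is a non-installer process such as cmd.exe or wscript.exe setting them, or the same image writing them many times in a short window. Where Sysmon is not deployed, the equivalent is Security event 4657 with a SACL on the policy key.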
In the final stage, attackers deploy malicious Microsoft Installer (MSI) files such as Setup.msi, WinRAR.msi, LinkPoint.msi, and AnyDesk.msi onto compromised systems.
These unsigned installers, named to resemble ordinary software, give attackers persistent remote access and enable data theft, further malware deployment, or enrolment of infected machines into botnets.
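A quick way to act on the "unsigned installer" detail, as an added PowerShell report that is not Microsoft's or the article's code. The search roots are an assumption about where dropped installers usually land; the watched file names are the ones the article lists. A genuine WinRAR or AnyDesk installer carries a valid Authenticode signature from its vendor, so a file with one of these names that comes back NotSigned is a strong lead:

```powershell
# Added example, not code from Microsoft's report or the article. Reports the
# Authenticode status of every .msi under the given roots and highlights names the
# campaign is reported to use. Roots are an assumption.
$Roots = @($env:TEMP, $env:ProgramData, (Join-Path $env:USERPROFILE 'Downloads'))
$CampaignNames = @('Setup.msi', 'WinRAR.msi', 'LinkPoint.msi', 'AnyDesk.msi')   # from the article

function Get-MsiSignatureReport {
    param([string[]]$Paths, [string[]]$WatchNames)
    Get-ChildItem -Path $Paths -Recurse -Force -Filter '*.msi' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Get-AuthenticodeSignature understands MSI files: a vendor installer comes back
            # Valid with the vendor's certificate, a dropped one NotSigned.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            [pscustomobject]@{
                Path        = $_.FullName
                WatchedName = ($_.Name -in $WatchNames)
                Status      = $sig.Status
                Signer      = $signer
                SHA256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            }
        }
}

Get-MsiSignatureReport -Paths $Roots -WatchNames $CampaignNames |
    Where-Object { $_.Status -ne 'Valid' -or $_.WatchedName } |
    Sort-Object WatchedName -Descending |
    Format-Table Path, WatchedName, Status, Signer -AutoSize
```

Status values other than Valid (NotSigned, HashMismatch, UnknownError) all merit a look; a Valid result only says the file was signed by the certificate shown, so check that the Signer subject is the vendor you expect rather than stopping at the status alone.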
Microsoft recommends monitoring repeated tampering with UAC and registry modifications as key indicators of compromise.
Organizations should restrict execution of script hosts, monitor renamed system utilities, and educate users about social engineering tactics.
Microsoft emphasizes the importance of cloud-delivered protection, tamper protection, and endpoint detection and response operating in block mode.
Security teams must monitor cloud traffic closely, as conventional detection methods may struggle to distinguish these operations from routine enterprise activity.
AI tools can help analyze behavioral anomalies, correlate telemetry, and identify suspicious WhatsApp attachments.
Failing to exercise caution can result in permanent data loss, as attackers gain full device control and access to sensitive personal information.
Microsoft stresses that even a single careless click could allow this malware to bypass ordinary endpoint protections.

Efosa has been writing about technology for over 7 years, initially driven by curiosity but now fueled by a strong passion for the field. He holds both a Master's and a PhD in sciences, which provided him with a solid foundation in analytical thinking.