ONE Sentinel

Microsoft Warns of WhatsApp-Delivered VBS Malware Hijacking Windows via UAC Bypass

Source: The Hacker News
April 1, 2026

EXECUTIVE SUMMARY

WhatsApp-Delivered VBS Malware Exploits UAC Bypass to Hijack Windows

Summary

Microsoft has issued a warning about a new malware campaign that uses WhatsApp messages to distribute malicious Visual Basic Script (VBS) files. This campaign, which began in late February 2026, employs these scripts to execute a multi-stage infection process that establishes persistence and enables remote access on Windows systems.

Key Points

  • The campaign started in late February 2026.
  • Malicious VBS files are distributed via WhatsApp messages.
  • The malware uses a multi-stage infection chain.
  • The attack exploits a User Account Control (UAC) bypass to gain control over Windows systems.
  • Microsoft has highlighted this threat but has not detailed the specific lures used by attackers.

Analysis

This malware campaign is significant due to its use of a popular messaging platform, WhatsApp, to deliver malicious payloads, potentially affecting a large number of users. The exploitation of a UAC bypass is particularly concerning as it allows the malware to gain elevated privileges on Windows systems, making it a critical threat that can lead to unauthorized remote access and persistence.

Conclusion

IT professionals should educate users about the risks of opening unsolicited messages and attachments, especially those received via WhatsApp. Implementing robust endpoint protection and monitoring for unusual script execution can help mitigate this threat.
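One way to approach the script-execution monitoring recommended above, as an added example that is not from Microsoft or the original article: it triages process-creation events for Windows Script Host running a VBS file that was launched by, or stored under, a messaging client. The event field names, the `whatsapp.exe` parent name, the `whatsapp` path hint and the sample events are assumptions constructed for illustration.

```python
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # Windows Script Host binaries
SCRIPT_EXTS = (".vbs", ".vbe")
# Assumptions: client process name and path hint; tune both to your own fleet.
MESSENGER_PARENTS = {"whatsapp.exe"}
PATH_HINT = "whatsapp"

def script_args(command_line):
    """Return the VBS script paths named on a command line (quoted or bare)."""
    tokens = [q or b for q, b in re.findall(r'"([^"]*)"|(\S+)', command_line)]
    return [t for t in tokens if t.lower().endswith(SCRIPT_EXTS)]

def triage(event):
    """Return the reasons an event is suspicious; an empty list means ignore."""
    image = ntpath.basename(event["image"]).lower()
    scripts = script_args(event["command_line"])
    if image not in SCRIPT_HOSTS or not scripts:
        return []
    parent = ntpath.basename(event["parent_image"]).lower()
    reasons = []
    if parent in MESSENGER_PARENTS:
        reasons.append("script host spawned by messaging client")
    if any(PATH_HINT in s.lower() for s in scripts):
        reasons.append("script stored under a messaging-client path")
    return reasons

# Constructed sample events (process-creation style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Program Files\WindowsApps\WhatsApp\WhatsApp.exe",
     "command_line": r'wscript.exe "C:\Users\alice\Downloads\WhatsApp\invoice 2026.vbs"'},
    {"image": r"C:\Windows\System32\cscript.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"cscript.exe //nologo C:\Windows\System32\slmgr.vbs /dlv"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"notepad.exe C:\Users\alice\notes.vbs"},
]

def alerts(events):
    """Pair each suspicious command line with its triage reasons."""
    return [(e["command_line"], r) for e in events if (r := triage(e))]

if __name__ == "__main__":
    for cmd, reasons in alerts(SAMPLE_EVENTS):
        print(cmd, "->", "; ".join(reasons))
```

Only the first sample event is flagged; the routine `slmgr.vbs` run and the non-script-host process are ignored, which keeps the rule narrow enough to alert on.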