
Campaign combines WhatsApp with legit cloud platforms to deliver malicious VBS files


A campaign was observed that uses WhatsApp messages to deliver malicious Microsoft Visual Basic Script (VBS) files — an attack that relies on a combination of social media and living-off-the-land techniques to establish persistence and execute remote access.

In a March 31 blog post, Microsoft Defender security researchers said that along with leveraging social engineering via WhatsApp, the campaign combines trusted platforms with legitimate tools to evade detection, increasing the likelihood of a successful breach.

According to the researchers, the attackers use renamed Windows utilities to blend into normal activity, retrieve payloads from trusted cloud services such as AWS, Tencent Cloud and Backblaze B2, and then install malicious Microsoft Installer (MSI) packages to control the system.

Dror Kashti, co-founder and CEO of Sweet Security, pointed out that attackers today aren’t breaking into environments, they’re blending into them. Kashti said this campaign shows how easily attackers can repurpose legitimate Windows utilities and trusted cloud services to carry out complex, multi-stage attacks that look and feel like normal system activity.

“Nothing in this attack is inherently malicious in isolation,” said Kashti. “The risk only becomes visible when you understand how these components behave together in real time — renamed binaries executing from hidden paths, unusual process chains, and persistent privilege escalation attempts. Without runtime visibility into Windows environments, organizations are left chasing artifacts after the fact, while attackers operate comfortably within what appears to be business as usual.”

Shane Barney, chief information security officer at Keeper Security, added that the attack was effective because it blends seamlessly into normal operations. Barney said it starts with a simple social-engineering tactic over WhatsApp, but quickly shifts into something far more difficult to detect by relying on legitimate system tools and trusted cloud infrastructure.

“The real issue is what happens after execution,” said Barney. “If those tools can run with elevated privileges or transition into privileged access without strong controls, the attacker can establish persistence and remote access very quickly. At that point, the activity looks like normal administrative behavior, which reduces the effectiveness of traditional detection.”

Kevin Surace, chair at TokenCore, said security teams should treat this case with WhatsApp and trusted platforms as an application control and endpoint hardening problem, not just a script blocking problem. Surace said Microsoft recommends using Defender for Endpoint in block mode, enabling network protection and web protection, and turning on attack surface reduction rules that block obfuscated scripts and prevent JavaScript or VBScript from launching downloaded executable content.

“Those steps directly target the infection chain this campaign relies on,” said Surace. Beyond that, Surace said teams should take the following steps:

  • Lock down MSI execution.
  • Monitor for renamed system binaries whose file metadata does not match the filename, and alert on suspicious registry modifications under sensitive HKLM paths.
  • Restrict or closely monitor remote access tool installs such as AnyDesk.
  • Use AppLocker or Windows Defender Application Control in high-risk environments to constrain which scripts, MSI packages, DLLs, and utilities are allowed to run at all.
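The second item above describes two checks a defender can run directly. The following PowerShell script is an added example written for this article; it is not code from Microsoft, Sweet Security, Keeper Security or TokenCore. It compares each running process's on-disk file name with the `OriginalFilename` field in its PE version metadata (a renamed `msiexec.exe` or `certutil.exe` still carries its original name there), and lists HKLM Run/RunOnce persistence entries whose command line points into user-writable locations. The set of registry keys and the path pattern are assumptions to be tuned per environment.

```powershell
# Added example (not from the article or any vendor named in it).
# Check 1: processes whose on-disk name differs from the PE "OriginalFilename" metadata.
# Check 2: HKLM Run/RunOnce entries pointing into user-writable locations.
# Run from an elevated session so all processes and HKLM are readable.

function Get-RenamedBinaryProcess {
    [CmdletBinding()]
    param()
    Get-CimInstance Win32_Process |
        Where-Object { $_.ExecutablePath -and (Test-Path -LiteralPath $_.ExecutablePath) } |
        ForEach-Object {
            $vi = (Get-Item -LiteralPath $_.ExecutablePath).VersionInfo
            if (-not $vi.OriginalFilename) { return }   # no metadata to compare; skip
            # Compare base names only: OriginalFilename often differs in case or extension.
            $onDisk   = [IO.Path]::GetFileNameWithoutExtension($_.ExecutablePath)
            $original = [IO.Path]::GetFileNameWithoutExtension($vi.OriginalFilename)
            if ($onDisk -ine $original) {
                [pscustomobject]@{
                    Pid              = $_.ProcessId
                    ParentPid        = $_.ParentProcessId
                    Path             = $_.ExecutablePath
                    OriginalFilename = $vi.OriginalFilename
                    Company          = $vi.CompanyName
                    CommandLine      = $_.CommandLine
                }
            }
        }
}

# Assumed list of locations a downloaded installer or script typically writes to;
# a persistence command pointing here deserves review. Extend as needed.
$SuspiciousPathPattern = '\\(ProgramData|Users\\[^\\]+\\AppData|Users\\Public|Windows\\Temp|Temp)\\'

function Get-SuspiciousRunKeyEntry {
    [CmdletBinding()]
    param()
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the registry provider's own properties
            $cmd = [string]$p.Value
            if ($cmd -match $SuspiciousPathPattern) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $cmd }
            }
        }
    }
}

Get-RenamedBinaryProcess  | Format-Table -AutoSize
Get-SuspiciousRunKeyEntry | Format-Table -AutoSize
```

Expect some benign hits from the first check: packaged applications (Electron-based apps, for example) sometimes ship an executable whose `OriginalFilename` is the framework's name rather than the product's. The `Company` and `ParentPid` columns are there for that triage; a Microsoft-signed `OriginalFilename` running from a path under `ProgramData` or a user profile is the combination worth escalating.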

“Microsoft utilities should no longer be treated as automatically trustworthy just because they are legitimate binaries,” said Surace. “Attackers increasingly abuse native tools because they know defenders are less likely to challenge them, and Microsoft’s own writeup shows renamed legitimate utilities being used as part of the attack chain. Trust has to become contextual, not brand based.”
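Surace's earlier point about attack surface reduction rules also translates into a concrete check. The script below is an added example, not code from the article or from Microsoft's own tooling: it reports the state of the two Defender ASR rules the text names (blocking potentially obfuscated scripts, and blocking JavaScript or VBScript from launching downloaded executable content) and can switch them to audit or block mode. The rule GUIDs are Microsoft's published identifiers for those rules; confirm them against current Defender documentation before relying on them. An elevated session on a host running Microsoft Defender Antivirus is assumed.

```powershell
# Added example (not from the article or Microsoft's own tooling).
# Audit and, on request, set the two ASR rules discussed above.

$AsrRules = [ordered]@{
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    'd3e037e1-3cb8-44c8-a917-57927947596d' = 'Block JavaScript or VBScript from launching downloaded executable content'
}

# Numeric action codes as Get-MpPreference reports them.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    [CmdletBinding()]
    param()
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($id in $AsrRules.Keys) {
        $code = 0   # a rule absent from the configured list is effectively disabled
        for ($i = 0; $i -lt $ids.Count; $i++) {
            if ($ids[$i] -ieq $id) { $code = [int]$actions[$i]; break }
        }
        $state = if ($ActionNames.ContainsKey($code)) { $ActionNames[$code] } else { "Unknown($code)" }
        [pscustomobject]@{ RuleId = $id; Rule = $AsrRules[$id]; State = $state }
    }
}

function Set-AsrRuleMode {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet('AuditMode', 'Enabled', 'Warn')]
        [string]$Mode = 'AuditMode'
    )
    foreach ($id in $AsrRules.Keys) {
        if ($PSCmdlet.ShouldProcess($AsrRules[$id], "set ASR rule to $Mode")) {
            # Add-MpPreference merges into the existing rule list instead of replacing it,
            # so rules configured elsewhere are left untouched.
            Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
        }
    }
}

Get-AsrRuleState | Format-Table -AutoSize
# Roll out in audit mode first, review the resulting Defender events, then move to block:
# Set-AsrRuleMode -Mode AuditMode
# Set-AsrRuleMode -Mode Enabled -WhatIf   # drop -WhatIf to apply
```

Audit mode is the sensible first step on fleets that run signed-but-unusual scripts as part of normal operations; the audit events show what block mode would have stopped before it interrupts anyone.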
