WhatsApp malware campaign delivers VBScript and MSI backdoors

Summary: Microsoft reports a campaign using WhatsApp to distribute malware based on VBS and MSI, establishing backdoors in users' systems.

In February 2026, Microsoft Security Experts observed a malware distribution campaign in which malicious files were distributed via WhatsApp. Once the user executed them, the VBScript files started a multi-stage infection chain that created hidden files, renamed legitimate Windows tools to disguise them, and downloaded secondary payloads from trusted cloud services such as AWS S3, Tencent Cloud, and Backblaze B2. The malware ultimately installed MSI packages to establish persistence on the system, enabling continued remote access while avoiding obvious detection.

Key facts

  • A malware campaign began in February 2026.
  • Malware was distributed via WhatsApp, using VBS scripts to create a multi-stage infection chain.
  • Scripts created hidden files and renamed legitimate Windows tools.
  • Secondary payloads were downloaded from trusted cloud services.
  • The malware installed MSI packages to establish persistence.

Why it matters

This threat highlights the need for constant monitoring of popular messaging platforms and the importance of using security solutions that can detect these advanced techniques.
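
As an illustration of how the chain described above can be detected (an added example, not code from Microsoft's report): the sketch below triages process-creation records shaped like Sysmon Event ID 1 and flags a binary whose on-disk name differs from the OriginalFileName in its PE version resource, any child of a Windows script host, and msiexec launched by a script host. The sample events, file names, paths and URL are constructed placeholders, not indicators from the campaign.

```python
import ntpath

# Constructed sample records shaped like Sysmon Event ID 1 (process creation).
# Names, paths and the URL are placeholders, not indicators from the campaign.
EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe", "OriginalFileName": "wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Users\u\Downloads\document.vbs"'},
    {"Image": r"C:\ProgramData\cache\helper.exe", "OriginalFileName": "curl.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"helper.exe -o C:\ProgramData\cache\p.msi https://bucket.example.invalid/p.msi"},
    {"Image": r"C:\Windows\System32\msiexec.exe", "OriginalFileName": "msiexec.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"msiexec.exe /i C:\ProgramData\cache\p.msi /qn"},
    {"Image": r"C:\Windows\System32\msiexec.exe", "OriginalFileName": "msiexec.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\u\Downloads\setup.msi"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def base(path):
    """Lower-cased file name of a Windows path (works on any OS)."""
    return ntpath.basename(path or "").lower()

def findings(event):
    """Return the list of rule names this process-creation event matches."""
    hits = []
    image = base(event.get("Image"))
    parent = base(event.get("ParentImage"))
    original = (event.get("OriginalFileName") or "").lower()
    if original.endswith(".mui"):          # some system binaries report NAME.EXE.MUI
        original = original[:-4]
    # Renamed tool: version-resource name disagrees with the name on disk.
    if original and original not in ("-", "?") and image != original:
        hits.append("renamed_binary")
    # Script host spawning another program (payload download, installer, ...).
    if parent in SCRIPT_HOSTS and image != parent:
        hits.append("script_host_child")
    # MSI installation driven by a script rather than by the user or a service.
    if "msiexec.exe" in (image, original) and parent in SCRIPT_HOSTS:
        hits.append("msi_from_script")
    return hits

def triage(events):
    """Return (image name, matched rules) for every event with at least one hit."""
    return [(base(e["Image"]), findings(e)) for e in events if findings(e)]
```

The name-mismatch rule needs an allow-list in practice, since some legitimate software ships binaries whose file name differs from the version-resource name.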