# WhatsApp Malware Campaign Delivering VBS Payloads and MSI Backdoors

* * *

## Executive Summary

In late February 2026, Microsoft Defender Experts detected a sophisticated attack campaign leveraging WhatsApp to distribute malicious Visual Basic Script (VBS) files to Windows users. Once a victim executes the file, a multi-stage infection chain is triggered, ultimately granting the attacker full system control via MSI backdoors. What makes this campaign particularly notable is its combination of **social engineering**, **Living-off-the-Land (LotL) techniques**, and **public cloud infrastructure** to evade security solutions.

* * *

## Threat Landscape

This campaign reflects a growing trend of abusing trusted communication platforms like WhatsApp to deliver malware. Rather than relying on traditional email phishing, attackers exploit the inherent trust users place in familiar messaging applications to lower their psychological defenses. Notably, **the lure content used to convince victims to open the VBS file has not yet been identified**.

* * *

## Detailed Attack Chain

The campaign unfolds across four distinct stages, each building the foundation for the next:

![](https://cdn.hashnode.com/uploads/covers/669e2578c18c3baa1b4fc070/eb77182f-f12b-4b03-a16a-2116b02c8289.png align="center")

### Stage 1 — Initial Access via WhatsApp

A malicious VBS file is sent directly through a WhatsApp message. Upon execution, the script:

*   Creates a hidden directory at `C:\ProgramData\EDS8738`
    
*   Copies and **renames legitimate Windows tools**: `curl.exe` → `netapi.dll`, `bitsadmin.exe` → `sc.exe`
    
*   The renamed files retain their original PE metadata (`OriginalFileName`), creating a detectable anomaly for EDR solutions
    

### Stage 2 — Cloud Payload Retrieval

Using the renamed binaries with downloader flags, the malware connects to reputable cloud services to fetch secondary payloads:

*   `auxs.vbs` and `WinUpdate_KB5034231.vbs` are hosted on **AWS S3**, **Tencent Cloud**, and **Backblaze B2**
    
*   This technique makes malicious requests appear as normal system traffic, making it extremely difficult to distinguish from legitimate activity
    

### Stage 3 — Privilege Escalation & Persistence

This is the most critical stage of the campaign:

*   The malware modifies the `ConsentPromptBehaviorAdmin` registry value to **disable UAC prompts**
    
*   It repeatedly attempts to launch `cmd.exe` with elevated privileges, looping until successful or forcibly interrupted
    
*   Persistence is written to `HKLM\Software\Microsoft\Win` to survive reboots
    
*   The entire privilege escalation process occurs **without any user interaction**
    

### Stage 4 — Final Backdoor Deployment

The final stage installs MSI packages that are **not digitally signed**:

| Filename | Description |
| --- | --- |
| `AnyDesk.msi` | Impersonates legitimate remote control software, establishes persistent access |
| `Setup.msi` | Generic backdoor installer |
| `WinRAR.msi` | Impersonates a popular archiving tool |
| `LinkPoint.msi` | Additional backdoor installer |

Through the fake AnyDesk installation, the attacker achieves **persistent remote access**, enabling data exfiltration, additional malware deployment, or enrollment of the system into a botnet.

* * *

## Technical Analysis

### MITRE ATT&CK Mapping

| Tactic | Technique | ID | Details |
| --- | --- | --- | --- |
| Initial Access | Phishing via Messaging Platform | T1566 | VBS delivered via WhatsApp |
| Execution | User Execution: Malicious File | T1204.002 | Victim manually executes VBS |
| Defense Evasion | Masquerading: Rename System Utilities | T1036.003 | curl.exe → netapi.dll |
| Defense Evasion | Abuse of Trusted Cloud Services | T1102 | AWS, Tencent, Backblaze |
| Privilege Escalation | Abuse Elevation Control: Bypass UAC | T1548.002 | Registry UAC bypass |
| Persistence | Registry Run Keys / Startup Folder | T1547.001 | HKLM registry modification |
| Command & Control | Remote Access Software | T1219 | AnyDesk backdoor |

### Evasion Highlights

This campaign is particularly dangerous due to the simultaneous use of multiple evasion techniques. The combination of legitimate Windows binaries (LotL) with cloud hosting renders signature-based and domain reputation-based security solutions largely ineffective. Furthermore, **delayed execution** and staged delivery help bypass sandbox behavioral analysis systems.

* * *

## Indicators of Compromise (IoCs)

### SHA-256 Hashes — VBS Scripts (Initial Stage)

| Hash | Description |
| --- | --- |
| `a773bf0d400986f9bcd001c84f2e1a0b614c14d9088f3ba23ddc0c75539dc9e0` | Initial VBS from WhatsApp |
| `22b82421363026940a565d4ffbb7ce4e7798cdc5f53dda9d3229eb8ef3e0289a` | Initial VBS from WhatsApp |

### SHA-256 Hashes — VBS Droppers (Cloud Stage)

| Hash | Description |
| --- | --- |
| `91ec2ede66c7b4e6d4c8a25ffad4670d5fd7ff1a2d266528548950df2a8a927a` | Script from cloud storage |
| `1735fcb8989c99bc8b9741f2a7dbf9ab42b7855e8e9a395c21f11450c35ebb0c` | Script from cloud storage |
| `5cd4280b7b5a655b611702b574b0b48cd46d7729c9bbdfa907ca0afa55971662` | Script from cloud storage |
| `630dfd5ab55b9f897b54c289941303eb9b0e07f58ca5e925a0fa40f12e752653` | Script from cloud storage |

### SHA-256 Hashes — MSI Installers (Final Payload)

| Hash | Description |
| --- | --- |
| `dc3b2db1608239387a36f6e19bba6816a39c93b6aa7329340343a2ab42ccd32d` | MSI installer |
| `a2b9e0887751c3d775adc547f6c76fea3b4a554793059c00082c1c38956badc8` | MSI installer |
| `15a730d22f25f87a081bb2723393e6695d2aab38c0eafe9d7058e36f4f589220` | MSI installer |

### URLs — Cloud Payload Hosting

| URL | Service |
| --- | --- |
| `hxxps[:]//bafauac.s3.ap-southeast-1.amazonaws[.]com` | Amazon S3 |
| `hxxps[:]//yifubafu.s3.ap-southeast-1.amazonaws[.]com` | Amazon S3 |
| `hxxps[:]//9ding.s3.ap-southeast-1.amazonaws[.]com` | Amazon S3 |
| `hxxps[:]//f005.backblazeb2.com/file/bsbbmks` | Backblaze B2 |
| `hxxps[:]sinjiabo-1398259625[.]cos.ap-singapore.myqcloud.com` | Tencent Cloud |

### C2 Domains

| Domain | Role |
| --- | --- |
| `Neescil[.]top` | Command & Control |
| `velthora[.]top` | Command & Control |

* * *

## Hunting Queries (Microsoft Defender / KQL)

The following queries were provided by Microsoft to hunt for related activity:

**Detect malicious VBS script execution:**

```kql
DeviceProcessEvents
| where InitiatingProcessFileName has "wscript.exe"
| where InitiatingProcessCommandLine has_all ("wscript.exe",".vbs")
| where ProcessCommandLine has_all ("ProgramData","-K","-s","-L","-o", "https:")
```

**Detect next-stage VBS payload retrieval:**

```kql
DeviceFileEvents
| where InitiatingProcessFileName endswith ".dll"
| where InitiatingProcessVersionInfoOriginalFileName contains "curl.exe"
| where FileName endswith ".vbs"
```

**Detect malicious MSI installer drop:**

```kql
DeviceFileEvents
| where InitiatingProcessFileName endswith ".dll"
| where InitiatingProcessVersionInfoOriginalFileName contains "curl.exe"
| where FileName endswith ".msi"
```

**Detect outbound C2 communication:**

```kql
DeviceNetworkEvents
| where InitiatingProcessFileName endswith ".dll"
| where InitiatingProcessVersionInfoOriginalFileName contains "curl.exe"
| where InitiatingProcessCommandLine has_all ("-s","-L","-o", "-k")
```

* * *

## Mitigation & Recommendations

### Endpoint Controls

*   **Restrict script hosts** in untrusted paths: `wscript.exe`, `cscript.exe`, `mshta.exe`
    
*   Monitor renamed Windows binaries executing with anomalous flags, especially `curl` and `bitsadmin` downloader flags
    
*   Enable **EDR in block mode** to neutralize malicious artifacts even when antivirus does not detect them
    

### Network & Cloud Monitoring

*   Audit and filter outbound traffic to public cloud services (AWS S3, Tencent Cloud, Backblaze B2) in enterprise contexts
    
*   Block connections to known C2 domains: `Neescil[.]top`, `velthora[.]top`
    

### Persistence Detection

*   Continuously monitor registry changes at `HKLM\Software\Microsoft\Win`
    
*   Alert on modifications to `ConsentPromptBehaviorAdmin` (indicator of UAC bypass)
    
*   Flag MSI package installations that lack valid digital signatures
    

### User Awareness

*   Train employees **never to open attachments** (especially `.vbs`, `.js`, `.bat`) received via messaging platforms such as WhatsApp — even from known contacts
    
*   Establish a clear incident reporting process for suspicious messages or files received via any communication channel
    

### Microsoft-Specific Recommendations

*   Enable **cloud-delivered protection** in Microsoft Defender Antivirus
    
*   Activate **Tamper Protection** combined with `DisableLocalAdminMerge`
    
*   Enable **Attack Surface Reduction (ASR) rules** to block LotL techniques
    

* * *

## Microsoft Defender Detections

| Tactic | Observed Activity | Detection Name |
| --- | --- | --- |
| Initial Access | Malicious VBS downloaded via WhatsApp | `Trojan:VBS/Obfuse.KPP!MTB` |
| Execution / Defense Evasion | Renaming `curl.exe`, `bitsadmin.exe` | `Suspicious curl behavior` |
| Privilege Escalation | Reading UAC settings, modifying registry | `Trojan:VBS/BypassUAC.PAA!MTB` |

* * *

## Analyst Assessment

This campaign demonstrates a high level of sophistication, integrating multiple evasion layers within a single, cohesive attack chain. The abuse of globally trusted cloud services (AWS, Tencent, Backblaze) reflects an emerging trend of **"living off trusted services"** — an evolution beyond traditional LotL techniques. While Microsoft has not publicly attributed this activity to a specific threat actor, the overall sophistication and use of AnyDesk as a persistent C2 mechanism strongly suggests this is the work of an **organized APT group or professional cybercrime operation** targeting enterprises. This campaign serves as a critical reminder that **no platform is inherently safe**, and enforcing a zero-trust policy toward all received files — regardless of the application used — is a non-negotiable requirement in today's enterprise security posture.

* * *

## Tham Khảo

1.  [WhatsApp malware campaign delivers VBScript and MSI backdoors](https://www.microsoft.com/en-us/security/blog/2026/03/31/whatsapp-malware-campaign-delivers-vbs-payloads-msi-backdoors/)
    
2.  [WhatsApp malware campaign uses malicious VBS files to gain persistent access](https://www.csoonline.com/article/4153092/whatsapp-malware-campaign-uses-malicious-vbs-files-to-gain-persistent-access.html)
    
3.  [Microsoft Warns of WhatsApp-Delivered VBS Malware Hijacking Windows via UAC Bypass](https://thehackernews.com/2026/04/microsoft-warns-of-whatsapp-delivered.html)
