You get a WhatsApp message from someone you know. No small talk—just a file that looks like a routine business doc: an invoice, a report, an “account notice.” You think, “It’s probably fine.” That’s the whole setup. In June 2026, Kaspersky reported a WhatsApp phishing campaign where compromised accounts push a heavily obfuscated VBScript file that can kick off a Windows infection chain and end with a legit IT admin tool—ManageEngine Endpoint Central—quietly installed and calling back to attacker-controlled servers for remote control.
What the attacker is really sending (and why it works)
What lands in your WhatsApp chat isn’t some sketchy “hacker tool.” It’s usually a single attachment that looks like everyday work: a billing statement, a financial report, an “account notice.” Kaspersky’s reporting (as covered in the June 2026 write-up) describes messages that show up with no real conversation, just a heavily obfuscated VBScript (.vbs) file and a filename meant to feel routine.
That small detail is the whole trick: it doesn’t feel like a “phishing message.” It feels like something you’d open to keep work moving.
The real payload is trust, not the file
This campaign leans on a psychological shortcut most of us use all day:
- The sender looks familiar. Kaspersky concluded the threat actor gained access to real WhatsApp accounts and used them to message people already in the victim’s contact list.
- The filename matches real life. The attachments are named like common business docs—billing statements, account notices, financial reports—things people open on autopilot.
- The language matches the target. Filenames were localized across multiple languages, which helps the file blend in even more.
This is why “I know the person” isn’t a safety check anymore. If their account is compromised, their name becomes the attacker’s best social engineering tool.
This isn’t a weird one-off
Kaspersky telemetry shows the WhatsApp phishing campaign hitting users across Brazil, India, Mexico, Singapore, the UK, Spain, Taiwan, Australia, Russia, Vietnam, and Malaysia.
That mix matters: it signals a campaign that’s been operationalized, not a single-region scam that fizzles out.
Why an obfuscated VBScript is such a good disguise
A VBScript file is small, easy to send, and on many Windows systems it can run via Windows Script Host. Obfuscation makes it harder for a person (and sometimes security tools) to quickly spot what it’s doing by just looking at it. Kaspersky describes the initial file as “heavily obfuscated,” sent as the only content in the message.
And the filename does the rest. If you’ve ever opened an “invoice” without thinking because you were mid-task, you already understand why it works.
The Windows infection chain, in plain English: VBS → scripts → weakened UAC → ZIP → ManageEngine
Once that .vbs file runs, the “invoice” is basically out of the picture. What matters is the chain it kicks off on Windows.
Here’s the flow Kaspersky described, step by step.
1) Obfuscated VBS runs and phones home
The initial VBScript is heavily obfuscated, but its job is simple: reach out to attacker infrastructure and pull down the next stage.
You won’t necessarily see a window pop up. That’s part of why this works.
2) VBS fetches more scripts (the real setup work)
Kaspersky notes the VBScript fetches two additional scripts from the attacker’s side.
Think of these like “helpers” that prepare the system for a clean install of the final tool.
3) UAC gets weakened via Registry changes
Next, those scripts disable UAC protections using Registry modifications.
Quick translation:
- User Account Control (UAC) is the Windows “are you sure?” layer that often blocks silent, high-impact changes.
- Weakening it makes it easier to install software quietly, with fewer prompts that might spook the user.
4) A ZIP is downloaded
After UAC is weakened, the chain downloads a ZIP archive.
That ZIP isn’t some random malware bundle. It contains something that can look completely normal in a business environment.
5) ManageEngine Endpoint Central is installed silently
The ZIP includes ManageEngine Endpoint Central, a legitimate IT admin tool. Kaspersky says it’s silently installed in the background and configured to connect to attacker-controlled management servers.
The twist: the “payload” is a legit remote management tool
This is the part defenders hate.
Because Endpoint Central is used by real IT teams, it can blend in as “just another admin agent.” At that point, the attacker isn’t fighting to keep a flimsy backdoor alive. They’re sitting on durable remote administration access through a tool that already knows how to manage endpoints at scale.
WhatsApp Web vs Desktop: same message, different danger level
Once you know the end goal is remote access on a Windows machine, the delivery method starts to matter a lot. Kaspersky called out a key difference between WhatsApp Web and the WhatsApp Desktop client that changes how “easy” the attack is to trigger.
WhatsApp Web: there’s at least some friction
With WhatsApp Web, the VBScript attachment has to be downloaded and then opened.
That’s not safety. It’s just a couple of extra steps where something can feel “off”:
- You see it land in your Downloads folder
- You might notice the file extension (.vbs)
- Your endpoint protection has a chance to scan it before you double-click
A lot of attacks fail in these boring moments because people hesitate for two seconds.
WhatsApp Desktop: direct execution is the problem
Kaspersky notes that in the WhatsApp Desktop app, the same file can be executed directly via Windows Script Host (wscript.exe).
This is the scary part: fewer decision points.
When a script runs through wscript.exe, it can look like “something Windows just did,” not “something I installed.” For non-technical users, that’s the difference between stopping and clicking through.
Why this difference changes real-world risk
In practical terms, Desktop execution tends to mean:
- Less time to think (“I’ll just open it quick”)
- Less visibility into what’s happening (scripts can run with minimal UI)
- More successful infections because the path from click → code running is shorter
If you’re setting policy in a company, this one detail is a big deal. You’re not just dealing with WhatsApp phishing. You’re dealing with script execution on Windows through a commonly used chat client.
What to do Monday morning: prevention + detection that actually maps to this attack
The scary part of this campaign is how little “malware-looking” behavior you get upfront. So the response has to be boring, repeatable, and aimed at the exact choke points Kaspersky called out: the message, the script engine, and the remote admin foothold.
For individuals and teams: stop it before it runs
These steps sound simple because they are. They work because they break the attack’s timing.
- Verify attachments through a second channel
Kaspersky explicitly advises treating files sent by contacts (even trusted ones) with caution and verifying them through secondary means.
A quick phone call or a new message thread (“Did you mean to send a .vbs?”) beats any antivirus.
- Scan downloads before opening
Kaspersky also recommends scanning downloaded files with an up-to-date antivirus before executing.
If your team uses Windows Defender, make it normal to right-click → scan. If you use another endpoint tool, same habit.
- Treat “script files” as a red flag
If someone in Accounts Payable is getting an “invoice” as .vbs, that’s not normal business. It’s a sign you should stop and ask questions.
For IT/security: controls that match this chain
You’re dealing with a Windows script-driven install that ends in remote management access. Build your controls around that.
- Restrict Windows Script Host where you can
Since the WhatsApp Desktop path can execute via Windows Script Host (wscript.exe), limiting WSH cuts off a big part of the risk.
Options vary by org, but the intent is consistent: only allow scripts where there’s a real business need, and block them everywhere else. Windows Script Host can be switched off per machine or per user with the Enabled value under the Windows Script Host\Settings registry key, and application control (AppLocker or WDAC) can restrict which script files may run at all; whichever route you take, test it against the logon and admin scripts your environment actually depends on.
- Hunt for unexpected ManageEngine Endpoint Central installs
This attack ends with Endpoint Central set up for remote administration.
Practical checks:
- Inventory: “Is Endpoint Central installed on machines that shouldn’t have it?”
- Change control: “Was this install approved and ticketed?”
- New service/software alerts: trigger when Endpoint Central components appear on endpoints outside your standard rollout.
- Watch outbound traffic like it’s a siren
Kaspersky notes the tool is configured to connect to attacker-controlled management servers.
That means network detection can help even when the endpoint looks “legit”:
- Alert on new, unusual outbound connections from user workstations that normally don’t talk to remote management infrastructure
- Correlate with recent script execution events (wscript.exe) to cut false positives
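The detection ideas above (WSH launching a .vbs, UAC weakened via the Registry, an Endpoint Central binary appearing and then calling a server you never approved) can be wired together as one correlation. The script below is an added example, not Kaspersky’s detection logic: it runs over constructed Sysmon-style events, the UAC value names and agent binary-name markers are assumptions (the write-up names neither), and the approved-server hostname is a placeholder you would replace with your own.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Well-known UAC policy values; the write-up names no keys, so watching these is an assumption.
UAC_VALUES = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}
APPROVED_MGMT_HOSTS = {"endpointcentral.corp.example"}  # constructed placeholder for your real server
AGENT_MARKERS = ("manageengine", "desktopcentral", "endpointcentral")  # assumed binary-name markers
# Constructed Sysmon-style events, not real telemetry: (time, host, kind, fields).
SAMPLE_EVENTS = [
    ("2026-06-10T09:01:00", "ws-12", "process", {"image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\ana\Downloads\invoice_2026.vbs"'}),
    ("2026-06-10T09:01:30", "ws-12", "registry", {"data": "0",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"}),
    ("2026-06-10T09:02:10", "ws-12", "process", {"image": r"C:\ProgramData\upd\DesktopCentral_Agent.exe"}),
    ("2026-06-10T09:02:40", "ws-12", "network", {"image": r"C:\ProgramData\upd\DesktopCentral_Agent.exe",
     "dest": "203.0.113.7"}),
    # Benign workstation: a logon script via WSH, and the sanctioned agent talking to the approved server.
    ("2026-06-10T09:05:00", "ws-40", "process", {"image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe \\corp\netlogon\mapdrives.vbs"}),
    ("2026-06-10T09:06:00", "ws-40", "network", {"image": r"C:\Program Files\ManageEngine\agent.exe",
     "dest": "endpointcentral.corp.example"}),
]

def stage_of(kind, f):
    """Map one event to a stage of the chain, or None if it is not relevant."""
    image = f.get("image", "").lower()
    if kind == "process" and image.endswith(("wscript.exe", "cscript.exe")) and ".vbs" in f.get("cmdline", "").lower():
        return "vbs_via_wsh"
    if kind == "registry" and f["key"].rsplit("\\", 1)[-1] in UAC_VALUES and f["data"] == "0":
        return "uac_weakened"
    if any(m in image for m in AGENT_MARKERS):
        if kind == "process":
            return "endpoint_central_started"
        if kind == "network" and f["dest"] not in APPROVED_MGMT_HOSTS:
            return "unapproved_mgmt_callback"
    return None

def correlate(events, window=timedelta(minutes=30)):
    """Per host, collect chain stages within `window` of its first relevant event; returns {host: (severity, stages)}."""
    by_host = defaultdict(list)
    for ts, host, kind, f in events:
        if stage := stage_of(kind, f):
            by_host[host].append((datetime.fromisoformat(ts), stage))
    findings = {}
    for host, hits in by_host.items():
        hits.sort()
        stages = sorted({s for t, s in hits if t - hits[0][0] <= window})
        chain = "vbs_via_wsh" in stages and len(stages) > 1  # a lone WSH launch is not worth an alert
        if chain or "unapproved_mgmt_callback" in stages:
            findings[host] = ("high" if chain and "unapproved_mgmt_callback" in stages else "medium", stages)
    return findings
```

Run against the sample, only ws-12 is reported (as high), while ws-40’s logon script and sanctioned agent traffic produce nothing, which is the false-positive reduction the correlation step is for.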
One practical privacy angle (that also reduces attack surface)
A lot of these chains start because an attacker can reach you where you’re most likely to act fast: your personal phone number and your everyday chat threads. If your workflows involve sharing numbers widely (vendors, contractors, short-term partners), tools like Cloaked can help by giving you masked phone numbers and identities so you’re not handing out the same permanent number everywhere. It doesn’t “solve” malware, but it can reduce how often random inbound WhatsApp contact attempts reach your real line in the first place.