Targeting WhatsApp Desktop and WhatsApp Web users, the crimeware campaign distributes malicious VBScript files via direct messages on the platform. Victims have been identified across multiple countries and territories, including Malaysia, Brazil, Singapore, Taiwan and Vietnam, with the highest number of observed victims located in Malaysia. The use of multiple languages in file names also points to broad regional targeting, especially across Europe.
The campaign was revealed in June 2026 by Kaspersky Global Research and Analysis Team (GReAT). According to their research, the crimeware actor uses WhatsApp accounts that have been previously compromised to distribute malicious attachments. The messages are sent from those accounts’ existing contacts, which increases the likelihood that recipients will view the files. Once installed, the malware enables remote access to the system through standard administrative capabilities intended for legitimate IT support and management use.
The social engineering component relies on file names designed to resemble routine business documents. Observed examples include invoices, bank statements, account statements, payment records, and debt notices. File names are also localized into multiple languages, including English, Portuguese, French, German, and Malay, indicating distribution across different language regions. In addition, the VBScript samples contain extensive comments and metadata intended to mimic legitimate Microsoft Windows Update components.
