← Back to blog

WhatsApp Campaign Distributes Malicious VBScript to Install RMM Tools

Attackers are leveraging WhatsApp Desktop and Web to distribute VBScript files disguised as legitimate documents, leading to unauthorized installation of ManageEngine RMM software. The campaign, identified by Kaspersky, targets users across multiple countries including Malaysia, Brazil, India, and the UK.

TL;DR

  • Malicious VBScript files are being distributed via WhatsApp Direct Messages to install ManageEngine RMM tools without user consent
  • Campaign targets WhatsApp Desktop and Web users across at least nine countries, indicating broad geographic scope
  • Attackers use fake document lures to trick users into executing scripts that compromise system access and monitoring capabilities
  • RMM tool abuse enables attackers to gain persistent remote access and control over compromised endpoints

A coordinated campaign is actively exploiting WhatsApp's messaging platform to distribute malicious VBScript files that lead to unauthorized installation of legitimate Remote Monitoring and Management (RMM) software. Security researchers at Kaspersky have identified the threat targeting both WhatsApp Desktop and Web clients across multiple geographic regions.

The attack chain relies on social engineering tactics, with threat actors sending direct messages containing files disguised as benign documents. When executed, these scripts silently install ManageEngine RMM tools, granting attackers remote access and persistent control over victim systems. This technique represents a growing trend of weaponizing legitimate administrative tools for malicious purposes.

The widespread geographic distribution of targets—spanning Malaysia, Brazil, India, Mexico, Singapore, the UK, Spain, Taiwan, and Australia—suggests either a large-scale operation or multiple threat actors using similar tactics.

Attack Mechanism and Delivery

  • Threat actors distribute VBScript files through WhatsApp Direct Messages to both Desktop and Web users
  • Malicious files are disguised as legitimate documents to bypass user suspicion and security awareness
  • VBScript execution leads to automated installation of ManageEngine RMM software without explicit user authorization
  • The use of WhatsApp as a delivery vector exploits the platform's trust and accessibility among business users

Risk and Impact Assessment

  • Successful compromise grants attackers remote monitoring and management capabilities over affected systems
  • RMM tool abuse enables lateral movement, data exfiltration, and persistent backdoor access
  • Victims may be unaware of the compromise, allowing attackers to operate undetected for extended periods
  • Campaign targets multiple countries, indicating potential for supply chain attacks or targeted espionage operations

Defensive Recommendations

  • Implement application whitelisting policies to restrict execution of unauthorized scripts and RMM tools
  • Educate users on risks of executing files received via messaging platforms, especially from unknown contacts
  • Monitor for unexpected RMM tool installations and network connections to suspicious command-and-control servers
  • Enforce endpoint detection and response (EDR) solutions to identify and block VBScript execution anomalies
  • Review and restrict administrative tool permissions to limit lateral movement if compromise occurs

Sources

Sources

Security email updates

One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.

WhatsApp Campaign Distributes Malicious VBScript to Install RMM Tools — Agent Breach Blog | Agent Breach