> Back to All Posts

WhatsApp Phishing Attack Spreads Via Fake Docs

WhatsApp phishing attack

A WhatsApp phishing attack is currently spreading across at least 11 countries, and it is more convincing than most. The messages arrive from people you know. The attachments look like invoices, financial reports, or account notices. And if you open one on a Windows PC, attackers can quietly take full control of your machine.

Cybersecurity researchers have identified an active campaign in which attackers use compromised WhatsApp accounts to send malicious files to the account holders’ contacts. The files are VBScript attachments (.vbs), a Windows scripting format, disguised as routine business documents. Victims in Brazil, India, Mexico, Singapore, the UK, Spain, Taiwan, Australia, Russia, Vietnam, and Malaysia have already been affected, with Malaysia accounting for the largest share of observed infections.

How the WhatsApp Phishing Attack Works

The attack starts the moment a victim opens the file. On WhatsApp Web, the user has to download the attachment first and then open it manually. On the WhatsApp Desktop app, however, the script can run directly inside the application, making it even easier for the infection to begin without the user realizing anything is wrong.

Once the VBScript executes, it connects to attacker-controlled servers and pulls down two additional scripts. The first one tampers with a Windows security setting called User Account Control, or UAC. UAC normally prompts users before allowing software to make significant changes to a system. By modifying a registry key that controls UAC behavior, the malware reduces or eliminates those prompts, clearing a path for what comes next.

The second script downloads a ZIP archive containing a full installation package for ManageEngine Endpoint Central, a legitimate IT management platform used by enterprise teams to monitor and manage devices remotely. In this attack, the software is silently installed in the background and configured to connect to servers controlled by the attackers rather than any legitimate management console. The result is persistent, stealthy remote access to the victim’s PC.

Why This Attack Is Hard to Spot

Several design choices make this WhatsApp phishing attack particularly difficult to detect.

The files use names like “Financial Reports.vbs,” “Account Statement.vbs,” and “Outstanding Payment List.vbs,” formatted to look like something a colleague or business contact might genuinely send. Researchers also found localized versions of the filenames in Portuguese, French, German, and Malay, suggesting the campaign is tailored to fit different regions rather than broadcast carelessly.

The messages arrive from real, compromised accounts belonging to people in the victim’s contact list. There is no unknown sender to trigger suspicion. The embedded VBScript code also contains extensive comments written to mimic legitimate Windows Update components, with many annotations written in Chinese. That detail, combined with infrastructure overlaps with malware families known as ValleyRAT and Gh0st RAT, has led researchers to suggest a possible connection to Chinese-speaking threat actors. Attribution, however, remains unconfirmed.

The use of ManageEngine Endpoint Central as the final payload is itself a deliberate evasion strategy. Because it is commercially available, signed software, security tools may not flag its installation as malicious. It blends in.

What You Should Do

The most important thing to understand about this WhatsApp phishing attack is that trusting the sender is not enough. Compromised accounts do not display any warning signs. A message from a contact you have known for years can still carry a malicious file.

Never open a .vbs file received through a messaging app. VBScript is a Windows scripting format with no legitimate reason to appear as a business document attachment. If a contact sends you something unexpected, verify it through a separate channel before downloading or opening anything.

Windows users should also check whether Windows Script Host, the component responsible for running .vbs files, is disabled on their device if they have no reason to use it. Organizations can go further by restricting script execution across endpoints, monitoring for unauthorized installations of remote management tools, and alerting on any system that connects to unfamiliar management servers.

Researchers note that how the WhatsApp accounts were initially compromised remains unknown. That gap matters, because it means there is no clear starting point users can trace back and avoid.

Final Thoughts

This campaign is a clear example of how attackers adapt when email phishing becomes harder to pull off. Messaging platforms carry an inherent trust that email no longer does, and that trust is now being weaponized. The file arrives from a contact, carries a plausible name, and installs software that most security tools are not built to flag. That combination is effective precisely because it looks so ordinary. If you use WhatsApp on a Windows PC, treat any unexpected file attachment, regardless of who sent it, as a potential threat until you can confirm otherwise through a separate channel.

Janet Andersen

Janet is an experienced content creator with a strong focus on cybersecurity and online privacy. With extensive experience in the field, she’s passionate about crafting in-depth reviews and guides that help readers make informed decisions about digital security tools. When she’s not managing the site, she loves staying on top of the latest trends in the digital world.