
Kaspersky identifies malware campaign spreading through compromised WhatsApp accounts

The crimeware operation distributes malicious VBScript files disguised as business documents, with victims identified across Malaysia, Brazil, Singapore, Taiwan and Vietnam.

Portal ERP Editorial Team
Jun 23, 2026

Kaspersky, a cybersecurity company, has identified a malware campaign that distributes malicious files to WhatsApp Desktop and WhatsApp Web users through direct messages. The campaign was uncovered in June 2026 by Kaspersky's Global Research and Analysis Team, known as GReAT, which found victims across multiple countries and territories, with the highest number of observed cases located in Malaysia. Other affected countries include Brazil, Singapore, Taiwan and Vietnam, and file names appearing in multiple languages point to targeting across European regions as well.

According to Kaspersky's research, the attackers behind the campaign use WhatsApp accounts that had already been compromised to send malicious attachments to the accounts' existing contacts. Sending messages from familiar contacts increases the likelihood that recipients open the files. Once a victim runs the file, the malware grants remote access to the system through administrative tools normally used for legitimate IT support.

The social engineering behind the campaign relies on file names designed to resemble routine business documents, including invoices, bank statements, account statements, payment records and debt notices. These file names appear in English, Portuguese, French, German and Malay, indicating that the campaign is targeting users across different language regions. The malicious VBScript files also contain extensive comments and metadata designed to make them appear as legitimate Microsoft Windows Update components.

Fareed Radzi, security researcher at Kaspersky GReAT, described how the campaign exploits trust between contacts:

"In this campaign, attackers are exploiting trust within messaging platforms by using compromised WhatsApp accounts to deliver malicious attachments that appear to originate from known contacts, making recipients far more inclined to engage with them. The file names are carefully disguised as routine business documents, such as invoices and payment notices, and localized across multiple languages to support broad targeting. Once opened, they trigger a staged infection chain that silently retrieves and executes additional malicious components from external infrastructure."

Once a victim opens the file, it triggers a multi-stage infection process. The initial script creates a working directory under C:\Users\Public\Documents, then retrieves additional script files from external infrastructure and runs them using Windows Script Host. Those follow-up scripts carry out further actions on the system and download a compressed archive from the same infrastructure, which contains an installation package for remote monitoring and management software.

Kaspersky GReAT recommends that users treat unexpected WhatsApp attachments with caution even when they appear to come from known contacts, since such files can execute malware. The researchers also advise against opening script and executable file types, including .vbs, .vbe, .exe, .bat, .cmd, .js and .ps1, unless their legitimacy can be independently verified, and recommend using a security solution capable of detecting and blocking this kind of infection on computers and mobile devices. The full report is available on Securelist.com.
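A detection sketch for the infection chain and file types described above, added here as an example and not taken from Kaspersky's report: it flags process-creation events where Windows Script Host (`wscript.exe` or `cscript.exe`) runs a file with one of the listed extensions, and marks it separately when the script sits under `C:\Users\Public\Documents`. The event field names, sample events, user name and subdirectory name are constructed assumptions.

```python
import ntpath
import re

# Extensions the article advises against opening unverified.
RISKY_EXT = {".vbs", ".vbe", ".exe", ".bat", ".cmd", ".js", ".ps1"}
WSH_HOSTS = {"wscript.exe", "cscript.exe"}   # Windows Script Host binaries
STAGING_DIR = r"c:\users\public\documents"   # working-directory parent named in the article

def _args(command_line):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', command_line)]

def _norm(path):
    """Backslash-normalised, lower-cased path with '..' segments collapsed."""
    return ntpath.normpath(path.replace("/", "\\")).lower()

def classify(event):
    """Return (rule, script_path) findings for one process-creation event."""
    findings = []
    if ntpath.basename(_norm(event["image"])) not in WSH_HOSTS:
        return findings
    for arg in _args(event["command_line"])[1:]:   # skip the host binary itself
        if arg.startswith("//"):                    # WSH options such as //B
            continue
        path = _norm(arg)
        if ntpath.splitext(path)[1] not in RISKY_EXT:
            continue
        staged = path.startswith(STAGING_DIR + "\\")
        findings.append(("wsh-from-staging-dir" if staged else "wsh-script-run", path))
    return findings

# Constructed sample events (field names are assumptions, not a real log schema).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Invoice 2026.vbs"'},
    {"image": r"C:\Windows\System32\WScript.exe",
     "command_line": r"wscript.exe //B C:/Users/Public/Documents/wd/stage2.vbs"},
    {"image": r"C:\Windows\System32\cscript.exe",
     "command_line": r'cscript.exe "C:\Users\Public\Documents\..\..\alice\tool.js"'},
    {"image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe C:\Users\Public\Documents\notes.txt"},
]

if __name__ == "__main__":
    for number, event in enumerate(SAMPLE_EVENTS, start=1):
        print(number, classify(event))
```

Paths are normalised before the prefix check, so mixed case, forward slashes and `..` segments do not change which rule fires.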
