An unknown actor distributes malicious VBS scripts via WhatsApp
Since June 2026, an active malware campaign distributes malicious VBScript files via WhatsApp direct messages. The campaign targets users globally, with Malaysia having the highest victim concentration. Attackers compromise WhatsApp accounts to send weaponized VBS scripts disguised as business and financial documents. The infection chain deploys legitimate ManageEngine Endpoint Central RMM software to maintain persistent remote access. The scripts use heavy obfuscation, Chinese-language comments, and modify Windows UAC settings. Infrastructure overlaps with ValleyRAT and Gh0st RAT suggest possible Chinese-speaking operators. The campaign primarily uses opportunistic social engineering with localized filenames in multiple languages.
AI Analysis
Technical Summary
This malware campaign involves an unknown actor distributing malicious VBScript files through compromised WhatsApp accounts since June 2026. The VBS scripts are disguised as legitimate business and financial documents and are heavily obfuscated with Chinese-language comments. The multi-stage infection chain culminates in deploying ManageEngine Endpoint Central RMM software, which provides persistent remote access to infected systems. The malware modifies Windows User Account Control (UAC) settings to facilitate persistence and evade detection. Infrastructure overlaps with known malware families ValleyRAT and Gh0st RAT indicate possible Chinese-speaking operators, though attribution remains uncertain. The campaign targets individual users opportunistically across multiple countries, with Malaysia being the most affected. The attack leverages social engineering techniques using localized filenames in various languages to increase success rates.
Potential Impact
The campaign enables attackers to gain persistent remote access to compromised systems by abusing legitimate ManageEngine Endpoint Central RMM software. This access can allow attackers to control infected machines, potentially leading to data theft, espionage, or further network compromise. The modification of Windows UAC settings may reduce user prompts and security warnings, increasing the likelihood of successful persistence. The use of compromised WhatsApp accounts to distribute malware increases the trustworthiness of the malicious files, raising infection risk among contacts. The campaign affects users globally, with a notable concentration in Malaysia.
Mitigation Recommendations
No official patch or fix is available as this is a malware campaign leveraging social engineering and legitimate software abuse. Users should be advised not to open unexpected or suspicious VBScript files received via WhatsApp or other messaging platforms, even if sent by known contacts. Organizations should monitor for unauthorized deployment of ManageEngine Endpoint Central RMM software and review UAC settings for unauthorized changes. Since this campaign relies on compromised WhatsApp accounts, users should secure their accounts with strong authentication and monitor for unusual activity. Vendor or official advisories should be consulted for updates. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
Indicators of Compromise
- ip: 202.61.160.201
- hash: 02bb20455cc592a69c080abac770ce90
- hash: 31037a42ca048e06e69a78f55bc2eff5
- hash: 887ec87e4a19759cad25d4bc0956d2b965d3041d
- hash: f0fde01b1e36503227252f6cb6b3b075f93a2c1a
- hash: 452259dc297f56cf22c7932e8fbcefe821ef9c3127134074fae585f89355d397
- hash: 50c74b468c217776b8890b841baefec8b196b14083a7873a9201c838a8e4c90a
- hash: 05d188f071d097f5b6bd8138749b4b14
- hash: 0ba93109757776a44de9d8c88baa4963
- hash: 1a3cc75466ffb1971482f7abf7aabc3f
- hash: 1c47c63e5ed25060d95359c57c77b107
- hash: 1d94fbe9cab21278cc3f104bea334d08
- hash: 20209b3a32769afc6a75694b8d8839dd
- hash: 2c6f05f1f309d89b2236e6c8b59c88f9
- hash: 3b1aba44dd3d9b6339b6f56e2f42034b
- hash: 4044e4b6471c9de7b0a4ba37d9d9df9a
- hash: 4f0593e8e0e8fac49429e9b45ebf7fa1
- hash: 5002eca748205d544618e3bd2dedc223
- hash: 5b6bbcc06cf08cc99e1afeda486d42fb
- hash: 6359e6236471cbe434d0ef4c42b7f879
- hash: 63ac85195b73753333316a889cf5880f
- hash: 66442f2457eca8f47385b1fb2c6fcab8
- hash: 66705384a7ad81d14c34fc6c054a0ecf
- hash: 68c16c46f8afb9e00bbaba0207fb0a46
- hash: 6c39900d77dcba158e1d27c7619cb06d
- hash: 6fb6a55424adfb61e31f06aef33273e5
- hash: 7403cbcc5a9c32384d431856dc48fcc9
- hash: 74fd9f91fc93b6288b4fc253ea5b3e20
- hash: 7849061c536a3efb05a56d504694e7e7
- hash: 79ecd61b09b0f2d54b34586c916c4ec9
- hash: 7f16449cd0c4862d1eadf8a5742bf09a
- hash: 7f81c1bc8cfd588e8998968e2621456e
- hash: 8c3322009b8982663c0cbecd9492e7eb
- hash: 8c6d9fc389ad3f20ccbc71d77eb39bfa
- hash: 993f4c0cadbc769a4b0ed62a918db58d
- hash: 9d9ac85765e4a818a3ccabe2cf4fef82
- hash: 9f13c7b8ba391b2f597874e54d310648
- hash: b7cd06c71465038b658a6dc1f273a507
- hash: c7f38cbb99c8b74fa0465293feeba700
- hash: d01cad98dd0d01b75e04e784953c5e2b
- hash: d06333c360b51456f427e616c3c5f8bd
- hash: d43fdaa1f0ee09d7e5f0f94ee9df7b6c
- hash: dad708e050632a4280cabf98ac1376b7
- hash: ddaffe9849f7f3c79f8804adb9a6b3d5
- hash: df4fa0369eaca5cec348be293890d4af
- hash: f90ed4b2d0b67114aa89ddfed658e5c0
- hash: 8be8f6955de47d980c257ab5bc732cfbd0e23d99
- hash: 01f1eb07125db5de0c2362afc777aa015f136feabd769628f01d01ac6472646c
- ip: 202.61.160.137
- ip: 202.61.160.160
- ip: 202.61.160.202
- ip: 202.61.160.208
- ip: 38.55.151.63
- domain: baoxis.cc
- domain: invoice.msopsa.top
- domain: temu.baskwms.top
Technical Details
- Author: AlienVault
- TLP: white
- References: https://securelist.com/whatsapp-vbs-rmm-campaign/120290/
- Adversary: null
- Pulse Id: 6a3915eddc5c22f4421f124e
- Threat Score: null
Threat ID: 6a3999f7eed863c81e62c9c0
Added to database: 06/22/2026, 20:24:23 UTC
Last enriched: 06/22/2026, 20:39:09 UTC
Last updated: 06/22/2026, 21:41:26 UTC