This ongoing malware campaign leverages compromised WhatsApp accounts to distribute heavily obfuscated VBScript files named as business or financial documents. Upon execution on Windows systems, the VBScript downloads additional scripts that disable UAC protections via registry changes and fetch a ZIP archive containing ManageEngine Endpoint Central, which is installed silently and configured to connect to attacker-controlled management servers. This grants remote administration access to the attackers. The campaign is global, with telemetry showing infections in Brazil, India, Mexico, Singapore, the UK, Spain, Taiwan, Australia, Russia, Vietnam, and Malaysia. The initial WhatsApp account compromise method remains unknown. The campaign shows some infrastructure overlap with known RAT malware but lacks definitive attribution.

Successful execution of the malicious VBScript leads to attackers gaining persistent remote administration access to the victim's Windows PC via a legitimate IT management tool configured for malicious use. This compromises system confidentiality, integrity, and availability. The campaign leverages trusted contacts to increase infection likelihood and bypasses some user protections by disabling UAC. The global reach and use of localized filenames increase the potential victim pool.

No official patch or fix is available as this is a malware campaign exploiting social engineering and compromised accounts rather than a software vulnerability. Users should treat all files received via WhatsApp, even from trusted contacts, with caution and verify their legitimacy through secondary communication channels. All downloaded files should be scanned with up-to-date antivirus software before execution. Organizations should educate users about the risks of opening unexpected attachments and monitor for signs of ManageEngine Endpoint Central installations configured outside normal IT management policies.