'By combining trusted platforms with legitimate tools, the threat actor reduces visibility and increases the likelihood of successful execution': Microsoft warns WhatsApp users to exercise extra caution — or pay the price

WhatsApp malware campaign delivers VBS scripts and MSI files

TechRadar

News By Efosa Udinmwen published 7 April 2026



  • WhatsApp files deliver VBS malware that silently installs and gains full control
  • Hidden folders and renamed Windows tools let attackers blend into normal operations
  • Malware retrieves secondary scripts from trusted cloud services to avoid detection

Microsoft has identified a multi-stage malware campaign that uses WhatsApp to deliver Visual Basic Script (VBS) files and exploits the trust users place in familiar messaging platforms.

Attackers send files that appear harmless through WhatsApp, but opening them triggers a silent installation that grants hidden system control to adversaries.

Once executed, the scripts create concealed folders under C:\ProgramData and drop renamed versions of legitimate Windows utilities, such as curl.exe renamed to netapi.dll and bitsadmin.exe renamed to sc.exe.


Attackers hide malware inside normal system tools

By placing these tools in ordinary system paths, attackers make them blend into routine operations, although security solutions can still identify the originals from the metadata embedded in the files.
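That embedded metadata is the detection hook. A renamed copy of curl.exe or bitsadmin.exe still carries its original file name in the PE version resource, and Sysmon's process-creation event (Event ID 1) exposes it as the OriginalFileName field. The following is an added example, not code from Microsoft's report or from TechRadar, that scans constructed Sysmon-style JSON records for two signs described in the article: an on-disk name that does not match the embedded OriginalFileName, and a known living-off-the-land binary executing from under C:\ProgramData. The `.cache` folder name, the sample events and the parent processes are assumptions made up for the sample data.

```python
import json
import ntpath

# Built-in Windows utilities commonly abused as living-off-the-land binaries.
# curl.exe and bitsadmin.exe are the two renamed in the campaign described
# above; the remaining names are common additions, and the mismatch check
# itself does not depend on this list.
LOLBINS = {"curl.exe", "bitsadmin.exe", "certutil.exe", "mshta.exe", "wscript.exe"}

# Constructed sample of Sysmon-style process-creation records, one JSON object
# per line. Field names follow Sysmon Event ID 1; the paths, the ".cache"
# folder and the parent processes are invented for this example.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\ProgramData\\.cache\\netapi.dll", "OriginalFileName": "curl.exe", "ParentImage": "C:\\Windows\\System32\\wscript.exe"}
{"EventID": 1, "Image": "C:\\ProgramData\\.cache\\sc.exe", "OriginalFileName": "bitsadmin.exe", "ParentImage": "C:\\Windows\\System32\\wscript.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\sc.exe", "OriginalFileName": "sc.exe", "ParentImage": "C:\\Windows\\System32\\services.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\curl.exe", "OriginalFileName": "curl.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"EventID": 3, "Image": "C:\\ProgramData\\.cache\\netapi.dll", "OriginalFileName": "-"}
"""


def check_event(event: dict) -> list[str]:
    """Return the findings for one process-creation record (empty if clean)."""
    image = event.get("Image", "")
    original = event.get("OriginalFileName", "") or ""
    # ntpath splits on backslashes regardless of the host OS the scanner runs on.
    on_disk = ntpath.basename(image).lower()
    embedded = original.lower()
    findings = []

    # Sysmon writes "-" when the PE has no version resource; nothing to compare.
    # Comparison is case-insensitive because legitimate binaries often embed
    # mixed case (e.g. "Cmd.Exe"); keep a site-specific allowlist for the few
    # legitimate mismatches your baseline shows.
    if embedded not in ("", "-") and embedded != on_disk:
        findings.append(f"renamed binary: {on_disk} carries OriginalFileName {original}")

    # A known LOLBin running from ProgramData rather than System32 is the
    # second signal described in the article.
    if embedded in LOLBINS and "\\programdata\\" in image.lower():
        findings.append(f"{original} executing from ProgramData: {image}")
    return findings


def scan(jsonl: str) -> dict[str, list[str]]:
    """Scan newline-delimited JSON events; map each suspicious Image to its findings."""
    results: dict[str, list[str]] = {}
    for line in jsonl.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("EventID") != 1:  # only process-creation events carry the fields we need
            continue
        findings = check_event(event)
        if findings:
            results[event["Image"]] = findings
    return results


if __name__ == "__main__":
    for image, findings in scan(SAMPLE_EVENTS).items():
        print(image)
        for finding in findings:
            print("  -", finding)
```

Run against the sample data, only the two ProgramData copies are reported, each with both findings; the genuine sc.exe and curl.exe under System32 pass. In production the same logic applies to Sysmon logs exported as JSON, and the second check can be extended to other user-writable directories.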

The malware alters system settings to launch automatically after every reboot, ensuring survival even when users believe they removed the threat.

Microsoft warns that this approach combines social engineering with living-off-the-land techniques and increases the chance of successful execution without raising immediate alerts.

“By combining trusted platforms with legitimate tools, the threat actor reduces visibility and increases the likelihood of successful execution,” Microsoft said in a blog post.
