{"id":60404,"date":"2026-03-31T13:43:05","date_gmt":"2026-03-31T13:43:05","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=146225"},"modified":"2026-03-31T13:43:05","modified_gmt":"2026-03-31T13:43:05","slug":"whatsapp-malware-campaign-delivers-vbs-payloads-and-msi-backdoors","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/whatsapp-malware-campaign-delivers-vbs-payloads-and-msi-backdoors\/","title":{"rendered":"WhatsApp malware campaign delivers VBS payloads and MSI backdoors"},"content":{"rendered":"<p class=\"wp-block-paragraph\">Microsoft Defender Experts (DEX) observed a campaign beginning in late February 2026 that uses WhatsApp messages to deliver malicious Visual Basic Script (VBS) files. Once executed, these scripts initiate a multi-stage infection chain designed to establish persistence and enable remote access.<\/p>\n<p class=\"wp-block-paragraph\">The campaign relies on a combination of social engineering and living-off-the-land techniques. 
It uses renamed Windows utilities to blend into normal system activity, retrieves payloads from trusted cloud services such as AWS, Tencent Cloud, and Backblaze B2, and installs malicious Microsoft Installer (MSI) packages to maintain control of the system. By combining trusted platforms with legitimate tools, the threat actor reduces visibility and increases the likelihood of successful execution.<\/p>\n<h2 class=\"wp-block-heading\" id=\"attack-chain-overview\">Attack chain overview<\/h2>\n<p class=\"wp-block-paragraph\">This campaign\u202fdemonstrates\u202fa sophisticated infection chain combining social engineering (WhatsApp delivery), stealth techniques (renamed legitimate tools, hidden attributes), and cloud-based payload hosting. The attackers aim to\u202festablish\u202fpersistence and escalate privileges,\u202fultimately installing\u202fmalicious MSI packages on victim systems.\u202f<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/03\/image-65.webp\" alt class=\"wp-image-146226 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/03\/image-65.webp\"><figcaption class=\"wp-element-caption\">Figure 1. Infection chain illustrating the execution flow of a VBS-based malware campaign.<\/figcaption><\/figure>\n<h3 class=\"wp-block-heading\" id=\"stage-1-initial-access-via-whatsapp\"><strong>Stage 1: Initial Access via WhatsApp<\/strong><\/h3>\n<p class=\"wp-block-paragraph\">The campaign begins with the delivery of malicious Visual Basic Script (VBS) files through WhatsApp messages, exploiting the trust users place in familiar communication platforms. 
Once executed, these scripts create hidden folders in C:\\ProgramData and drop renamed copies of legitimate Windows utilities: curl.exe is renamed to netapi.dll and bitsadmin.exe to sc.exe. By disguising these tools under misleading names, attackers ensure they blend seamlessly into the system environment. Notably, the renamed binaries retain their original PE (Portable Executable) metadata, including the OriginalFileName field, which still identifies them as curl.exe and bitsadmin.exe. Microsoft Defender and other security solutions can therefore use this metadata discrepancy as a detection signal, flagging instances where a file\u2019s name does not match its embedded OriginalFileName.<\/p>\n<p class=\"wp-block-paragraph\">However, in environments where PE metadata is not actively inspected, defenders may need to rely on command-line flags and network telemetry to hunt for this activity. The scripts execute these utilities with downloader flags, initiating the retrieval of additional payloads.<\/p>\n<h3 class=\"wp-block-heading\" id=\"stage-2-payload-retrieval-from-cloud-services\"><strong>Stage 2: Payload Retrieval from Cloud Services<\/strong><\/h3>\n<p class=\"wp-block-paragraph\">After establishing a foothold, the malware advances to its next phase: downloading secondary droppers such as auxs.vbs and WinUpdate_KB5034231.vbs. These files are hosted on trusted cloud platforms such as AWS S3, Tencent Cloud, and Backblaze B2, which attackers exploit to disguise malicious downloads as legitimate traffic.<\/p>\n<p class=\"wp-block-paragraph\">In the screenshot below, the script copies legitimate Windows utilities (curl.exe, bitsadmin.exe) into a hidden folder under C:\\ProgramData\\EDS8738, renaming them to netapi.dll and sc.exe respectively. 
Using these renamed binaries with downloader flags, the script retrieves secondary VBS payloads (auxs.vbs, 2009.vbs) from cloud-hosted infrastructure. This technique allows malicious network requests to blend in as routine system activity.&nbsp;<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/03\/image-66.webp\" alt class=\"wp-image-146227 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/03\/image-66.webp\"><figcaption class=\"wp-element-caption\">Figure 2. Next-stage payload retrieval mechanism.<\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">By embedding their operations within widely used cloud services, adversaries make it difficult for defenders to distinguish between normal enterprise activity and malicious downloads. This reliance on cloud infrastructure&nbsp;demonstrates&nbsp;a growing trend in cybercrime, where attackers weaponize trusted technologies to evade detection and complicate incident response.&nbsp;<\/p>\n<h3 class=\"wp-block-heading\" id=\"stage-3-privilege-escalation-persistence\"><strong>Stage 3: Privilege Escalation &amp; Persistence<\/strong><\/h3>\n<p class=\"wp-block-paragraph\">Once the secondary payloads are in place, the malware begins tampering with User Account Control (UAC) settings to weaken system&nbsp;defenses. 
It repeatedly attempts to launch cmd.exe with elevated privileges, retrying until UAC elevation succeeds or the process is forcibly terminated; it then modifies registry entries under HKLM\\Software\\Microsoft\\Win and embeds persistence mechanisms so that the infection survives system reboots.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/03\/image-67.webp\" alt class=\"wp-image-146234 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/03\/image-67.webp\"><figcaption class=\"wp-element-caption\">Figure 3. Illustration of UAC bypass attempts employed by the malware.<\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">These actions allow attackers to escalate privileges, gain administrative control, and maintain a long-term presence on compromised devices. The malware modifies the ConsentPromptBehaviorAdmin registry value to suppress UAC prompts, silently granting administrative privileges without user interaction. By combining registry manipulation with UAC bypass techniques, the malware ensures that even vigilant users or IT teams face significant challenges in removing the infection.<\/p>\n<h3 class=\"wp-block-heading\" id=\"stage-4-final-payload-delivery\"><strong>Stage 4: Final Payload Delivery<\/strong><\/h3>\n<p class=\"wp-block-paragraph\">In the final stage, the campaign delivers malicious MSI installers, including Setup.msi, WinRAR.msi, LinkPoint.msi, and AnyDesk.msi, all of which are unsigned. 
The absence of a valid code signing certificate is a notable indicator, as legitimate enterprise software of this nature would typically carry a trusted&nbsp;publisher&nbsp;signature.&nbsp;These installers&nbsp;enable&nbsp;attackers to&nbsp;establish&nbsp;remote access, giving them the ability to control victim systems directly. <\/p>\n<p class=\"wp-block-paragraph\">The use of MSI packages also helps the malware blend in with legitimate enterprise software deployment practices, reducing suspicion among users and administrators. Once installed,&nbsp;tools like&nbsp;AnyDesk&nbsp;provide attackers with persistent remote connectivity, allowing them to exfiltrate data, deploy&nbsp;additional&nbsp;malware, or use compromised systems as part of a larger network of infected devices.&nbsp;<\/p>\n<h2 class=\"wp-block-heading\" id=\"mitigation-and-protection-guidance\">Mitigation and protection guidance<\/h2>\n<p class=\"wp-block-paragraph\">Microsoft recommends the following mitigations to reduce the impact of the&nbsp;WhatsApp VBS Malware Campaign&nbsp;discussed in this report. 
These recommendations draw from established Defender blog guidance patterns and align with protections offered across Microsoft Defender.<\/p>\n<p class=\"wp-block-paragraph\">Organizations can follow these recommendations to mitigate this threat:<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><strong>Strengthen Endpoint Controls:<\/strong> Block or restrict execution of script hosts (<em>wscript<\/em>, <em>cscript<\/em>, <em>mshta<\/em>) in untrusted paths, and monitor for renamed or hidden Windows utilities being executed with unusual flags.<\/li>\n<li class=\"wp-block-list-item\"><strong>Enhance Cloud Traffic Monitoring:<\/strong> Inspect and filter traffic to cloud services such as AWS, Tencent Cloud, and Backblaze B2, so that malicious payload downloads are detected even when hosted on trusted platforms.<\/li>\n<li class=\"wp-block-list-item\"><strong>Detect Persistence Techniques:<\/strong> Continuously monitor registry changes under <em>HKLM\\Software\\Microsoft\\Win<\/em> and flag repeated tampering with <strong>User Account Control (UAC)<\/strong> settings as indicators of compromise.<\/li>\n<li class=\"wp-block-list-item\"><strong>Block direct access to known C2 infrastructure<\/strong> where possible, informed by your organization\u2019s threat-intelligence sources.<\/li>\n<li class=\"wp-block-list-item\"><strong>Educate Users on Social Engineering:<\/strong> Train employees to recognize suspicious WhatsApp attachments and unexpected messages, reinforcing that even familiar platforms can be exploited for malware delivery.<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">Microsoft also recommends the following 
mitigations\u202fto reduce the impact of this threat:\u202f&nbsp;<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Turn on\u202f&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-endpoint\/enable-cloud-protection-microsoft-defender-antivirus\" target=\"_blank\" rel=\"noreferrer noopener\">cloud-delivered protection<\/a>\u202fin&nbsp;Microsoft Defender Antivirus&nbsp;or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.\u202f&nbsp;<\/li>\n<\/ul>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which\u202fidentifies\u202fand blocks malicious websites, including phishing sites,\u202fscam\u202fsites, and sites that host malware.&nbsp;<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">The following mitigations apply specifically to Microsoft Defender&nbsp;Endpoint security&nbsp;<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Run&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-endpoint\/edr-in-block-mode\" target=\"_blank\" rel=\"noreferrer noopener\">EDR in block mode<\/a>\u202f\u202fso&nbsp;malicious artifacts&nbsp;can be blocked,&nbsp;even if your antivirus provider does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. 
EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.\u202f&nbsp;<\/li>\n<\/ul>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Enable network protection and web protection to safeguard against malicious sites and internet-based threats.\u202f&nbsp;<\/li>\n<\/ul>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Allow\u202f<a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-endpoint\/automated-investigations\" target=\"_blank\" rel=\"noreferrer noopener\">investigation and remediation<\/a>\u202fin&nbsp;full automated mode to take immediate action on alerts to resolve breaches, significantly reducing alert volume.\u202f&nbsp;<\/li>\n<\/ul>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Turn on&nbsp;the&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-endpoint\/prevent-changes-to-security-settings-with-tamper-protection\" target=\"_blank\" rel=\"noreferrer noopener\">tamper protection feature<\/a>\u202fto&nbsp;prevent attackers from stopping security services.&nbsp;Combine tamper protection with&nbsp;the\u202f&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/client-management\/mdm\/defender-csp\" target=\"_blank\" rel=\"noreferrer noopener\">DisableLocalAdminMerge<\/a>\u202fsetting to&nbsp;help&nbsp;prevent attackers from using local administrator privileges to set antivirus exclusions.\u202f&nbsp;<\/li>\n<\/ul>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Microsoft Defender customers can also implement the following attack surface reduction rules to harden an environment against LOLBAS techniques used by threat actors:\u202f&nbsp;<\/li>\n<\/ul>\n<h3 class=\"wp-block-heading\" id=\"microsoft-defender-detections\">\u202f<strong>Microsoft Defender detections<\/strong><\/h3>\n<p class=\"wp-block-paragraph\">Microsoft Defender customers can refer to the list of applicable detections below. 
Microsoft Defender coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps&nbsp;to provide integrated protection against attacks like the threat discussed in this blog.&nbsp;&nbsp;<\/p>\n<p class=\"wp-block-paragraph\">Customers with provisioned access can also use&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-xdr\/security-copilot-in-microsoft-365-defender\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Security Copilot in Microsoft Defender<\/a>&nbsp;to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.&nbsp;&nbsp;<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<tbody readability=\"10.5\">\n<tr readability=\"2\">\n<td><strong>Tactic<\/strong>\u202f&nbsp;&nbsp;<\/td>\n<td><strong>Observed activity<\/strong>\u202f&nbsp;&nbsp;<\/td>\n<td><strong>Microsoft Defender coverage<\/strong>\u202f&nbsp;&nbsp;<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>\u202fInitial Access\u202f&nbsp;<\/td>\n<td>&nbsp;Users downloaded malicious VBS scripts delivered via WhatsApp.&nbsp;<\/td>\n<td>&nbsp;<strong>Microsoft Defender Antivirus<\/strong>&nbsp;<br \/>\u2013&nbsp;Trojan:VBS\/Obfuse.KPP!MTB&nbsp;<\/td>\n<\/tr>\n<tr readability=\"9\">\n<td>&nbsp;Execution\/&nbsp;Defense Evasion&nbsp;<\/td>\n<td>&nbsp;Malicious VBS scripts were executed&nbsp;on&nbsp;the endpoint.&nbsp;Legitimate system utilities (e.g., curl, bitsadmin.exe) were renamed to evade detection.&nbsp;<\/td>\n<td>&nbsp;<strong>Microsoft Defender for Endpoint<\/strong>&nbsp;<br \/>\u2013&nbsp;Suspicious curl behavior&nbsp;<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td><em>Privilege Escalation<\/em>&nbsp;<\/td>\n<td>Attempt to read Windows UAC settings,&nbsp;to run cmd.exe with elevated privileges to execute registry modification commands&nbsp;&nbsp;<\/td>\n<td><strong>Microsoft Defender Antivirus<\/strong>&nbsp;<br 
\/>\u2013&nbsp;Trojan:VBS\/BypassUAC.PAA!MTB&nbsp;<strong><\/strong>&nbsp;<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<h3 class=\"wp-block-heading\" id=\"threat-intelligence-reports\"><strong>Threat intelligence reports<\/strong><\/h3>\n<p class=\"wp-block-paragraph\">Microsoft Defender customers can use the following threat analytics reports in the Defender portal (requires license for at least one Defender product) to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide&nbsp;intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.&nbsp;&nbsp;<\/p>\n<h3 class=\"wp-block-heading\" id=\"microsoft-sentinel\"><strong>Microsoft Sentinel\u202f<\/strong><\/h3>\n<p class=\"wp-block-paragraph\">Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with \u2018TI map\u2019) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. 
If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the <a href=\"https:\/\/learn.microsoft.com\/azure\/sentinel\/sentinel-solutions-deploy\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Sentinel Content Hub<\/a> to have the analytics rule deployed in their Sentinel workspace.<\/p>\n<h3 class=\"wp-block-heading\" id=\"microsoft-defender-threat-analytics\"><strong>Microsoft Defender threat analytics<\/strong><\/h3>\n<p class=\"wp-block-paragraph\">Microsoft Security Copilot customers can also use the <a href=\"https:\/\/learn.microsoft.com\/defender\/threat-intelligence\/security-copilot-and-defender-threat-intelligence?bc=%2Fsecurity-copilot%2Fbreadcrumb%2Ftoc.json&amp;toc=%2Fsecurity-copilot%2Ftoc.json#turn-on-the-security-copilot-integration-in-defender-ti\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Security Copilot integration<\/a> in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the <a href=\"https:\/\/learn.microsoft.com\/defender\/threat-intelligence\/using-copilot-threat-intelligence-defender-xdr\" target=\"_blank\" rel=\"noreferrer noopener\">embedded experience<\/a> in the Microsoft Defender portal to get more information about this threat actor.<\/p>\n<h2 class=\"wp-block-heading\" id=\"hunting-queries\"><strong>Hunting queries<\/strong><\/h2>\n<h3 class=\"wp-block-heading\" id=\"microsoft-defender\"><strong>Microsoft Defender<\/strong><\/h3>\n<p class=\"wp-block-paragraph\">Microsoft Defender customers can run the following queries to find related activity in their networks:<\/p>\n<p class=\"wp-block-paragraph\"><strong>Malicious script execution<\/strong><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: plain; title: ; notranslate\" title>\n\/\/ A .vbs run by wscript.exe spawning a child process with curl-style download flags and a ProgramData path\nDeviceProcessEvents\n| where InitiatingProcessFileName has \"wscript.exe\"\n| where InitiatingProcessCommandLine has_all (\"wscript.exe\", \".vbs\")\n| where ProcessCommandLine has_all (\"ProgramData\", \"-K\", \"-s\", \"-L\", \"-o\", \"https:\")\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>Malicious next-stage VBS payload drop<\/strong><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: plain; title: ; notranslate\" title>\n\/\/ A file named *.dll whose PE OriginalFileName is still curl.exe writing a .vbs to disk\nDeviceFileEvents\n| where InitiatingProcessFileName endswith \".dll\"\n| where InitiatingProcessVersionInfoOriginalFileName contains \"curl.exe\"\n| where FileName endswith \".vbs\"\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>Malicious installer payload drop<\/strong><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: plain; title: ; notranslate\" title>\n\/\/ The same renamed curl binary writing an .msi installer to disk\nDeviceFileEvents\n| where InitiatingProcessFileName endswith \".dll\"\n| where InitiatingProcessVersionInfoOriginalFileName contains \"curl.exe\"\n| where FileName endswith \".msi\"\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>Malicious outbound network communication<\/strong><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: plain; title: ; notranslate\" title>\n\/\/ Network connections from the renamed curl binary launched with silent (-s), follow-redirect (-L), output (-o) and insecure (-k) flags\nDeviceNetworkEvents\n| where InitiatingProcessFileName endswith \".dll\"\n| where InitiatingProcessVersionInfoOriginalFileName contains \"curl.exe\"\n| where InitiatingProcessCommandLine has_all (\"-s\", \"-L\", \"-o\", \"-k\")\n<\/pre>\n<\/div>\n<h2 class=\"wp-block-heading\" id=\"indicators-of-compromise\"><strong>Indicators of compromise<\/strong><\/h2>\n<p 
class=\"wp-block-paragraph\"><strong>Initial Stage: VBS Scripts delivered via WhatsApp<\/strong>&nbsp;<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<tbody readability=\"4\">\n<tr>\n<td><strong>Indicator<\/strong>&nbsp;&nbsp;<\/td>\n<td><strong>Type<\/strong>&nbsp;&nbsp;<\/td>\n<td><strong>Description<\/strong>&nbsp;&nbsp;<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>&nbsp;a773bf0d400986f9bcd001c84f2e1a0b614c14d9088f3ba23ddc0c75539dc9e0\u202f&nbsp;<\/td>\n<td>&nbsp;SHA-256&nbsp;<\/td>\n<td>&nbsp;<em>Initial VBS Script&nbsp;from WhatsApp<\/em>&nbsp;<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>&nbsp;22b82421363026940a565d4ffbb7ce4e7798cdc5f53dda9d3229eb8ef3e0289a\u202f&nbsp;<\/td>\n<td>&nbsp;SHA-256&nbsp;<\/td>\n<td>&nbsp;Initial VBS Script from WhatsApp&nbsp;<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p class=\"wp-block-paragraph\"><strong>Next Stage VBS payload\/Dropper dropped from cloud storage<\/strong>&nbsp;<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<tbody readability=\"24\">\n<tr readability=\"4\">\n<td>91ec2ede66c7b4e6d4c8a25ffad4670d5fd7ff1a2d266528548950df2a8a927a\u202f&nbsp;<\/td>\n<td>&nbsp;SHA-256&nbsp;<\/td>\n<td>&nbsp;Malicious Script\u202fdropped from cloud storage\u202f&nbsp;<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>&nbsp;1735fcb8989c99bc8b9741f2a7dbf9ab42b7855e8e9a395c21f11450c35ebb0c\u202f&nbsp;<\/td>\n<td>&nbsp;SHA-256&nbsp;<\/td>\n<td>&nbsp;Malicious Script\u202fdropped from cloud storage\u202f&nbsp;<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>5cd4280b7b5a655b611702b574b0b48cd46d7729c9bbdfa907ca0afa55971662\u202f&nbsp;<\/td>\n<td>SHA-256&nbsp;<\/td>\n<td>Malicious Script\u202fdropped from cloud storage\u202f&nbsp;<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>07c6234b02017ffee2a1740c66e84d1ad2d37f214825169c30c50a0bc2904321&nbsp;<\/td>\n<td>SHA-256&nbsp;<\/td>\n<td>Malicious Script\u202fdropped from cloud storage\u202f&nbsp;<\/td>\n<\/tr>\n<tr 
readability=\"4\">\n<td>630dfd5ab55b9f897b54c289941303eb9b0e07f58ca5e925a0fa40f12e752653&nbsp;<\/td>\n<td>SHA-256&nbsp;<\/td>\n<td>Malicious Script\u202fdropped from cloud storage\u202f&nbsp;<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>07c6234b02017ffee2a1740c66e84d1ad2d37f214825169c30c50a0bc2904321&nbsp;<\/td>\n<td>SHA-256&nbsp;&nbsp;<\/td>\n<td>Malicious Script\u202fdropped from cloud storage\u202f&nbsp;&nbsp;<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>df0136f1d64e61082e247ddb29585d709ac87e06136f848a5c5c84aa23e664a0&nbsp;<\/td>\n<td>SHA-256&nbsp;&nbsp;<\/td>\n<td>Malicious Script\u202fdropped from cloud storage&nbsp;<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>1f726b67223067f6cdc9ff5f14f32c3853e7472cebe954a53134a7bae91329f0&nbsp;<\/td>\n<td>SHA-256&nbsp;&nbsp;<\/td>\n<td>Malicious Script\u202fdropped from cloud storage\u202f&nbsp;<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>57bf1c25b7a12d28174e871574d78b4724d575952c48ca094573c19bdcbb935f&nbsp;<\/td>\n<td>SHA-256&nbsp;&nbsp;<\/td>\n<td>Malicious Script\u202fdropped from cloud storage\u202f&nbsp;<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>5eaaf281883f01fb2062c5c102e8ff037db7111ba9585b27b3d285f416794548&nbsp;<\/td>\n<td>SHA-256&nbsp;&nbsp;<\/td>\n<td>Malicious Script\u202fdropped from cloud storage\u202f&nbsp;<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>613ebc1e89409c909b2ff6ae21635bdfea6d4e118d67216f2c570ba537b216bd&nbsp;<\/td>\n<td>SHA-256&nbsp;&nbsp;<\/td>\n<td>Malicious Script\u202fdropped from cloud storage&nbsp;<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>c9e3fdd90e1661c9f90735dc14679f85985df4a7d0933c53ac3c46ec170fdcfd&nbsp;<\/td>\n<td>SHA-256&nbsp;&nbsp;<\/td>\n<td>Malicious Script\u202fdropped from cloud storage&nbsp;<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p class=\"wp-block-paragraph\"><strong>MSI installers (Final payload)<\/strong><\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<tbody readability=\"6\">\n<tr 
readability=\"4\">\n<td>dc3b2db1608239387a36f6e19bba6816a39c93b6aa7329340343a2ab42ccd32d&nbsp;<\/td>\n<td>SHA-256&nbsp;&nbsp;<\/td>\n<td>Installer\u202fdropped from cloud storage\u202f&nbsp;<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>a2b9e0887751c3d775adc547f6c76fea3b4a554793059c00082c1c38956badc8\u202f&nbsp;<\/td>\n<td>SHA-256&nbsp;<\/td>\n<td>Installer\u202fdropped from cloud storage\u202f&nbsp;<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>15a730d22f25f87a081bb2723393e6695d2aab38c0eafe9d7058e36f4f589220&nbsp;<\/td>\n<td>SHA-256&nbsp;&nbsp;<\/td>\n<td>Installer\u202fdropped from cloud storage\u202f&nbsp;<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p class=\"wp-block-paragraph\"><strong>Cloud storage URLs: Payload hosting<\/strong>&nbsp;<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<tbody readability=\"7\">\n<tr readability=\"2\">\n<td>hxxps[:]\/\/bafauac.s3.ap-southeast-1.amazonaws[.]com\u202f&nbsp;<\/td>\n<td>URL&nbsp;<\/td>\n<td>Amazon S3 Bucket\u202f&nbsp;<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>hxxps[:]\/\/yifubafu.s3.ap-southeast-1.amazonaws[.]com\u202f&nbsp;<\/td>\n<td>URL&nbsp;<\/td>\n<td>Amazon S3 Bucket\u202f&nbsp;<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>hxxps[:]\/\/9ding.s3.ap-southeast-1.amazonaws[.]com\u202f&nbsp;<\/td>\n<td>URL&nbsp;<\/td>\n<td>Amazon S3 Bucket\u202f&nbsp;<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>hxxps[:]\/\/f005.backblazeb2.com\/file\/bsbbmks\u202f&nbsp;<\/td>\n<td>URL&nbsp;<\/td>\n<td>Backblaze\u202fB2 Cloud Storage\u202f&nbsp;<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>hxxps[:]sinjiabo-1398259625[.]cos.ap-singapore.myqcloud.com\u202f&nbsp;<\/td>\n<td>URL&nbsp;<\/td>\n<td>Tencent Cloud storage<em>\u202f<\/em>&nbsp;<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p class=\"wp-block-paragraph\"><strong>Command and control (C2) infrastructure<\/strong>&nbsp;<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<tbody readability=\"2\">\n<tr 
readability=\"2\">\n<td>Neescil[.]top\u202f&nbsp;<\/td>\n<td>Domain&nbsp;<\/td>\n<td>Command and control domain&nbsp;<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>velthora[.]top\u202f&nbsp;<\/td>\n<td>Domain&nbsp;<\/td>\n<td>Command and control domain&nbsp;<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p class=\"wp-block-paragraph\"><em>This research is provided by Microsoft Defender Security Research with contributions from\u202fSabitha S<\/em> and other members of Microsoft Threat Intelligence.<\/p>\n<p class=\"wp-block-paragraph\">Review\u202four\u202fdocumentation\u202fto learn\u202fmore about our real-time protection capabilities and see how\u202fto\u202fenable them within your\u202forganization.\u202f\u202f&nbsp;<\/p>\n<p class=\"wp-block-paragraph\">Learn more about\u202f<a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-cloud-apps\/real-time-agent-protection-during-runtime\" target=\"_blank\" rel=\"noreferrer noopener\">Protect your agents in real-time during runtime (Preview) \u2013 Microsoft Defender for Cloud Apps<\/a><\/p>\n<p class=\"wp-block-paragraph\">Explore\u202f<a href=\"https:\/\/eurppc-word-edit.officeapps.live.com\/we\/%E2%80%A2%09https:\/learn.microsoft.com\/en-us\/microsoft-365-copilot\/extensibility\/copilot-studio-agent-builder\" target=\"_blank\" rel=\"noreferrer noopener\">how to build and customize agents with Copilot Studio Agent Builder<\/a>&nbsp;<\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/learn.microsoft.com\/en-us\/copilot\/microsoft-365\/microsoft-365-copilot-ai-security\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft 365 Copilot AI security documentation<\/a>&nbsp;<\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/04\/11\/how-microsoft-discovers-and-mitigates-evolving-attacks-against-ai-guardrails\/\" target=\"_blank\" rel=\"noreferrer noopener\">How Microsoft discovers and mitigates evolving attacks against AI guardrails<\/a>&nbsp;<\/p>\n<p 
class=\"wp-block-paragraph\">Learn more about\u202f<a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-cloud-apps\/ai-agent-protection\" target=\"_blank\" rel=\"noreferrer noopener\">securing Copilot Studio agents with Microsoft Defender<\/a><\/p>\n<p>READ MORE <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/03\/31\/whatsapp-malware-campaign-delivers-vbs-payloads-msi-backdoors\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A malware campaign uses WhatsApp messages to deliver VBS scripts that initiate a multi-stage infection chain. The attack leverages renamed Windows tools and cloud-hosted payloads to install MSI backdoors and maintain persistent access to compromised systems.<br \/>\nThe post WhatsApp malware campaign delivers VBS payloads and MSI backdoors appeared first on Microsoft Security Blog. READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[276],"tags":[357],"class_list":["post-60404","post","type-post","status-publish","format-standard","hentry","category-microsoft-secure","tag-windows"]}