Kaspersky uncovers a new massive campaign spreading malware via WhatsApp, warning that cybercriminals are exploiting compromised accounts to distribute malicious files disguised as routine business documents to users across multiple countries.
Kaspersky uncovers a new massive campaign spreading malware via WhatsApp targeting desktop users
The campaign, identified by the Kaspersky GReAT (Global Research and Analysis Team) in June 2026, primarily targets users of WhatsApp Desktop and WhatsApp Web. Researchers found that attackers are sending malicious Visual Basic Script (VBScript) files through direct messages using previously compromised WhatsApp accounts, increasing the likelihood that recipients will trust and open the attachments.
According to Kaspersky, the highest number of observed victims has been recorded in Malaysia, although infections have also been identified in Brazil, Singapore, Taiwan and Vietnam. The use of multilingual file names further suggests that the campaign is targeting users across several regions, including parts of Europe.
The attackers rely heavily on social engineering techniques to deceive recipients. The malicious attachments are disguised as everyday business documents, with filenames resembling invoices, bank statements, account statements, payment records and debt notices. To increase credibility, these files are localised into several languages, including English, Portuguese, French, German and Malay.
Researchers also discovered that the malicious VBScript files contain comments and metadata designed to imitate legitimate Microsoft Windows Update components, making them appear less suspicious to users who inspect the files before opening them.
Fareed Radzi, a security researcher with Kaspersky GReAT, said the campaign demonstrates how cybercriminals are increasingly exploiting trust within popular messaging platforms.
“In this campaign, attackers are exploiting trust within messaging platforms by using compromised WhatsApp accounts to deliver malicious attachments that appear to originate from known contacts, making recipients far more inclined to engage with them,” he said.
Once the malicious attachment is opened, the infection follows a multi-stage execution process. The initial script creates a working directory on the victim’s computer before downloading additional scripts from remote infrastructure. These scripts are executed through Windows Script Host and subsequently retrieve a compressed archive containing remote monitoring and management software.
Although such remote administration tools are commonly used by legitimate IT support teams, attackers abuse them to gain unauthorised access to infected systems. Once installed, the malware enables remote control of the device, potentially allowing cybercriminals to steal sensitive information, monitor user activity or deploy additional malicious software.
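The chain described above (a script run through Windows Script Host, further scripts run the same way, then a compressed archive retrieved) can be hunted for in endpoint telemetry. The following is an added example, not code from Kaspersky or from the campaign; the event schema, host names, file paths, archive extensions and the ten-minute window are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # Windows Script Host binaries
SCRIPT_EXTS = (".vbs", ".vbe")
ARCHIVE_EXTS = (".zip", ".7z", ".rar")         # assumed archive types
WINDOW = timedelta(minutes=10)                 # assumed correlation window
WSH = r"C:\Windows\System32\wscript.exe"

# Constructed sample telemetry (hypothetical schema and paths, not real IoCs).
EVENTS = [
    {"time": "2026-06-10T09:00:05", "host": "WS-01", "type": "process",
     "image": WSH, "target": r"C:\Users\a\Downloads\Invoice_0610.vbs"},
    {"time": "2026-06-10T09:00:09", "host": "WS-01", "type": "process",
     "image": WSH, "target": r"C:\ProgramData\work\stage2.vbs"},
    {"time": "2026-06-10T09:00:30", "host": "WS-01", "type": "file",
     "image": WSH, "target": r"C:\ProgramData\work\pkg.zip"},
    # Routine admin script with no archive inside the window: must not alert.
    {"time": "2026-06-10T09:05:00", "host": "WS-02", "type": "process",
     "image": r"C:\Windows\System32\cscript.exe", "target": r"C:\Scripts\logon.vbs"},
    {"time": "2026-06-10T11:00:00", "host": "WS-02", "type": "file",
     "image": WSH, "target": r"C:\Temp\backup.zip"},
]

def name(path):
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_chains(events, window=WINDOW):
    """Alert when a script host writes an archive shortly after running scripts."""
    runs = {}    # host -> [(time, script path)] for script-host executions
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if name(ev["image"]) not in SCRIPT_HOSTS:
            continue
        when = datetime.fromisoformat(ev["time"])
        target = ev["target"].lower()
        if ev["type"] == "process" and target.endswith(SCRIPT_EXTS):
            runs.setdefault(ev["host"], []).append((when, target))
        elif ev["type"] == "file" and target.endswith(ARCHIVE_EXTS):
            recent = [s for t, s in runs.get(ev["host"], []) if when - t <= window]
            if recent:
                alerts.append({"host": ev["host"], "archive": ev["target"],
                               "scripts": recent,
                               "multi_stage": len(set(recent)) > 1})
    return alerts

if __name__ == "__main__":
    for alert in find_chains(EVENTS):
        print(alert)
```

The `multi_stage` flag separates a single script that writes an archive from the pattern in which a second, different script runs first, which matches the staged download described above more closely.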
The latest findings highlight the growing threat posed by WhatsApp malware, particularly as attackers increasingly rely on trusted communication platforms to bypass users’ natural caution. By sending files through compromised accounts that already exist in a victim’s contact list, cybercriminals significantly improve the chances that recipients will open the attachment without questioning its legitimacy.
Kaspersky advises users to exercise caution whenever unexpected files are received through WhatsApp, even if they appear to come from friends, colleagues or known business contacts. The company recommends not opening script or executable file types such as .vbs, .vbe, .exe, .bat, .cmd, .js and .ps1 unless their authenticity has been independently verified.
In addition, users are encouraged to install reputable endpoint security software capable of detecting malicious files before they are executed. Security solutions can help identify suspicious downloads, block malicious activity and reduce the risk of successful infections.
As Kaspersky uncovers a new massive campaign spreading malware via WhatsApp, cybersecurity experts warn that messaging applications continue to be attractive targets for cybercriminals seeking to exploit trusted relationships. Maintaining vigilance, verifying unexpected attachments and keeping security software up to date remain among the most effective defences against increasingly sophisticated cyber threats.

