Malware Campaign Uses WhatsApp To Deliver VBS

Microsoft Defender Experts observed a WhatsApp-delivered Visual Basic Script (VBS) malware campaign starting in late February 2026 that uses renamed Windows utilities and cloud-hosted payloads. The multi-stage chain retrieves files from AWS, Tencent Cloud, and Backblaze B2, escalates privileges by modifying UAC and registry keys, and installs unsigned MSI installers (including AnyDesk) to establish persistence and remote access. Organizations should strengthen endpoint controls and cloud monitoring.
Key Points
- Delivers malicious VBS via WhatsApp, initiating a multi-stage chain with cloud-hosted secondary payloads
- Uses renamed Windows utilities and trusted cloud services to evade detection and blend with legitimate traffic
- Requires defenders to monitor PE metadata, cloud telemetry, and UAC registry changes, and to block script hosts
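The two host-side signals above (a renamed utility and a weakened UAC policy) as detection logic run over constructed sample events. This is an added example, not code from the Defender report; the event record format and sample data are assumptions, while the registry key and value names are the real Windows UAC policy settings.

```python
"""Flag renamed Windows utilities (on-disk name differs from PE OriginalFileName)
and registry writes that weaken UAC. Events are constructed sample records."""

# Real UAC policy location and the weakened settings an attacker would write.
UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_WEAK_VALUES = {"EnableLUA": "0", "ConsentPromptBehaviorAdmin": "0",
                   "PromptOnSecureDesktop": "0"}

# Script hosts and installers the chain relies on, matched on the PE version
# resource's OriginalFileName so that renaming the file does not hide them.
WATCHED_ORIGINAL_NAMES = {"wscript.exe", "cscript.exe", "msiexec.exe", "powershell.exe"}


def check_process(event):
    """Return a finding if a watched utility runs under a different file name."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    original = event.get("original_file_name", "").lower()
    if original in WATCHED_ORIGINAL_NAMES and image != original:
        return f"renamed utility: {image} has OriginalFileName {original}"
    return None


def check_registry(event):
    """Return a finding if a UAC policy value is set to its weakened state."""
    if event["key"].lower() != UAC_KEY.lower():
        return None
    name = event["value_name"]
    if name in UAC_WEAK_VALUES and str(event["data"]) == UAC_WEAK_VALUES[name]:
        return f"UAC weakened: {name} set to {event['data']}"
    return None


def triage(events):
    """Run both checks over a list of process/registry events; return findings."""
    checks = {"process": check_process, "registry": check_registry}
    findings = []
    for e in events:
        check = checks.get(e["type"])
        finding = check(e) if check else None
        if finding:
            findings.append(finding)
    return findings


SAMPLE_EVENTS = [  # constructed sample telemetry, not indicators from the report
    {"type": "process", "image": r"C:\Users\Public\update.exe", "original_file_name": "wscript.exe"},
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe", "original_file_name": "wscript.exe"},
    {"type": "registry", "key": UAC_KEY, "value_name": "EnableLUA", "data": 0},
    {"type": "registry", "key": UAC_KEY, "value_name": "EnableLUA", "data": 1},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```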
Scoring Rationale
Official Microsoft Defender report with concrete indicators and mitigation guidance increases credibility and actionability. High relevance to endpoint security and cloud monitoring; novelty is moderate since it adapts known living-off-the-land techniques. No freshness penalty (published today).
Sources
Public references used for this report.
