logo

WhatsApp Malware Campaign Hijacks Trust, Installs Legitimate Admin Tools

ID: 7d87bcca-c644-5dd4-8db7-ae80fd4c738c

STIX ID: report--7d87bcca-c644-5dd4-8db7-ae80fd4c738c

Feed Name: Security Affairs

Threat Score
75/100

Date Published: 2026-06-22

Date Updated: 2026-06-23

Author: Pierluigi Paganini

...
...

Malicious WhatsApp messages with VBScript attachments are being distributed from compromised accounts to deliver a multi-stage installer that silently deploys a preconfigured ManageEngine Endpoint Central agent, granting remote access to attackers; the campaign is active (as of 22 June 2026), affects multiple countries (≈80% of confirmed victims in Malaysia), uses heavy script obfuscation and attempted UAC bypass via registry changes, and communicates with attacker-controlled servers including IP 202.61.160.201 which has prior links to RAT infrastructure.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.