WhatsApp Malware Campaign Hijacks Trust, Installs Legitimate Admin Tools
ID: 7d87bcca-c644-5dd4-8db7-ae80fd4c738c
STIX ID: report--7d87bcca-c644-5dd4-8db7-ae80fd4c738c
Feed Name: Security Affairs
Malicious WhatsApp messages with VBScript attachments are being distributed from compromised accounts to deliver a multi-stage installer that silently deploys a preconfigured ManageEngine Endpoint Central agent, granting remote access to attackers; the campaign is active (as of 22 June 2026), affects multiple countries (≈80% of confirmed victims in Malaysia), uses heavy script obfuscation and attempted UAC bypass via registry changes, and communicates with attacker-controlled servers including IP 202.61.160.201 which has prior links to RAT infrastructure.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
