logo

WhatsApp Malware Campaign Spreads RMM Software

ID: fdcdb9cc-e33a-5d72-aedc-e945c7f720a5

STIX ID: report--fdcdb9cc-e33a-5d72-aedc-e945c7f720a5

Feed Name: securityonline.info

Threat Score
75/100

Date Published: 2026-06-26

Date Updated: 2026-06-26

Author: Do Son

...
...

A global WhatsApp malware campaign uses compromised accounts to send localized VBScript invoice attachments that, when executed, create hidden working directories, download obfuscated payloads, attempt UAC bypass, extract a ManageEngine Endpoint Central deployment package, and silently install the RMM to gain persistent remote control; Kaspersky and Broadcom telemetry tie the active operation (notably affecting Malaysia) to prior RAT infrastructure (IP 202.61.160.201).

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.