logo

A VBScript campaign distributed through WhatsApp deploying RMM software

ID: df91df1c-1916-5e1c-8e66-23a57d1e2f93

STIX ID: report--df91df1c-1916-5e1c-8e66-23a57d1e2f93

Feed Name: Securelist by Kaspersky

Threat Score
72/100

Date Published: 2026-06-22

Date Updated: 2026-06-22

Author: Fareed Radzi

...
...

In June 2026 an active, cross-border campaign used compromised WhatsApp accounts to distribute obfuscated VBScript attachments that, when executed, download secondary scripts and install a preconfigured ManageEngine Endpoint Central RMM agent to enable persistent remote access; the campaign targeted users across multiple countries (≈80% of observed victims in Malaysia), employs UAC bypass attempts and multiple download mechanisms, and includes numerous IOCs (file hashes, domains, and IPs) with low-confidence attribution to a Chinese-speaking operator.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.