A VBScript campaign distributed through WhatsApp deploying RMM software
ID: df91df1c-1916-5e1c-8e66-23a57d1e2f93
STIX ID: report--df91df1c-1916-5e1c-8e66-23a57d1e2f93
Feed Name: Securelist by Kaspersky
In June 2026 an active, cross-border campaign used compromised WhatsApp accounts to distribute obfuscated VBScript attachments that, when executed, download secondary scripts and install a preconfigured ManageEngine Endpoint Central RMM agent to enable persistent remote access; the campaign targeted users across multiple countries (≈80% of observed victims in Malaysia), employs UAC bypass attempts and multiple download mechanisms, and includes numerous IOCs (file hashes, domains, and IPs) with low-confidence attribution to a Chinese-speaking operator.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
