
WhatsApp malware campaign delivers VBScript and MSI backdoors

ID: ad6c06ec-763d-5102-8515-f3bcffc56a28

STIX ID: report--ad6c06ec-763d-5102-8515-f3bcffc56a28

Feed Name: Microsoft Security

Threat Score: 75/100

Date Published: 2026-03-31

Date Updated: 2026-04-28

Author: Microsoft Defender Security Research Team


Microsoft Defender observed a WhatsApp-delivered VBS campaign in late February 2026 that uses social engineering, renamed legitimate Windows utilities (LOLBAS), and payloads hosted on trusted cloud services (AWS, Tencent Cloud, Backblaze B2) to drop secondary VBS droppers, attempt UAC bypass and registry persistence, and ultimately install unsigned MSI installers (e.g., AnyDesk) for persistent remote access. The report provides multiple SHA-256 IOCs, cloud URLs, C2 domains, recommended mitigations, and hunting queries for detection and response.
