logo

WhatsApp VBScript Campaign Installs ManageEngine Endpoint Central for Persistent Remote Access

ID: 6efbeb24-d275-5df1-992a-ea818f25a526

STIX ID: report--6efbeb24-d275-5df1-992a-ea818f25a526

Feed Name: SOCRadar Blog

Threat Score
75/100

Date Published: 2026-06-23

Date Updated: 2026-06-23

Author: Ameer Owda

...
...

A WhatsApp-delivered VBScript campaign (active as of June 22, 2026) distributes socially engineered VBS/VBE attachments that, when opened, run a multi-stage chain to download a ZIP containing a preconfigured ManageEngine Endpoint Central deployment and silently install the UEMSAgent, giving attackers persistent remote access; the report details infection stages, observed victim countries (notably Malaysia), filenames, registry and execution behaviors, known management-server IPs, and detection/mitigation guidance.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.