WhatsApp VBScript Campaign Installs ManageEngine Endpoint Central for Persistent Remote Access
ID: 6efbeb24-d275-5df1-992a-ea818f25a526
STIX ID: report--6efbeb24-d275-5df1-992a-ea818f25a526
Feed Name: SOCRadar Blog
A WhatsApp-delivered VBScript campaign (active as of June 22, 2026) distributes socially engineered VBS/VBE attachments that, when opened, run a multi-stage chain to download a ZIP containing a preconfigured ManageEngine Endpoint Central deployment and silently install the UEMSAgent, giving attackers persistent remote access; the report details infection stages, observed victim countries (notably Malaysia), filenames, registry and execution behaviors, known management-server IPs, and detection/mitigation guidance.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
