Cybercriminals are currently exploiting WhatsApp Web for Windows to deploy a sophisticated phishing campaign that grants attackers full remote administrative control. The infection chain begins when users receive a malicious VBScript file disguised as a legitimate commercial or financial document. These files are typically sent from compromised accounts belonging to the victim's own contacts, which significantly increases the likelihood that the recipient opens them. When executed, the script systematically disables system security alerts to evade detection.

- Initial delivery of a rogue VBScript file disguised as an invoice or business document.
- Automatic deactivation of built-in Windows security warnings and alerts.
- Silent installation of ManageEngine Endpoint Central, a legitimate management tool repurposed by hackers.

By leveraging authorized software, the attackers gain persistent administrative access to the host machine without triggering traditional antivirus detection. This campaign has already been detected in 11 countries, including Brazil, and poses a significant risk to business users who rely on the desktop messaging client for daily operations. Vigilance regarding unsolicited file attachments, even from known contacts, is critical to preventing infection.
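
Because the installed tool is legitimate, what separates this chain from a normal rollout is process ancestry rather than the binary itself. The following detection sketch is an added example, not part of the original report: the event fields, process paths, file names and the `endpointcentral` marker are constructed assumptions to be replaced with values from your own telemetry.

```python
# Added example: all events below are constructed, not telemetry from the campaign.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
MESSENGER_PREFIX = "whatsapp"        # assumption: desktop client image name
RMM_MARKERS = ("endpointcentral",)   # assumption: substring in the agent installer command line

def base(path):
    """Lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]

def find_chains(events):
    """Return (host, script_pid, installer_pid) for every management-agent install
    that descends from a .vbs started by a script host the messenger launched."""
    by_key = {(e["host"], e["pid"]): e for e in events}
    hits = []
    for e in events:
        if not any(m in e["cmdline"].lower() for m in RMM_MARKERS):
            continue
        cur, seen = e, set()
        while cur and (cur["host"], cur["pid"]) not in seen:  # guard against pid loops
            seen.add((cur["host"], cur["pid"]))
            parent = by_key.get((cur["host"], cur["ppid"]))
            if (parent and base(cur["image"]) in SCRIPT_HOSTS
                    and ".vbs" in cur["cmdline"].lower()
                    and base(parent["image"]).startswith(MESSENGER_PREFIX)):
                hits.append((e["host"], cur["pid"], e["pid"]))
                break
            cur = parent  # keep walking up the process tree
    return hits

def ev(host, pid, ppid, image, cmdline):
    return {"host": host, "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}

EVENTS = [
    # WS-A: attachment opened from the messenger, agent installed by the script's child
    ev("WS-A", 200, 100, r"C:\Program Files\WhatsApp\WhatsApp.exe", "WhatsApp.exe"),
    ev("WS-A", 300, 200, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Users\u\Downloads\Invoice_0423.vbs"'),
    ev("WS-A", 310, 300, r"C:\Windows\System32\cmd.exe", "cmd.exe /c install"),
    ev("WS-A", 320, 310, r"C:\Windows\System32\msiexec.exe", r"msiexec /i C:\Users\u\AppData\Local\Temp\EndpointCentralAgent.msi /qn"),
    # WS-B: same agent pushed by a hypothetical IT deployment tool, must not alert
    ev("WS-B", 510, 4, r"C:\Tools\deploytool.exe", "deploytool.exe --run"),
    ev("WS-B", 520, 510, r"C:\Windows\System32\msiexec.exe", r"msiexec /i \\fileserver\sw\EndpointCentralAgent.msi /qn"),
    # WS-C: script opened from the messenger, but no agent install follows
    ev("WS-C", 700, 1, r"C:\Program Files\WhatsApp\WhatsApp.exe", "WhatsApp.exe"),
    ev("WS-C", 710, 700, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Users\v\Downloads\note.vbs"'),
]

if __name__ == "__main__":
    for hit in find_chains(EVENTS):
        print("ALERT host=%s script_pid=%s installer_pid=%s" % hit)
```

On real telemetry, key processes by a unique process identifier or start time rather than the bare PID, since PIDs are reused.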

