In late February 2026, a campaign was detected that uses WhatsApp messages to distribute malicious files written in Visual Basic Script (VBS). According to Microsoft researchers, the initial vector is a file that, if run by the user, triggers a multi-phase infection chain designed to persist on the system and give the attackers remote access. What makes this operation particularly dangerous is the combination of social engineering with legitimate tools of the system itself and well-known cloud services. To understand its scope and implications, it helps to break down how the intrusion works and what measures reduce the risk.
The starting point, according to the investigation, is a VBS file sent over WhatsApp whose content seeks to persuade the victim to run it, although Microsoft has not yet confirmed the exact lures used by the attackers. When executed, the script creates hidden folders within C:\ProgramData and drops renamed copies of legitimate Windows executables. Among the files identified are utilities such as curl.exe and bitsadmin.exe, stored under false names such as netapi.dll and sc.exe so that they blend in with normal traffic and the usual system processes.

Once initial access is achieved, the campaign continues by downloading secondary payloads hosted on widely used cloud storage services. Microsoft has observed that additional VBS files are fetched from platforms such as Amazon S3, Tencent Cloud and Backblaze B2. By hosting components on trusted infrastructure, the attackers hinder detection and benefit from the reputation of these services to camouflage their malicious downloads. For background on why these providers are commonly abused in this way, see the public documentation for AWS S3 (aws.amazon.com/s3), Tencent Cloud (intl.cloud) and Backblaze B2 (backblaze.com).
The purpose of these secondary binaries and scripts is twofold: to establish persistence and to escalate privileges. The attackers try to weaken User Account Control (UAC) in order to execute commands with elevated privileges. According to the analysis, the malware repeatedly attempts to launch cmd.exe with elevation until it succeeds or the process is interrupted, and modifies Registry keys under HKLM\Software\Microsoft\Win to insert mechanisms that survive reboots. This kind of manipulation aims to make control over the machine independent of continued user interaction.
Once they obtain elevated privileges, the operators install unsigned MSI packages that provide persistent remote access. Among the tools observed in malicious deployments is AnyDesk, legitimate remote access software that, in the hands of an attacker, allows exfiltration of information, execution of further actions or deployment of additional payloads. This strategy, using legitimate software to achieve malicious objectives, is a classic variant of "living-off-the-land" techniques and complicates detection because many defenses tend to allow traffic or processes considered routine.
From a technical and operational perspective, there are two important lessons. The first is that the use of renamed utilities makes malicious behavior look ordinary in logs and network traffic; for example, a download from S3 made with a renamed copy of curl does not necessarily trigger the same alerts as an unknown external tool. The second is that hosting binaries on trusted platforms reduces the likelihood that the transfers are blocked by security policies that implicitly rely on known domains and endpoints.
For users and administrators this translates into clear practical recommendations: do not run files received by instant messaging without verifying them, even if they come from known contacts; enable and keep up to date antivirus and EDR solutions; review script execution policies and restrictions on software installation; audit the execution of renamed binaries and monitor modifications to sensitive Registry keys and UAC configuration. Microsoft publishes general guidance and threat alerts that can help respond to incidents and harden systems: the Microsoft Security Blog and the documentation for its endpoint protection solutions (learn.microsoft.com - Defender for Endpoint).
It is also useful to know the messaging vectors and their security options: WhatsApp has guides and tips on how to identify suspicious messages and protect accounts, which should be consulted if you receive unexpected files or links (WhatsApp - Security). For infrastructure managers, resources such as the MITRE ATT&CK framework help to classify and understand the techniques used by the attackers, including the abuse of system utilities and the use of cloud storage as a delivery channel (mitre.org/attack).
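The first lesson above has a concrete detection counterpart: a renamed copy of curl.exe or bitsadmin.exe still carries the original name in its PE version resource, and Sysmon process-creation events (Event ID 1) record that field as OriginalFileName. The following added example, written for this article and not code from Microsoft or the campaign analysis, runs that check over a constructed sample of Sysmon records in JSON-lines form. The watchlist of utility names, the sample events, and the hidden-folder path under C:\ProgramData are assumptions chosen to mirror the behaviour the article describes.

```python
import json
import ntpath
from typing import Dict, Iterator, List

# Utilities whose PE version resource carries an "OriginalFileName" that should
# match the name on disk. Sysmon Event ID 1 records that field, so a copy of
# curl.exe saved as netapi.dll still reports "curl.exe".
# Assumption: this watchlist is a starting point, not an exhaustive list.
WATCHED_ORIGINAL_NAMES = {"curl.exe", "bitsadmin.exe", "certutil.exe", "mshta.exe"}

# Staging location the article reports for the renamed copies (hidden folders
# under C:\ProgramData); matched case-insensitively as a path prefix.
SUSPICIOUS_DIRS = ("c:\\programdata\\",)

# Constructed sample of Sysmon Event ID 1/3 records as JSON lines (not real telemetry).
SAMPLE_EVENTS = r"""
{"EventID":1,"Image":"C:\\Windows\\System32\\curl.exe","OriginalFileName":"curl.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe"}
{"EventID":1,"Image":"C:\\ProgramData\\.cache\\netapi.dll","OriginalFileName":"curl.exe","ParentImage":"C:\\Windows\\System32\\wscript.exe"}
{"EventID":1,"Image":"C:\\ProgramData\\.cache\\sc.exe","OriginalFileName":"bitsadmin.exe","ParentImage":"C:\\Windows\\System32\\wscript.exe"}
{"EventID":1,"Image":"C:\\Windows\\System32\\sc.exe","OriginalFileName":"sc.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe"}
{"EventID":3,"Image":"C:\\ProgramData\\.cache\\netapi.dll","DestinationHostname":"bucket.example.invalid"}
"""


def parse_events(jsonl: str) -> Iterator[Dict]:
    """Yield one event dict per non-empty JSON line."""
    for line in jsonl.splitlines():
        if line.strip():
            yield json.loads(line)


def find_renamed_lolbins(jsonl: str) -> List[Dict]:
    """Return process-creation events whose on-disk name differs from OriginalFileName.

    Only watched utilities are reported, so a genuine sc.exe running as sc.exe
    (and any non-process event) is ignored.
    """
    findings = []
    for ev in parse_events(jsonl):
        if ev.get("EventID") != 1:
            continue
        original = ev.get("OriginalFileName", "").lower()
        image = ev.get("Image", "")
        on_disk = ntpath.basename(image).lower()   # ntpath handles Windows paths on any OS
        if original in WATCHED_ORIGINAL_NAMES and on_disk != original:
            findings.append({
                "image": image,
                "masquerading_as": on_disk,
                "original": original,
                "staged_in_programdata": image.lower().startswith(SUSPICIOUS_DIRS),
                "parent": ntpath.basename(ev.get("ParentImage", "")).lower(),
            })
    return findings


if __name__ == "__main__":
    for f in find_renamed_lolbins(SAMPLE_EVENTS):
        print(f"{f['original']} running as {f['image']} (parent: {f['parent']})")
```

The parent process is kept in each finding because a script host such as wscript.exe spawning a renamed download utility from a hidden ProgramData folder is the combination that matters here; the same name mismatch under an administrator's shell deserves a lower-priority alert.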
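The recommendation to monitor sensitive Registry keys and the UAC configuration can also be turned into a check. Sysmon Event ID 13 (registry value set) records the key, value name and data written, so a rule can flag new entries under the Run keys (the persistence goal) and writes that weaken UAC (the privilege-escalation goal). The example below is added here and is not the article's or Microsoft's code; the sample events are constructed, and the choice of keys and of which DWORD values count as "weakened" (EnableLUA set to 0, ConsentPromptBehaviorAdmin set to 0) is an assumption that a defender would extend for their own environment.

```python
import json
import re
from typing import Dict, Iterator, List, Optional

# Sysmon Event ID 13 (RegistryEvent: value set) reports TargetObject in the
# "HKLM\SOFTWARE\..." form and DWORD data as "DWORD (0x00000000)".
# Assumption: these keys are the ones worth watching for this campaign's two
# goals, persistence and weakened UAC; real deployments watch more.
RUN_KEYS = {
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\runonce",
}
UAC_POLICY_KEY = r"hklm\software\microsoft\windows\currentversion\policies\system"
# Value name -> DWORD data that weakens UAC. EnableLUA=0 disables UAC entirely;
# ConsentPromptBehaviorAdmin=0 elevates administrators without any prompt.
UAC_WEAK_VALUES = {"enablelua": {0}, "consentpromptbehavioradmin": {0}}

DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")

# Constructed sample of Sysmon records as JSON lines (not real telemetry).
SAMPLE_EVENTS = r"""
{"EventID":13,"Image":"C:\\Windows\\System32\\reg.exe","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","Details":"wscript.exe //B C:\\ProgramData\\.cache\\u.vbs"}
{"EventID":13,"Image":"C:\\Windows\\System32\\reg.exe","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA","Details":"DWORD (0x00000000)"}
{"EventID":13,"Image":"C:\\Windows\\System32\\svchost.exe","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin","Details":"DWORD (0x00000005)"}
{"EventID":13,"Image":"C:\\Windows\\System32\\svchost.exe","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Foo","Details":"DWORD (0x00000001)"}
{"EventID":1,"Image":"C:\\Windows\\System32\\cmd.exe"}
"""


def parse_events(jsonl: str) -> Iterator[Dict]:
    """Yield one event dict per non-empty JSON line."""
    for line in jsonl.splitlines():
        if line.strip():
            yield json.loads(line)


def dword_value(details: str) -> Optional[int]:
    """Decode Sysmon's 'DWORD (0x........)' rendering; None for other data types."""
    m = DWORD_RE.fullmatch(details.strip())
    return int(m.group(1), 16) if m else None


def find_registry_tampering(jsonl: str) -> List[Dict]:
    """Flag Run-key additions and UAC-weakening writes among registry value-set events."""
    findings = []
    for ev in parse_events(jsonl):
        if ev.get("EventID") != 13:
            continue
        key, _, value_name = ev.get("TargetObject", "").rpartition("\\")
        key_l, name_l = key.lower(), value_name.lower()
        details = ev.get("Details", "")
        if key_l in RUN_KEYS:
            findings.append({"kind": "persistence", "value": value_name,
                             "data": details, "image": ev.get("Image", "")})
        elif key_l == UAC_POLICY_KEY and name_l in UAC_WEAK_VALUES:
            data = dword_value(details)
            if data in UAC_WEAK_VALUES[name_l]:   # a default value (e.g. 5) is not an alert
                findings.append({"kind": "uac_weakened", "value": value_name,
                                 "data": data, "image": ev.get("Image", "")})
    return findings


if __name__ == "__main__":
    for f in find_registry_tampering(SAMPLE_EVENTS):
        print(f"[{f['kind']}] {f['value']} = {f['data']!r} written by {f['image']}")
```

Note that the third sample event, which writes the default ConsentPromptBehaviorAdmin value of 5, is deliberately left unflagged: alerting on every write to the UAC policy key would drown the signal in Group Policy refreshes, so the rule compares the data written against the values that actually weaken the control.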

If you suspect that a system has been compromised by such a campaign, do not turn it off immediately without documenting the incident, unless there is imminent risk; in many cases response teams recommend isolating the machine from the network, preserving logs and memory if possible, and escalating to an incident response team or the security provider. National cybersecurity agencies also publish guides and alerts on emerging threats; for example, the U.S. agency CISA maintains resources for responding to campaigns that use persistence techniques and remote access (cisa.gov - alerts).
In short, this campaign reaffirms a trend that security teams have been watching for years: attackers combine the trust that legitimate tools and services enjoy with social lures to overcome defenses. Effective protection depends not only on blocking the obvious, but on identifying atypical patterns in everyday processes and educating users so that a simple message does not become the entry point for a larger compromise. Keeping systems up to date, limiting the execution of unverified scripts, monitoring critical changes to the Registry and the UAC configuration, and implementing application and execution controls remain key measures to reduce the impact of such campaigns.
For more information and further alerts and analysis on similar threats, consult sources specialized in cybersecurity and technical news such as BleepingComputer, or the official releases and blogs of the vendors involved.