Microsoft has identified a new cyberattack campaign that uses WhatsApp messages to deliver malicious scripts capable of taking control of Windows computers. The activity, which began in late February 2026, utilizes Visual Basic Script (VBS) files to start a complex infection process designed to give attackers persistent remote access. The exact method used to lure users into opening the malicious files remains unclear at this time.
How the Attack Chain Works
The campaign begins when a target receives a message on the WhatsApp messaging platform. This message carries a malicious Visual Basic Script file. If the user downloads and executes this VBS file, it triggers a multi-stage infection sequence.
Security researchers at Microsoft note that the script employs sophisticated techniques to bypass User Account Control (UAC), a core Windows security feature. UAC is designed to prevent unauthorized changes to the operating system by requiring administrator approval for certain actions. By bypassing this safeguard, the malware can install itself with elevated privileges without alerting the user.
Goals and Capabilities of the Malware
The primary objective of this malicious software is to establish a permanent foothold on infected machines. After bypassing UAC, the scripts work to achieve persistence, meaning they configure the system to automatically re-run the malicious code even after a reboot. This ensures the attacker maintains long-term access.
Once persistence is established, the malware enables remote access and control. This allows threat actors to execute commands on the compromised computer, potentially stealing sensitive data, deploying additional payloads, or using the machine as part of a larger botnet.
Security Implications and User Risk
This campaign highlights the ongoing trend of attackers exploiting trusted communication platforms like WhatsApp to distribute threats. The use of VBS files is also notable, as these scripts can be powerful and sometimes fly under the radar of traditional antivirus software if they are novel or heavily obfuscated.
The combination of a popular delivery vector and a UAC bypass technique makes this a significant threat. It underscores the importance of user vigilance, even when interacting with messages from seemingly familiar contacts on ostensibly secure platforms.
Recommended Protective Measures
Microsoft and security experts advise users to exercise extreme caution with unsolicited messages containing files or links, regardless of the source. Users should not download or open files from unknown or unexpected senders, even on messaging apps.
Keeping Windows and all security software updated with the latest patches is critical, as updates often address vulnerabilities that malware exploits. Enabling and heeding User Account Control prompts is another essential layer of defense, as it can block many unauthorized modification attempts.
Organizations are encouraged to implement application allowlisting policies where possible, which can prevent the execution of unauthorized scripts like VBS files. Network monitoring for suspicious outbound connections can also help identify compromised systems.
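The behaviours the advisory describes (a user-launched VBS file, a UAC bypass followed by persistence, then remote access) leave traces that endpoint telemetry can correlate. The following is an added example written for this article, not Microsoft's detection logic and not based on any indicators from the campaign: it runs a few toy rules over constructed Sysmon-style events and flags a Windows script host that executes a .vbs file out of a user download directory, then writes a Run-key autostart entry, then opens an outbound connection. The directory names, registry path, process IDs and IP addresses are all constructed for illustration.

```python
"""Toy detection pass over constructed Sysmon-style endpoint events.

Rules (all generic, none specific to the campaign in the article):
  1. wscript.exe / cscript.exe running a .vbs from a user drop directory
  2. that same script-host process writing a CurrentVersion\Run value
  3. that same script-host process opening an outbound network connection
A process that trips two or more rules is reported as high confidence.
"""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Directories a file received through a messaging app commonly lands in (assumption).
USER_DROP_DIRS = re.compile(r"\\(downloads|whatsapp|appdata\\local\\temp)\\", re.IGNORECASE)
# Classic autostart registry locations used for reboot persistence.
RUN_KEYS = re.compile(r"\\currentversion\\run(once)?\\", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Apply the three rules; rules 2 and 3 only fire for PIDs seen by rule 1's host check."""
    findings = []
    script_pids = set()  # PIDs of script hosts that were started with a .vbs argument
    for ev in events:
        if ev["type"] == "process_create":
            if basename(ev["image"]) in SCRIPT_HOSTS and ".vbs" in ev["cmdline"].lower():
                script_pids.add(ev["pid"])
                if USER_DROP_DIRS.search(ev["cmdline"]):
                    findings.append(Finding("vbs_from_user_drop_dir", ev["pid"], ev["cmdline"]))
        elif ev["type"] == "registry_set":
            if ev["pid"] in script_pids and RUN_KEYS.search(ev["target"]):
                findings.append(Finding("script_host_run_key_persistence", ev["pid"], ev["target"]))
        elif ev["type"] == "network_connect":
            if ev["pid"] in script_pids:
                dest = f'{ev["dest_ip"]}:{ev["dest_port"]}'
                findings.append(Finding("script_host_outbound", ev["pid"], dest))
    return findings


def high_confidence_pids(findings):
    """PIDs that tripped at least two distinct rules, in ascending order."""
    rules_by_pid = {}
    for f in findings:
        rules_by_pid.setdefault(f.pid, set()).add(f.rule)
    return sorted(pid for pid, rules in rules_by_pid.items() if len(rules) >= 2)


# Constructed sample telemetry: PID 4120 is the suspicious chain; PID 5000 is a
# vendor logon script run from Program Files (benign); PID 6000 is unrelated.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4120,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\invoice.vbs"'},
    {"type": "registry_set", "pid": 4120,
     "target": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "network_connect", "pid": 4120, "dest_ip": "203.0.113.10", "dest_port": 443},
    {"type": "process_create", "pid": 5000,
     "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r'cscript.exe //nologo "C:\Program Files\Vendor\logon.vbs"'},
    {"type": "network_connect", "pid": 6000, "dest_ip": "198.51.100.5", "dest_port": 80},
]


def run_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
    print("high confidence:", high_confidence_pids(run_sample()))
```

The correlation step matters more than any single rule: a script host alone, a Run-key write alone, or an outbound connection alone is routine on a managed fleet, but all three from one process started against a file in a download folder is the shape of the chain described above. In a real deployment the event source would be Sysmon or an EDR feed rather than the inline list.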
Ongoing Investigation and Future Outlook
Microsoft’s security teams continue to analyze the campaign to uncover more details about its origins, the specific lures used, and the full scope of its capabilities. The company is expected to release further technical details and indicators of compromise (IOCs) to help the wider security community detect and block the threat.
As the investigation progresses, security firms worldwide will likely update their detection signatures to catch this specific malware variant. Users and administrators should monitor official communications from Microsoft’s Security Response Center for the latest guidance and mitigation strategies related to this evolving threat.
Source: Microsoft Security Advisory