WhatsApp VBScript Attack: Hackers Are Using Your Contacts to Spread Malware

by Team Techager

A new attack is spreading through WhatsApp right now. According to Kaspersky research, it was first spotted in June 2026. What makes it so dangerous is simple — the malicious file comes from someone you already know and trust.

This is not your usual spam message from a random stranger. Your friend, colleague, or family member’s account sends you the file. You see their name. You open it. And that’s all it takes.

What Is Actually Happening

Hackers are breaking into real WhatsApp accounts. Then they use those accounts to send a harmful file to every contact on the list.

The file looks totally normal. It has names like:

  • “Financial Reports.vbs”
  • “Account Statement.vbs”
  • “Outstanding Payment List.vbs”

These names sound like something you might get from your bank or office. So people open them without thinking.

The file type is VBScript — a script file that Windows can run. Most people have never heard of .vbs files, so they don’t see any danger in opening one.

What Happens When You Open the File

Nothing visible happens at first. That’s the scary part. Everything runs quietly in the background.

Here is what the file does after you open it:

  • It creates a hidden folder on your computer
  • It connects to outside servers and downloads more harmful files
  • It uses real Windows tools — just renamed — to avoid detection
  • It tries to turn off your Windows security prompts

After all this, it installs a remote access program on your device. The attacker can then log into your computer anytime they want, without you knowing.

Why This Attack Is Hard to Spot

Most people learn to be careful with emails from strangers. But this attack comes through WhatsApp — and if you use WhatsApp on PC, the risk is even more direct since files open faster on desktop.

There is also no message with the file. Just the attachment. One account was seen sending the same file to many contacts in a row. If a friend sends you a file out of nowhere with no explanation, that is a big red flag.

The files are also made to look like business documents. Some are even written in different languages — Portuguese, French, German, and Malay — to target people in different countries. WhatsApp keeps adding new features, but that also means more ways for attackers to exploit user habits.

How the Attack Spreads in Stages

The infection does not happen all at once. It moves in steps.

Step one: You open the VBScript file. It creates a hidden folder and downloads two more scripts from attacker servers.

Step two: The first script tries to turn off your Windows security settings. It keeps trying over and over until it works. The second script downloads a ZIP file packed with more tools.

Step three: Inside that ZIP is a remote management program called ManageEngine Endpoint Central. This is actually a real tool used by IT teams in companies. The attackers install it silently. You never see it happen.

Once it is installed, the attacker has full remote access to your device. They can see your files, install more malware, or spy on what you do.

Who Is Getting Hit

So far, victims have been found in Malaysia, Brazil, India, Mexico, Singapore, the UK, Spain, Taiwan, Australia, Russia, and Vietnam.

Malaysia has the highest number of cases — around 80% of all known victims are there. However, because the files are translated into multiple languages, this campaign is clearly designed to spread further.

Regular everyday users are the main targets here. This is not aimed at a specific company or industry. The attackers are simply going after anyone who opens the file.

Who Might Be Behind This

Researchers do not know for sure who is running this campaign. However, they found some clues.

Many of the scripts contained notes written in simplified Chinese. On top of that, one of the attacker’s server addresses was previously linked to two known malware tools — ValleyRAT and Gh0st RAT — which have been connected to Chinese-speaking hackers before.

Even so, Kaspersky is not ready to fully blame any specific group. The evidence points in one direction, but it is not strong enough yet to say for certain.

How to Keep Yourself Safe

You do not need to be a tech expert to avoid this. A few simple steps will protect you.

  • Do not open .vbs files — or any script files like .bat, .cmd, .js, or .ps1 — sent through WhatsApp
  • Got a file from a friend with no message? Call them first and ask if they actually sent it
  • Use antivirus software and keep it up to date — it can block these scripts before they run
  • Check your computer for any remote management tools you did not install yourself. It is also worth knowing if someone is already spying on your WhatsApp before things get worse.
  • Be extra careful on WhatsApp Web — downloaded files can be opened accidentally through your browser
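
For readers comfortable running a script, the first tip can be automated. The following is an added example, not part of the original article or of Kaspersky's research: it walks a download folder and flags the script extensions listed above, including names that differ only in letter case, names with trailing dots or spaces, and scripts hidden behind a document-style extension. The decoy extension list, the function names and the sample file names in demo() are assumptions made for illustration.

```python
from __future__ import annotations

import os
import tempfile
from pathlib import Path

# Script extensions the article warns about.
RISKY_EXTENSIONS = {".vbs", ".bat", ".cmd", ".js", ".ps1"}
# Document-looking extensions used to spot "report.pdf.vbs" names (assumed list).
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def classify(filename: str) -> str | None:
    """Return a reason string if the file name is a script, else None."""
    # Windows ignores trailing dots/spaces and treats extensions case-insensitively.
    name = filename.rstrip(" .").lower()
    suffixes = Path(name).suffixes
    if not suffixes or suffixes[-1] not in RISKY_EXTENSIONS:
        return None
    if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTENSIONS:
        return f"script hidden behind {suffixes[-2]} ({suffixes[-1]})"
    return f"script file ({suffixes[-1]})"


def scan_folder(folder: str) -> dict[str, str]:
    """Walk a download folder and map each flagged path to the reason."""
    findings = {}
    for root, _dirs, files in os.walk(folder):
        for fname in files:
            reason = classify(fname)
            if reason:
                findings[os.path.join(root, fname)] = reason
    return findings


def demo() -> dict[str, str]:
    """Scan a constructed sample folder; the files are harmless text."""
    samples = ["Financial Reports.vbs", "Account Statement.VBS",
               "invoice.pdf.vbs", "holiday.jpg", "notes.txt"]
    with tempfile.TemporaryDirectory() as tmp:
        for sample in samples:
            Path(tmp, sample).write_text("constructed sample, not real malware")
        return {os.path.basename(p): r for p, r in scan_folder(tmp).items()}


if __name__ == "__main__":
    for name, reason in sorted(demo().items()):
        print(f"{name}: {reason}")
```

To check your own machine, call scan_folder() with the folder where WhatsApp or your browser saves downloads, and delete anything it flags without opening it.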

Final Thought

This attack works because it feels normal. The message comes from a trusted contact. The file looks like a work document. Nothing seems off until it is too late.

The best thing you can do is slow down before opening any unexpected file — even from someone you know. A quick phone call to verify can save you a lot of trouble.

Share this with the people around you. Most of them use WhatsApp every day and have no idea this is happening.
