WhatsApp on Windows users targeted in new campaign, warns Microsoft
Microsoft has found attackers using VBS scripts in WhatsApp attachments to infect Windows users. The scripts are executed through social engineering, then download malware and install remote-control tools. Users are advised to open attachments with caution, enable the display of file extensions, use anti-malware tools, and keep their systems updated to guard against such attacks.
2026-4-1 14:27:39 Author: securityboulevard.com (view original)

Microsoft researchers found a campaign that abuses WhatsApp attachments to sneak a script onto Windows machines, which ultimately gives the attacker remote control.

WhatsApp offers a desktop application for Windows and macOS, which users can synchronize with their mobile devices. Desktop versions of WhatsApp are generally used as extensions of mobile apps rather than primary platforms. So, while wide usage of these apps exists, their adoption rate is likely significantly lower when compared to mobile platforms.

Last year, we wrote about Meta closing a vulnerability, present in all WhatsApp versions before 2.2450.6, that allowed an attacker to run arbitrary code on a Windows system.

The attacks found by Microsoft, however, are based solely on social engineering. The target receives a WhatsApp attachment that looks harmless enough, but it is actually a .vbs (Visual Basic Script) file that Windows can execute.

If the attacker manages to convince the victim to run the file on Windows, the script copies built‑in Windows tools into a hidden folder and gives them misleading names so they look harmless at first glance.

The tools themselves are legitimate, but they’re abused to download malware. This is a classic living off the land (LOTL) technique, which uses what’s already on the system instead of introducing malware binaries that would get picked up in a scan.
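One way to catch the renamed-tool step described above, as an added detection example that is not taken from Microsoft's or Malwarebytes' reporting: a copied Windows binary keeps its original name in the PE version resource, so process-creation telemetry can compare that field with the name and folder on disk. The events are constructed in the shape of Sysmon Event ID 1, and the watch list and paths are assumptions, not tools named in the campaign.

```python
import ntpath

# Assumption: a short watch list of built-in Windows tools; extend it for your estate.
WATCHED = {"curl.exe", "bitsadmin.exe", "certutil.exe", "wscript.exe", "msiexec.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed sample events (Image = path on disk, OriginalFileName = PE version info).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe"},
    {"Image": r"C:\ProgramData\Cache\imgview.exe", "OriginalFileName": "curl.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\bitsadmin.exe",
     "OriginalFileName": "bitsadmin.exe"},
    {"Image": r"C:\Program Files\Vendor\tool.exe", "OriginalFileName": "-"},
    {"Image": r"C:\Windows\System32\WScript.exe", "OriginalFileName": "wscript.exe"},
]


def in_system_dir(directory):
    """True only for the system folders themselves or their subfolders."""
    return any(directory == d or directory.startswith(d + "\\") for d in SYSTEM_DIRS)


def classify(event):
    """Return findings for one event; an empty list means nothing stands out."""
    original = (event.get("OriginalFileName") or "").strip().lower()
    if original not in WATCHED:  # also skips "-" (no version resource)
        return []
    image = event.get("Image", "")
    findings = []
    if ntpath.basename(image).lower() != original:
        findings.append("renamed")      # on-disk name hides what the binary is
    if not in_system_dir(ntpath.dirname(image).lower()):
        findings.append("relocated")    # built-in tool running from elsewhere
    return findings


def detect(events):
    """Collect (image, original name, findings) for every suspicious event."""
    hits = []
    for ev in events:
        findings = classify(ev)
        if findings:
            hits.append((ev["Image"], ev["OriginalFileName"], findings))
    return hits


if __name__ == "__main__":
    for image, original, findings in detect(SAMPLE_EVENTS):
        print(f"{image}: really {original} ({', '.join(findings)})")
```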

The next scripts are pulled from popular cloud providers, so network traffic looks like normal access to AWS, Tencent Cloud, or Backblaze instead of some shady server that would raise red flags.

To turn off other possible alarms, the malware keeps trying to elevate itself to administrator, then tweaks UAC (User Account Control) prompts and registry settings so it can silently make system‑level changes and persist across reboots.

At the end of the infection chain, an unsigned MSI (Microsoft Installer) sets up remote‑access software and other payloads, giving the attacker ongoing, hands‑on access to the machine and data.

How to stay safe

For home users and small businesses, there are some practical steps to stay safe:

  • Do not open unsolicited attachments until you have verified with a trusted source that they are safe.
  • Turn on View File name extensions in Explorer so that a file claiming to be a picture but ending in .vbs or .msi can be identified as such.
  • Use an up-to-date real-time anti-malware solution to stop unwanted connections and identify malicious files.
  • Download software only from the vendor’s official site and check that installers are signed.
  • Don’t ignore warning signs. Unexpected UAC prompts, new software suddenly appearing, or your machine becoming sluggish after opening a WhatsApp attachment are all reasons to run an anti-malware scan and, if needed, to restore from a clean backup.
  • Keep Windows and all other applications current to prevent attackers from exploiting known vulnerabilities.


*** This is a Security Bloggers Network syndicated blog from Malwarebytes authored by Malwarebytes. Read the original post at: https://www.malwarebytes.com/blog/news/2026/04/whatsapp-on-windows-users-targeted-in-new-campaign-warns-microsoft


Article source: https://securityboulevard.com/2026/04/whatsapp-on-windows-users-targeted-in-new-campaign-warns-microsoft/