Why This WhatsApp Phishing Attack Exploits Trust
Here's the thing about trust: it's a hell of a vulnerability. We've been told for years to watch out for suspicious emails from unknown senders, but what happens when the malicious link comes from your colleague, your friend, or even your family? That's the core problem with the ongoing WhatsApp phishing attack that's been hitting users hard, especially in places like Malaysia, Brazil, and India. It's not just a technical attack; it's a social engineering masterclass that weaponizes your existing relationships.
The mainstream narrative focuses on the malware itself, but I think we need to talk about why people are still falling for this WhatsApp phishing attack. It's because the attackers aren't just sending random spam; they're compromising accounts first, then using those trusted connections to deliver the payload. That changes the whole dynamic.
How a "Financial Report" Becomes Remote Access
What we're seeing, as detailed by Kaspersky and Security Affairs, is a pretty slick operation that started picking up steam and is still active as of today, June 23, 2026. Attackers are getting into WhatsApp accounts – the exact method for that initial compromise is still unknown, which is a concern in itself. Once they're in, they send messages from the compromised account to the victim's contacts.
These messages are simple: just a file attachment, often with no accompanying text. The filenames are crafted to look like legitimate business or financial documents. Think "Statement of Debt(30K).vbs" or "Outstanding Payment List.vbs," localized into languages like Portuguese, French, German, and Malay. (I've seen similar tactics used in email campaigns for years, but WhatsApp adds a layer of perceived intimacy.)
Here's the attack chain once you open that VBScript file on a Windows PC, a common vector in this WhatsApp phishing attack:
- Initial Execution: You download and open the .vbs file. If you're using WhatsApp Desktop, it can execute directly via Windows Script Host (wscript.exe). On WhatsApp Web, you'd have to manually download it first.
- Staging: The VBScript creates a hidden working directory, usually C:\Users\Public\Documents\, and then fetches two more heavily obfuscated scripts from the attacker's servers. These scripts are a mess of randomized variable names, string concatenation, and junk content, sometimes even with fake Chinese Windows Update comments embedded. That's a clear sign of an attempt to make analysis harder.
- UAC Bypass: One of those downloaded scripts goes straight for User Account Control (UAC). It modifies Registry keys to disable UAC protections. It's not a one-shot deal; it runs in a loop with short delays, making sure that critical security barrier is down.
- Payload Delivery: The other script downloads a ZIP archive. This archive isn't some custom, zero-day malware. It's a pre-configured deployment package for a legitimate Remote Monitoring and Management (RMM) tool: ManageEngine Endpoint Central.
- Remote Access: ManageEngine Endpoint Central gets installed silently in the background. The key here is "pre-configured." It's set up to connect back to attacker-controlled management servers. This gives the attackers full remote administration access to your computer.
It's a classic move: use legitimate tools for illegitimate purposes. It helps them blend in, and it often bypasses traditional antivirus that might flag custom malware. Kaspersky's telemetry shows this hitting Brazil, India, Mexico, Singapore, UK, Spain, Taiwan, Australia, Russia, Vietnam, and Malaysia, with a staggering 80% of confirmed victims in Malaysia.
The Real Cost of a Click
The practical impact is straightforward: if you open that file, your PC is no longer yours. Attackers have remote administration access. They can steal data, install more malware, use your machine for further attacks, or simply monitor your activity. This isn't some theoretical risk; it's a full system compromise.
What makes this WhatsApp phishing attack particularly insidious is the social engineering aspect. People are conditioned to trust messages from their contacts. When a file named "Outstanding Payment List.vbs" comes from a known business contact, the immediate thought isn't "malware," it's "I need to see this." This is where the "social problem before it is a security problem" sentiment I've seen on Reddit and Hacker News really hits home. Users are interacting with what appears to be a legitimate request from a trusted source.
The technical details, like the UAC bypass and the use of ManageEngine Endpoint Central, are important, but they're secondary to the initial compromise of trust in this WhatsApp phishing attack. The fact that WhatsApp Desktop can directly execute VBScript files via Windows Script Host also lowers the bar for entry compared to WhatsApp Web, which requires a manual download.
What We Do About It
Attribution is still low confidence, though Kaspersky did find some simplified Chinese comments in the scripts and infrastructure overlap with IPs previously linked to ValleyRAT and Gh0st RAT activity. That's a lead, but not a smoking gun.
So, what do we do?
First, assume compromise. If a message with an attachment, especially a script or executable file type (.vbs, .exe, .bat, .cmd, .js, .ps1), comes from anyone on WhatsApp, even a trusted contact, treat it with extreme suspicion, especially in light of this WhatsApp phishing attack.
Second, verify out-of-band. Before you open anything, call or text the sender through a different channel (not WhatsApp) to confirm they actually sent it. A quick phone call can save you a world of pain. (I know it sounds like a hassle, but it's a non-negotiable step now.)
Third, educate your users and yourself. This isn't just about "don't click." It's about understanding the psychology of these attacks. Explain why a trusted contact might send something malicious (because their account was compromised).
Fourth, technical controls still matter.
- Antivirus: Keep your antivirus up-to-date and scan all downloaded files before opening them.
- UAC: While attackers are bypassing it, UAC is still a layer of defense. Don't disable it manually.
- Application Whitelisting: For organizations, consider implementing application whitelisting to prevent unauthorized executables and scripts from running. This would stop the VBScript and the RMM tool cold.
- Endpoint Detection and Response (EDR): An EDR solution can detect the suspicious behavior of the VBScript fetching additional scripts, the UAC registry modifications, and the silent installation of RMM software, which is crucial for defending against this WhatsApp phishing attack.
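To make the EDR point concrete, here is an added example (my own code, not from Kaspersky's report or from the original post) of the kind of behavioural rule set a detection engineer would write for this chain. It runs over constructed Sysmon-style endpoint events and flags each stage described above: a script file written to disk by the messaging client, wscript.exe started from it, a drop into C:\Users\Public\Documents, an outbound connection from the script host, and a UAC policy value set to 0. Three or more hits on one host are reported as a chain. The event field names, file paths, host names, the 203.0.113.10 address and the specific UAC values (EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop under the real Policies\System key) are assumptions for this example; the article does not say which values the campaign modifies.

```python
"""Behavioural detection for the WhatsApp -> VBScript -> UAC-tamper -> RMM chain.

Example code only. Event shape and sample records are constructed for this
illustration; they are not taken from any vendor telemetry format.
"""
import json

# Script/executable types the article lists as high-risk attachments.
RISKY_EXTENSIONS = {".vbs", ".exe", ".bat", ".cmd", ".js", ".ps1"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Staging directory named in the article (compared case-insensitively).
STAGING_DIR = r"c:\users\public\documents"
# Real UAC policy location; which values the campaign touches is an assumption.
UAC_KEY = r"hklm\software\microsoft\windows\currentversion\policies\system"
UAC_VALUES = {"enablelua", "consentpromptbehavioradmin", "promptonsecuredesktop"}


def basename(path):
    """Last path component, lower-cased, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def extension(path):
    """Lower-cased extension including the dot, or '' if there is none."""
    name = basename(path)
    return name[name.rfind("."):] if "." in name else ""


def is_risky_attachment(event):
    """R1: the messaging client wrote a script/executable file to disk."""
    return (event["type"] == "FileCreate"
            and "whatsapp" in basename(event["image"])
            and extension(event["target"]) in RISKY_EXTENSIONS)


def is_script_from_messenger(event):
    """R2: a script host was started with the messaging client as parent."""
    return (event["type"] == "ProcessCreate"
            and basename(event["image"]) in SCRIPT_HOSTS
            and "whatsapp" in basename(event.get("parent", "")))


def is_staging_write(event):
    """R3: a script host dropped a file into the public staging directory."""
    return (event["type"] == "FileCreate"
            and basename(event["image"]) in SCRIPT_HOSTS
            and event["target"].lower().startswith(STAGING_DIR))


def is_script_download(event):
    """R4: a script host opened an outbound connection (second-stage fetch)."""
    return (event["type"] == "NetworkConnect"
            and basename(event["image"]) in SCRIPT_HOSTS)


def is_uac_tamper(event):
    """R5: a script host set a UAC policy value to 0."""
    if event["type"] != "RegistryValueSet":
        return False
    key, _, value = event["target"].lower().rpartition("\\")
    return (basename(event["image"]) in SCRIPT_HOSTS
            and key == UAC_KEY and value in UAC_VALUES
            and str(event.get("details", "")).strip() == "0")


RULES = {
    "R1_risky_attachment": is_risky_attachment,
    "R2_script_from_messenger": is_script_from_messenger,
    "R3_staging_write": is_staging_write,
    "R4_script_download": is_script_download,
    "R5_uac_tamper": is_uac_tamper,
}


def evaluate(lines, chain_threshold=3):
    """Apply every rule to each JSON event line; return findings per host."""
    findings = {}
    for line in lines:
        event = json.loads(line)
        hits = findings.setdefault(event["host"], set())
        for name, rule in RULES.items():
            if rule(event):
                hits.add(name)
    return {host: {"rules": sorted(hits), "chain": len(hits) >= chain_threshold}
            for host, hits in findings.items()}


# Constructed telemetry: one host showing the full chain, one host with
# benign activity (a browser saving a PDF).
WSCRIPT = r"C:\Windows\System32\wscript.exe"
WHATSAPP = r"C:\Users\alice\AppData\Local\WhatsApp\WhatsApp.exe"
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "FileCreate", "image": WHATSAPP,
     "target": r"C:\Users\alice\Downloads\Outstanding Payment List.vbs"},
    {"host": "WS01", "type": "ProcessCreate", "image": WSCRIPT, "parent": WHATSAPP,
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\Outstanding Payment List.vbs"'},
    {"host": "WS01", "type": "NetworkConnect", "image": WSCRIPT, "dest": "203.0.113.10:443"},
    {"host": "WS01", "type": "FileCreate", "image": WSCRIPT,
     "target": r"C:\Users\Public\Documents\stage2.vbs"},
    {"host": "WS01", "type": "RegistryValueSet", "image": WSCRIPT,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "details": "0"},
    {"host": "WS02", "type": "FileCreate",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "target": r"C:\Users\bob\Downloads\invoice.pdf"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for host, result in evaluate(SAMPLE_LINES).items():
        print(host, "CHAIN" if result["chain"] else "ok", result["rules"])
```

Each rule on its own is noisy (a script host making a network connection is common in managed environments), which is why the verdict is built on correlation per host rather than on any single event; the threshold is a tuning knob, and in a real deployment the events would come from the EDR or Sysmon pipeline rather than an inline list.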
This WhatsApp phishing attack shows that attackers are constantly adapting, moving to platforms where trust is high and users might let their guard down. The lesson here is clear: trust is a valuable asset, and in cybersecurity, it's often the first thing exploited. We can't afford to be complacent, no matter who the message comes from.