Microsoft Warns of WhatsApp-Delivered VBS Malware Hijacking Windows via UAC Bypass
TL;DR
Microsoft has identified a sophisticated malware campaign active since February 2026 that uses WhatsApp to distribute malicious VBS files. The attack chain utilizes "living-off-the-land" techniques, renamed Windows utilities, and cloud-hosted payloads to bypass User Account Control (UAC) and install remote access tools like AnyDesk.
The Microsoft Defender Security Research Team has issued a warning regarding a new, highly tactical campaign that leverages the popularity of WhatsApp to compromise Windows environments. Starting in late February 2026, researchers began tracking a multi-stage infection chain that begins with a simple script and ends with attackers gaining full remote control over victim systems.
Initial Access via WhatsApp
The attack begins when a user receives a malicious Visual Basic Script (VBS) file via a WhatsApp message. While the specific social engineering lures used to convince users to run the file remain unknown, the execution of this script kicks off a complex sequence designed to evade detection.
Upon execution, the VBS file creates hidden folders within C:\ProgramData. To blend into legitimate system activity, the malware drops renamed versions of standard Windows utilities:
- curl.exe is renamed to netapi.dll
- bitsadmin.exe is renamed to sc.exe
By renaming these "living-off-the-land" binaries, the threat actors can execute network commands and download further payloads without immediately triggering detections keyed on the file names of those specific tools.
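As an added example (not code from the article or from Microsoft's report), the PowerShell script below sweeps a directory for the two signs of renaming described above: a file whose version resource still carries the original utility name (a copy of curl.exe saved as netapi.dll still says "curl.exe" inside), and a file named *.dll whose PE header lacks the IMAGE_FILE_DLL flag, i.e. an .exe wearing a .dll name. The default root, the watch list and the output format are assumptions for this example, not indicators published in the report.

```powershell
# Added example, not code from the article or from Microsoft's report.
# Sweeps a directory (default C:\ProgramData, where the report says the script drops
# its files) for Windows utilities that have been copied under a different name.
# The watch list and paths below are assumptions for this example.

param(
    [string]$Root = 'C:\ProgramData',
    # Hypothetical watch list: the two utilities the article names, plus another
    # download-capable built-in worth noticing when it shows up under a new name.
    [string[]]$WatchList = @('curl.exe', 'bitsadmin.exe', 'certutil.exe')
)

function Test-PeIsDll {
    # Returns $true if the PE file has the IMAGE_FILE_DLL characteristic (0x2000),
    # $false if it is a PE without it (an EXE), $null if the file is not a PE at all.
    param([string]$Path)
    try {
        $fs = [IO.File]::OpenRead($Path)
        try {
            $br = New-Object IO.BinaryReader($fs)
            if ($fs.Length -lt 0x40) { return $null }
            if ($br.ReadUInt16() -ne 0x5A4D) { return $null }          # 'MZ'
            $fs.Position = 0x3C
            $peOffset = $br.ReadUInt32()                                # e_lfanew
            if ($peOffset + 24 -gt $fs.Length) { return $null }
            $fs.Position = $peOffset
            if ($br.ReadUInt32() -ne 0x4550) { return $null }          # 'PE\0\0'
            # IMAGE_FILE_HEADER.Characteristics sits 18 bytes into the file header,
            # which itself follows the 4-byte PE signature.
            $fs.Position = $peOffset + 4 + 18
            $characteristics = $br.ReadUInt16()
            return [bool]($characteristics -band 0x2000)
        } finally { $fs.Dispose() }
    } catch { return $null }
}

function Get-RenamedUtilities {
    param([string]$Path, [string[]]$Names)

    # -Force includes the hidden folders the report describes.
    Get-ChildItem -Path $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
      ForEach-Object {
        $file = $_
        $reasons = @()

        # Signal 1: the version resource names a watch-listed utility, but the
        # file on disk is called something else.
        $original = $file.VersionInfo.OriginalFilename
        if ($original -and $original -ne $file.Name -and ($Names -contains $original)) {
            $reasons += "version resource says '$original'"
        }

        # Signal 2: a .dll that is really an EXE image (no IMAGE_FILE_DLL flag).
        if ($file.Extension -eq '.dll') {
            $isDll = Test-PeIsDll -Path $file.FullName
            if ($null -ne $isDll -and -not $isDll) {
                $reasons += 'PE header is an EXE, not a DLL'
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Path    = $file.FullName
                Hidden  = [bool]($file.Attributes -band [IO.FileAttributes]::Hidden)
                Signer  = (Get-AuthenticodeSignature -FilePath $file.FullName).Status
                Reasons = ($reasons -join '; ')
            }
        }
      }
}

$findings = @(Get-RenamedUtilities -Path $Root -Names $WatchList)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No renamed watch-listed utilities found under $Root"
}
```

Run it from an elevated prompt so hidden and ACL-restricted folders are readable. A valid Microsoft signature on a flagged file is not exonerating: the binary is a genuine Windows utility, and the finding is where it sits and what it is called, which is exactly the renaming technique the article describes.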
Exploiting the Cloud for Persistence
Once the initial foothold is established, the renamed binaries are used to fetch secondary payloads from trusted cloud storage providers, including:
- Amazon Web Services (AWS) S3
- Tencent Cloud
- Backblaze B2
Microsoft researchers noted that using legitimate cloud services makes the malicious traffic appear routine, increasing the likelihood of a successful infection. These secondary VBS files and malicious Microsoft Installer (MSI) packages are responsible for establishing long-term persistence on the host.
UAC Bypass and Privilege Escalation
The most critical stage of the attack involves tampering with Windows security settings. According to Microsoft, the malware attempts to weaken system defenses by targeting User Account Control (UAC).
The malware utilizes a combination of registry manipulation and constant elevation attempts to bypass UAC prompts. It continuously tries to launch cmd.exe with elevated privileges, modifying registry entries under HKLM\Software\Microsoft\Win. These actions allow the attackers to escalate their privileges without any direct user interaction.
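The following PowerShell script is an added example, not code from the article or from Microsoft's report. It performs two defender-side checks on a host that correspond to the UAC stage described above: it compares the UAC policy values under HKLM with Windows' documented defaults and reports any that have been weakened, and it counts recent launches of cmd.exe with a full (elevated) token, the pattern the report attributes to the malware's repeated elevation attempts. The registry path and value names are the standard UAC policy settings (the article only gives a truncated path), the second check needs process-creation auditing (Security event 4688) enabled, and the 24-hour window and threshold are arbitrary assumptions.

```powershell
# Added example, not code from the article or from Microsoft's report.
# Check 1: UAC policy values vs. Windows defaults.  Check 2: bursts of elevated
# cmd.exe launches in the Security log.  Path, value names, window and threshold
# are assumptions for this example.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Test-UacPolicy {
    param([string]$Key = $UacKey)

    $props = Get-ItemProperty -Path $Key -ErrorAction Stop
    # Name, Windows default, and the predicate that marks the value as weakened.
    $checks = @(
        @{ Name = 'EnableLUA';                  Default = 1; Weak = { param($v) $v -ne 1 }
           Note = '0 turns UAC off entirely' },
        @{ Name = 'ConsentPromptBehaviorAdmin'; Default = 5; Weak = { param($v) $v -eq 0 }
           Note = '0 elevates administrators without any prompt' },
        @{ Name = 'PromptOnSecureDesktop';      Default = 1; Weak = { param($v) $v -ne 1 }
           Note = '0 shows the prompt on the user desktop instead of the secure desktop' }
    )

    foreach ($c in $checks) {
        $value = $props.($c.Name)
        # An absent value means Windows applies the default.
        if ($null -eq $value) { $value = $c.Default }
        [pscustomobject]@{
            Setting  = $c.Name
            Value    = $value
            Default  = $c.Default
            Weakened = [bool](& $c.Weak $value)
            Note     = $c.Note
        }
    }
}

function Get-ElevatedCmdLaunches {
    # Requires "Audit Process Creation" (event 4688) and rights to read the Security log.
    param([int]$Hours = 24)

    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read the named fields from the event XML rather than parsing the message text.
        $xml = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # %%1937 is TokenElevationTypeFull: the new process received a full admin token.
        if ($data['NewProcessName'] -like '*\cmd.exe' -and $data['TokenElevationType'] -eq '%%1937') {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                User   = $data['SubjectUserName']
                Parent = $data['ParentProcessName']
            }
        }
    }
}

$policy = Test-UacPolicy
$policy | Format-Table -AutoSize
$weak = @($policy | Where-Object Weakened)
if ($weak.Count -gt 0) { Write-Warning "UAC policy weakened: $($weak.Setting -join ', ')" }

$launches = @(Get-ElevatedCmdLaunches -Hours 24)
# Many elevated cmd.exe launches from one parent in a short window is the signal;
# the threshold of 10 is arbitrary and should be tuned to the host's normal activity.
$launches | Group-Object Parent | Where-Object Count -ge 10 | ForEach-Object {
    Write-Warning "$($_.Count) elevated cmd.exe launches from $($_.Name) in the last 24h"
}
```

The policy check is worth scheduling and diffing against a baseline, since a change to EnableLUA or ConsentPromptBehaviorAdmin is rarely legitimate on a managed workstation. Note that event 4688 records processes that actually started: an elevation attempt the user declined at the UAC prompt produces no elevated cmd.exe and will not appear in the second check.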
The End Goal: Remote Access and Data Exfiltration
With elevated permissions secured, the attackers deploy unsigned MSI installers. These packages often contain legitimate remote management tools, such as AnyDesk.
By installing legitimate tools for malicious purposes, the threat actors ensure they have a persistent doorway into the victim's system. From this vantage point, they can:
- Exfiltrate sensitive data.
- Deploy additional malware.
- Monitor user activity.
"This campaign demonstrates a sophisticated infection chain combining social engineering, stealth techniques, and cloud-based payload hosting," Microsoft stated.
Conclusion
This campaign highlights a growing trend where attackers move away from custom-built malware in favor of "living-off-the-land" techniques and reputable cloud infrastructure. By abusing WhatsApp for delivery and renaming trusted Windows utilities, the threat actors significantly lower the barrier for a successful breach. Users are advised to remain vigilant regarding unsolicited files received via messaging apps and to monitor for unauthorized modifications to UAC settings.
Source: https://thehackernews.com/2026/04/microsoft-warns-of-whatsapp-delivered.html