Overview
- Kaspersky’s technical analysis published June 22–23 found an active campaign that uses compromised WhatsApp accounts to send heavily obfuscated .vbs files to contacts.
- When a victim opens the file, the script runs a three-stage chain: it disables Windows UAC, downloads a ZIP containing ManageEngine Endpoint Central, and silently installs and configures the agent to connect to attacker-controlled management servers.
- The messages use localized file names that mimic business documents and arrive from known contacts to exploit trust, with telemetry showing victims across multiple countries and roughly 80% of confirmed infections in Malaysia.
- Researchers observed one server IP (202.61.160.201) previously linked to ValleyRAT/Gh0st RAT activity but said the overlap is low-confidence and does not provide firm attribution.
- Kaspersky and reporting outlets advise users not to open unexpected script or executable attachments, to verify files with senders by a separate channel, to scan downloads with updated antivirus, and to keep UAC and least-privilege practices in place.
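The three stages above each leave a distinct host signal a defender can alert on: a script host running a .vbs from a download folder, the EnableLUA registry value being set to 0, and a ManageEngine agent talking to a server that is not the organisation's own. The following detection sketch is an added example, not Kaspersky's code; the event field names, the agent binary path and the sample telemetry are constructed assumptions, and the approved-server list is something each deployment supplies itself.

```python
from typing import Dict, Iterable, List, Set

# Constructed sample telemetry in a simplified EDR/Sysmon-like shape (not real logs).
# The ManageEngine image path is a placeholder, not the product's actual install path.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\Invoice_Q2.vbs"'},
    {"type": "registry",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "value": "0"},
    {"type": "network", "image": r"C:\Program Files\ManageEngine\agent.exe",
     "dest": "202.61.160.201"},   # IP named in the analysis; treated here as unapproved
    {"type": "network", "image": r"C:\Program Files\ManageEngine\agent.exe",
     "dest": "10.0.0.5"},         # constructed: the organisation's own server
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
UAC_KEY = r"hklm\software\microsoft\windows\currentversion\policies\system\enablelua"


def detect(events: Iterable[Dict[str, str]], allowed_servers: Set[str]) -> List[str]:
    """Return one finding per event that matches a stage of the described chain."""
    findings: List[str] = []
    for ev in events:
        kind = ev.get("type")
        if kind == "process":
            image = ev.get("image", "").lower()
            cmd = ev.get("cmdline", "").lower()
            # Stage 1: a script host executing a .vbs that sits under a Downloads folder.
            if image.endswith(SCRIPT_HOSTS) and ".vbs" in cmd and "\\downloads\\" in cmd:
                findings.append("stage1: script host ran a .vbs from a Downloads folder")
        elif kind == "registry":
            # Stage 2: UAC switched off by writing EnableLUA = 0.
            if ev.get("key", "").lower() == UAC_KEY and ev.get("value") == "0":
                findings.append("stage2: UAC disabled via EnableLUA=0")
        elif kind == "network":
            # Stage 3: the RMM agent contacting a management server not on the allowlist.
            dest = ev.get("dest", "")
            if "manageengine" in ev.get("image", "").lower() and dest not in allowed_servers:
                findings.append(f"stage3: RMM agent connected to unapproved server {dest}")
    return findings


def chain_detected(findings: List[str]) -> bool:
    """True when at least two distinct stages fired, which is the point to escalate."""
    return len({f.split(":", 1)[0] for f in findings}) >= 2


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS, {"10.0.0.5"})
    print("\n".join(hits), "\nchain:", chain_detected(hits))
```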