HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

WhatsApp‑Delivered VBScript Campaign Installs Remote Monitoring Software Across Multiple Countries

Kaspersky reports a VBScript campaign spread through WhatsApp messages that installs legitimate Remote Monitoring and Management software on victims in at least ten countries. The incident underscores the importance of SOC 2‑aligned security‑awareness training and script‑execution policies for audit readiness.

LiveThreat™ Intelligence · 📅 June 22, 2026· 📰 securelist.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
4 recommended
📰
Source
securelist.com

WhatsApp‑Delivered VBScript Campaign Installs Remote Monitoring Software Across Multiple Countries

What Happened – In June 2026 Kaspersky observed a malicious VBScript campaign spread through direct WhatsApp messages (Desktop and Web). The script, disguised with financial‑themed filenames, executes a multi‑stage chain that modifies UAC settings, downloads a ZIP file, and installs legitimate Remote Monitoring and Management (RMM) software, giving the attacker remote control of the victim’s system. The campaign has been seen in at least ten countries, with Malaysia reporting the highest number of victims.

Why It Matters for Compliance & Audit Readiness

- SOC 2 CC6.1 (Security) requires documented controls over user access and execution of untrusted code; this incident shows the risk when those controls are missing or not enforced.

- Continuous‑compliance programs must capture evidence of security‑awareness training and policy enforcement to demonstrate due diligence during an audit.

- Evidence of compromised third‑party accounts (WhatsApp) highlights the need for vendor‑access monitoring as part of a broader security‑awareness framework.

Who Is Affected – The campaign targets any end‑user of WhatsApp Desktop/Web, but the use of invoice‑style filenames suggests a focus on finance‑related personnel, small‑to‑medium enterprises, and SaaS users in regions including Malaysia, Brazil, India, Mexico, Singapore, the UK, Spain, Taiwan, Australia, Russia, and Vietnam.

Recommended Actions

- Update and enforce a policy that blocks execution of script files (e.g., *.vbs) from messaging platforms.

- Conduct targeted security‑awareness training that covers social‑engineering via instant‑messaging apps and the dangers of opening unexpected attachments.

- Enable application‑control solutions (e.g., Windows AppLocker or endpoint‑detection‑and‑response) to prevent unauthorized RMM installations.

- Monitor for anomalous RMM binaries and unusual UAC changes as part of continuous control monitoring.

Source: SecureList – WhatsApp VBS RMM Campaign

Technical Notes – The attack vector is a malicious VBScript delivered via WhatsApp messages (phishing). The script modifies UAC configuration, downloads a ZIP archive, and runs a secondary script that installs legitimate RMM software. No specific CVE is cited; the payload leverages native Windows scripting capabilities. Source: same as above

📰 Original Source
https://securelist.com/whatsapp-vbs-rmm-campaign/120290/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Security Awareness

Phishing and social engineering are a people-and-policy problem.

The Verisq AI Trust Operations platform pairs Security Awareness Training with policy adoption tracking, so human-risk controls are documented and audit-ready.

Explore the Verisq AI Trust Operations platform →