WhatsApp Account Hijack Enables Malware Distribution of Remote Management Tools Across 12 Countries
What Happened — Kaspersky’s June 2026 analysis uncovered an active campaign that compromises WhatsApp accounts, uses the contacts list to deliver malicious VBScript files, and silently installs legitimate Remote Monitoring and Management (RMM) software on victims’ PCs. The campaign has been observed in Malaysia, Brazil, India, Mexico, Singapore, the UK, Spain, Taiwan, Australia, Russia, Vietnam and elsewhere.
Why It Matters for Compliance & Audit Readiness
- The attack exploits a lack of access‑control monitoring on personal messaging apps that are increasingly used for business communication – a gap SOC 2 Control CC6.1 (Logical Access) expects organizations to detect and log privileged account misuse.
- Successful RMM installation creates a persistent remote‑access channel, directly challenging the Security Incident Management criteria (CC7.1) and the need for continuous evidence of remediation.
- Demonstrating that you have Security Awareness Training and account‑takeover detection in place provides audit‑ready proof that the organization mitigates social‑engineering vectors that bypass technical controls.
Who Is Affected — Individuals and enterprises that rely on WhatsApp for internal or client communications, spanning sectors such as finance, professional services, retail, and technology across the listed regions.
Recommended Actions
- Review and tighten logical‑access policies for any corporate‑owned WhatsApp numbers; enforce MFA where possible.
- Deploy endpoint detection that flags unknown RMM binaries and monitors registry changes to UAC settings.
- Update security awareness curricula to include “messaging‑app account takeover” scenarios and simulate phishing via WhatsApp.
- Capture logs of account‑login anomalies and retain them as SOC 2 evidence of continuous monitoring.
Technical Notes – The VBScript payload creates a hidden directory under C:\Users\Public\Documents\, downloads additional obfuscated scripts, disables UAC via registry edits, and finally installs a legitimate RMM tool. File names are localized (e.g., “Statement of Debt(30K).vbs”) to increase credibility. The initial WhatsApp account compromise method remains undisclosed. Source: SecurityAffairs