HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

WhatsApp Phishing Campaign Deploys VBS Malware to Install ManageEngine Remote Admin Tool Across Multiple Countries

A Kaspersky‑tracked campaign is using compromised WhatsApp accounts to send malicious VBScript files masquerading as business documents. When opened on Windows, the script disables UAC and installs ManageEngine Endpoint Central, granting attackers remote control. The incident underscores the need for robust security awareness training and endpoint protection in SOC 2‑aligned programs.

LiveThreat™ Intelligence · 📅 June 23, 2026· 📰 bleepingcomputer.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
4 recommended
📰
Source
bleepingcomputer.com

WhatsApp Phishing Campaign Deploys VBS Malware to Install ManageEngine Remote‑Admin Tool Across Multiple Countries

What Happened — Threat researchers at Kaspersky have observed a coordinated campaign that compromises WhatsApp accounts and uses them to send VBScript files disguised as business or financial documents. When a victim opens the file on a Windows PC, the script disables UAC, fetches additional payloads and silently installs ManageEngine Endpoint Central, giving the attacker remote administration rights.

Why It Matters for Compliance & Audit Readiness

  • SOC 2 Access Control (CC6.1) requires documented user‑awareness training that covers phishing vectors, including non‑email channels such as messaging apps.
  • Continuous‑compliance programs must retain evidence that security‑awareness policies are tested and updated, providing a defensible audit trail.
  • Endpoint‑configuration controls (e.g., application whitelisting, UAC enforcement) are part of the Change Management and System Operations criteria; gaps here can be flagged during a SOC 2 audit.

Who Is Affected – Enterprises with remote workforces in technology, finance, professional services, and any sector where employees rely on WhatsApp for quick communication.

Recommended Actions

  • Expand your security‑awareness curriculum to include WhatsApp‑based phishing scenarios and conduct regular simulated attacks.
  • Enforce application‑control policies that block execution of VBS/WScript files from untrusted locations.
  • Deploy endpoint detection and response (EDR) capable of flagging unauthorized installations of remote‑admin tools.
  • Verify that UAC and registry hardening settings are enforced through configuration‑management tooling and are auditable.

Technical Notes – The attack chain starts with a compromised WhatsApp account delivering an obfuscated VBS file (named as invoices, billing statements, etc.). The script disables UAC via registry edits, downloads a ZIP containing ManageEngine Endpoint Central, and configures it to connect to attacker‑controlled servers. The campaign has been observed in Brazil, India, Mexico, Singapore, the UK, Spain, Taiwan, Australia, Russia, Vietnam, and Malaysia. Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/whatsapp-phishing-attack-uses-fake-business-docs-to-hack-pcs/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Security Awareness

Phishing and social engineering are a people-and-policy problem.

The Verisq AI Trust Operations platform pairs Security Awareness Training with policy adoption tracking, so human-risk controls are documented and audit-ready.

Explore the Verisq AI Trust Operations platform →