WhatsApp VBScript Campaign Delivers ManageEngine RMM Tool via Fake Documents
What Happened — Threat actors are sending WhatsApp direct messages that contain malicious VBScript files masquerading as legitimate documents. When executed, the script silently installs the legitimate ManageEngine Remote Monitoring and Management (RMM) product, which can then be leveraged for espionage or ransomware deployment. The campaign, uncovered by Kaspersky, is active on WhatsApp Desktop and WhatsApp Web and targets users in Malaysia, Brazil, India, Mexico, Singapore, the U.K., Spain, Taiwan and Australia.
Why It Matters for Compliance & Audit Readiness
- The scenario tests the effectiveness of SOC 2 Access Control (CC6.1) and Security Awareness Training requirements – controls that must demonstrate that users cannot be tricked into executing unapproved code.
- Continuous evidence of policy enforcement (e.g., script‑blocking, RMM usage monitoring) is essential to prove due diligence during a SOC 2 audit.
- A breach stemming from this vector would expose gaps in incident‑response documentation and audit trails, undermining the “defensible audit” principle.
Who Is Affected — Enterprises that allow WhatsApp Web/Desktop for business communication, Managed Service Providers (MSPs) deploying RMM tools, and any organization with remote‑work policies that rely on employee‑installed software.
Recommended Actions
- Enforce application‑allow‑list policies that block execution of VBScript and other legacy script engines on corporate endpoints.
- Update security awareness curricula to include “WhatsApp‑based phishing” scenarios and simulate them regularly.
- Deploy endpoint detection that flags unauthorized installation of RMM binaries (e.g., ManageEngine).
- Log all RMM deployment events and retain them as audit evidence for SOC 2 control CC6.1.
Source: The Hacker News
Technical Notes — Attack vector: phishing via WhatsApp messages; payload: VBScript that runs msiexec to install ManageEngine RMM; no CVE disclosed; data types targeted are credentials and system access. Source: same as above