{"id":37537,"date":"2026-06-25T15:02:36","date_gmt":"2026-06-25T07:02:36","guid":{"rendered":"https:\/\/www.techbeatph.com\/wproot\/?p=37537"},"modified":"2026-06-25T15:02:47","modified_gmt":"2026-06-25T07:02:47","slug":"kaspersky-whatsapp-malware-desktop-campaign","status":"publish","type":"post","link":"https:\/\/www.techbeatph.com\/wproot\/kaspersky-whatsapp-malware-desktop-campaign\/","title":{"rendered":"Kaspersky Warns of WhatsApp Malware Campaign Targeting Desktop Users Across Multiple Countries"},"content":{"rendered":"<p>WhatsApp users are facing a new malware threat after cybersecurity firm <a href=\"https:\/\/www.kaspersky.com\/\">Kaspersky<\/a> uncovered a large-scale campaign that uses compromised accounts to distribute malicious files disguised as business documents.<\/p>\n<p>The campaign, discovered in June 2026 by <a href=\"https:\/\/www.techbeatph.com\/wproot\/kaspersky-ai-malware-attacks-2026-report\/\">Kaspersky\u2019s<\/a> Global Research and Analysis Team (GReAT), primarily targets users of WhatsApp Desktop and WhatsApp Web. Researchers identified victims across several countries, including Malaysia, Brazil, Singapore, Taiwan, and Vietnam, with Malaysia recording the highest number of observed infections.<\/p>\n<h4>Compromised WhatsApp Accounts Used to Spread Malware<\/h4>\n<p>According to <a href=\"https:\/\/www.techbeatph.com\/wproot\/kaspersky-password-security-study-2026\/\">Kaspersky<\/a>, attackers gain access to existing WhatsApp accounts and use them to send malicious attachments directly to contacts.<\/p>\n<p>Because the messages originate from familiar contacts, recipients are more likely to trust and open the files. The campaign relies heavily on social engineering, disguising malicious VBScript files as routine business documents to avoid suspicion.<\/p>\n<p>Researchers observed filenames masquerading as invoices, bank statements, account statements, payment records, and debt notices. To broaden the campaign\u2019s reach, the attackers also localized filenames into multiple languages, including English, Portuguese, French, German, and Malay.<\/p>\n<p>The use of trusted accounts combined with region-specific lures highlights how cybercriminals continue to adapt phishing and malware distribution tactics to increase credibility and improve the likelihood of successful infections across different markets.<\/p>\n<h4>Malware Disguised as Legitimate Windows Components<\/h4>\n<p><a href=\"https:\/\/www.techbeatph.com\/wproot\/kaspersky-compromised-credential-theft\/\">Kaspersky<\/a> noted that the malicious VBScript files contain extensive comments and metadata designed to resemble legitimate Microsoft Windows Update components.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-37538\" src=\"http:\/\/www.techbeatph.com\/wproot\/wp-content\/uploads\/2026\/06\/picture1-q93-1024x497.webp\" alt=\"\" width=\"640\" height=\"311\" srcset=\"https:\/\/www.techbeatph.com\/wproot\/wp-content\/uploads\/2026\/06\/picture1-q93-1024x497.webp 1024w, https:\/\/www.techbeatph.com\/wproot\/wp-content\/uploads\/2026\/06\/picture1-q93-300x146.webp 300w, https:\/\/www.techbeatph.com\/wproot\/wp-content\/uploads\/2026\/06\/picture1-q93-768x373.webp 768w, https:\/\/www.techbeatph.com\/wproot\/wp-content\/uploads\/2026\/06\/picture1-q93-1536x746.webp 1536w, https:\/\/www.techbeatph.com\/wproot\/wp-content\/uploads\/2026\/06\/picture1-q93.webp 1600w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/p>\n<p>Once opened, the attachment launches a multi-stage infection chain. The script creates a working directory on the victim\u2019s computer and downloads additional files from attacker-controlled infrastructure. These files then execute through Windows Script Host and retrieve a compressed archive containing remote monitoring and management software.<\/p>\n<p>While such tools are commonly used for legitimate IT administration, threat actors can abuse them to gain unauthorized remote access to compromised systems.<\/p>\n<h4>Multi-Stage Attack Enables Remote Access<\/h4>\n<p>The infection process follows several steps designed to avoid detection while establishing persistent access to the victim\u2019s system.<\/p>\n<p>Once the malicious file is executed, the malware creates a working folder on the device, downloads additional scripts from external servers, and launches follow-up payloads through Windows Script Host. It then retrieves a compressed archive and installs remote monitoring and management software, ultimately giving attackers the potential to control the compromised system remotely.<\/p>\n<p>According to Kaspersky, the campaign combines technical malware delivery with social engineering tactics. Fareed Radzi said the attackers exploit trust within messaging platforms by leveraging compromised WhatsApp accounts and familiar contacts, increasing the likelihood that recipients will interact with malicious files.<\/p>\n<p>The campaign highlights how threat actors are increasingly pairing trusted communication channels with malware distribution techniques, making user awareness and caution just as important as technical security defenses.<\/p>\n<h4>Why the Campaign Matters<\/h4>\n<p>The discovery highlights a growing trend in cybercrime where attackers increasingly use messaging platforms rather than traditional email phishing campaigns.<\/p>\n<p>By leveraging compromised WhatsApp accounts, threat actors bypass some of the skepticism users typically apply to unsolicited messages. The approach also allows malware operators to reach targets through trusted communication channels.<\/p>\n<p>The campaign further demonstrates how attackers continue to adapt social engineering tactics for regional audiences through localized filenames and language-specific lures.<\/p>\n<h4>Kaspersky&#8217;s Security Recommendations<\/h4>\n<p>To reduce the risk of infection, Kaspersky recommends that users remain cautious when receiving unexpected attachments, even if they appear to come from known contacts.<\/p>\n<p>The company advises verifying files before opening them and avoiding script or executable file types unless their legitimacy has been confirmed. Users should be particularly wary of attachments with extensions such as .vbs, .vbe, .exe, .bat, .cmd, .js, and .ps1, as these can be used to execute malicious code.<\/p>\n<p>Kaspersky also recommends using up-to-date security software capable of detecting and blocking suspicious activity before it can compromise a device.<\/p>\n<p>As cybercriminals increasingly weaponize trusted messaging platforms such as WhatsApp, security experts emphasize that user vigilance remains one of the most effective defenses against malware campaigns distributed through social networks, messaging services, and other digital communication channels.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>WhatsApp users are facing a new malware threat after cybersecurity firm Kaspersky uncovered a large-scale campaign that uses compromised accounts to distribute malicious files disguised as business documents. The campaign, discovered in June 2026 by Kaspersky\u2019s Global Research and Analysis Team (GReAT), primarily targets users of WhatsApp Desktop and WhatsApp Web. Researchers identified victims across&#8230;<\/p>\n","protected":false},"author":119,"featured_media":35713,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"footnotes":""},"categories":[23199,23634],"tags":[5770,23200,28195,28193,28191,28192,28190,28189,28188,28194],"class_list":["post-37537","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","category-technology","tag-cybersecurity","tag-kaspersky","tag-kaspersky-great","tag-malware-campaign","tag-remote-access-malware","tag-social-engineering","tag-vbscript-malware","tag-whatsapp-desktop","tag-whatsapp-malware","tag-windows-security"],"_links":{"self":[{"href":"https:\/\/www.techbeatph.com\/wproot\/wp-json\/wp\/v2\/posts\/37537","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.techbeatph.com\/wproot\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.techbeatph.com\/wproot\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.techbeatph.com\/wproot\/wp-json\/wp\/v2\/users\/119"}],"replies":[{"embeddable":true,"href":"https:\/\/www.techbeatph.com\/wproot\/wp-json\/wp\/v2\/comments?post=37537"}],"version-history":[{"count":1,"href":"https:\/\/www.techbeatph.com\/wproot\/wp-json\/wp\/v2\/posts\/37537\/revisions"}],"predecessor-version":[{"id":37539,"href":"https:\/\/www.techbeatph.com\/wproot\/wp-json\/wp\/v2\/posts\/37537\/revisions\/37539"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.techbeatph.com\/wproot\/wp-json\/wp\/v2\/media\/35713"}],"wp:attachment":[{"href":"https:\/\/www.techbeatph.com\/wproot\/wp-json\/wp\/v2\/media?parent=37537"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.techbeatph.com\/wproot\/wp-json\/wp\/v2\/categories?post=37537"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.techbeatph.com\/wproot\/wp-json\/wp\/v2\/tags?post=37537"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}