Indonesian Political, Business & Finance News

Warning Issued Over Malware-Spreading WhatsApp Messages

Source: CNBC | Translated from Indonesian | Technology

Jakarta, CNBC Indonesia - Users of WhatsApp Web and WhatsApp Desktop are being urged to remain vigilant after cybersecurity researchers discovered malware spreading through direct messages on the platform. Kaspersky’s Global Research and Analysis Team (GReAT) uncovered the cyberattack campaign in June 2026, in which perpetrators used hacked WhatsApp accounts to send dangerous VBScript files to the victims’ contacts.

Kaspersky has recorded victims in several countries and regions, including Malaysia, Brazil, Singapore, Taiwan, and Vietnam, with Malaysia having the highest number of identified cases. The use of multiple languages in the file names indicates that the attackers are also targeting users in various other regions, particularly Europe.

According to Kaspersky, the messages containing the malicious attachments were sent from contacts already known to the victim. This method increases the likelihood of the recipient opening the file, as they believe the message comes from a trusted source.

“In this scheme, the attacker exploits trust in messaging platforms by using compromised WhatsApp accounts to send malicious attachments that appear to come from known contacts, making recipients more likely to interact with them,” said Kaspersky GReAT Security Researcher Fareed Radzi in a written statement.

The perpetrators disguised the dangerous files as everyday business documents. Kaspersky found examples of file names resembling invoices, bank statements, account reports, payment records, and debt notices. Furthermore, the file names were crafted in various languages, including English, Portuguese, French, German, and Malay, to reach a broader range of targets. The VBScript samples also carried comments and metadata designed to mimic official Microsoft Windows Update components to avoid raising suspicion.

Fareed explained that once the file is opened, the malware initiates a multi-stage infection chain. The file silently downloads and executes additional malicious components from an external server controlled by the attackers.

“The file names are carefully disguised as routine business documents, such as invoices and payment notices, and localised in multiple languages to support broad targeting. Once opened, the file triggers a phased infection chain that stealthily retrieves and executes additional malicious components from external infrastructure,” he stated.

Kaspersky detailed that the initial stage of infection begins when the script creates a working directory in the C:folder. The malware then downloads an additional script from external infrastructure and executes it via Windows Script Host. The subsequent script performs various activities on the victim’s system and downloads a compressed archive containing remote monitoring and management software. Once installed, the malware allows the perpetrator to gain remote access to the victim’s system using administrative capabilities commonly employed for technical support and IT management.

To avoid similar attacks, Kaspersky advises users not to carelessly open attachments received via WhatsApp, even if the message appears to come from a known contact. Users are also advised not to open files with extensions such as .vbs, .vbe, .exe, .bat, .cmd, .js, or .ps1 before verifying their authenticity. Additionally, the use of security solutions on computers and mobile devices is considered essential to help detect and block malware infection attempts.
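The extension advice above can be turned into a check that a help desk or attachment-screening script runs on received file names. This is an added example, not code from Kaspersky or from the article; the decoy-extension list, the bidi-control check and the sample file names are assumptions constructed for illustration.

```python
# Added example: triage of attachment file names (all sample names are constructed).

# Extensions the article's advice says to verify before opening.
RISKY_EXTENSIONS = {".vbs", ".vbe", ".exe", ".bat", ".cmd", ".js", ".ps1"}
# Assumption: document-like extensions used as the decoy half of a double extension.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
# Assumption: Unicode bidi controls that can visually reorder a displayed name.
BIDI_CONTROLS = set("\u202a\u202b\u202d\u202e\u2066\u2067\u2068\u2069")


def effective_name(name):
    """Name used for comparison: bidi controls dropped, trailing dots/spaces
    stripped (the Win32 API ignores them), lower-cased."""
    visible = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return visible.rstrip(". ").lower()


def split_ext(name):
    """Return (stem, extension); a name that only starts with a dot has no extension."""
    dot = name.rfind(".")
    return (name[:dot], name[dot:]) if dot > 0 else (name, "")


def assess_attachment(name):
    """Return findings for one attachment name; an empty list means nothing flagged."""
    findings = []
    if any(ch in BIDI_CONTROLS for ch in name):
        findings.append("bidi-control")
    stem, ext = split_ext(effective_name(name))
    if ext in RISKY_EXTENSIONS:
        findings.append("risky-extension:" + ext)
        # A document-like extension just before the real one suggests a disguise.
        if split_ext(stem)[1] in DECOY_EXTENSIONS:
            findings.append("double-extension")
    return findings


def triage(names):
    """Map each flagged name to its findings, skipping names with no findings."""
    return {n: f for n in names if (f := assess_attachment(n))}


if __name__ == "__main__":
    samples = ["Invoice_0612.pdf.vbs", "Penyata_Bank.VBS ", "Relatorio.pdf",
               "statement.js.", "invoice\u202efdp.vbs"]
    for name, findings in triage(samples).items():
        print(repr(name), findings)
```

A name-based check only narrows what a person should verify; it does not replace endpoint protection that inspects file content.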
