https://securelist.com/whatsapp-vbs-rmm-campaign/120290
A phishing campaign targeting WhatsApp users has been uncovered in which attackers distribute fake business documents through the platform to trick recipients into executing malware that compromises their Windows computers. The attack exploits the trust users place in document attachments received through WhatsApp. The platform is increasingly used for professional and business communication alongside its traditional personal messaging role, so recipients are far less likely to apply the scrutiny they would bring to an unexpected email attachment from an unknown sender. The campaign continues a broader trend: threat actors have shifted their initial access operations away from email-based phishing, where detection and filtering have matured considerably, towards messaging platforms, where enterprise security controls are applied far less consistently and where the casual, conversational context encourages faster and less cautious interaction with received files.
The attack chain begins when a target receives what appears to be a legitimate business document through WhatsApp, potentially styled as an invoice, contract, purchase order, or another commercially plausible file type chosen so that the recipient opens it without undue suspicion. Once the victim opens or interacts with the document, malicious code executes on the machine and establishes a foothold; how much control the attacker gains over the compromised system depends on the specific payload deployed. The business-themed lure is a deliberate social-engineering choice: professionally formatted documents carry an implicit legitimacy that personal or casual content does not, and people in workplace environments are conditioned to open and review business documents as a routine part of their daily responsibilities, which lowers their defensive instincts at precisely the moment the attack relies on them being lowered.
Individuals and organisations should treat document attachments received through WhatsApp with the same caution they would apply to email attachments, regardless of whether the sender appears to be known or trusted, because attackers frequently compromise or spoof legitimate accounts to add credibility to their lures. Organisations that permit or encourage the use of WhatsApp for business communication are advised to set clear policies for handling file attachments received through consumer messaging platforms, and to ensure that endpoint security controls can detect and block malicious payloads delivered through non-email channels. The broader lesson from campaigns of this nature is that as defenders have hardened traditional attack vectors, threat actors have consistently migrated to the communication channels where users are least prepared to encounter and recognise malicious content. User awareness and cross-platform security hygiene are therefore increasingly essential components of any effective organisational defence posture.
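The recommendation above, that endpoint controls should catch payloads arriving over non-email channels, can be expressed as a process-creation rule: a file received through a consumer messaging client is expected to be viewed, not executed. The following is an added illustration and is not code from Securelist or from the article; the interpreter and messaging-client process names, the download-folder fragments, the file-extension lists and the five sample telemetry records are all constructed assumptions rather than indicators taken from the campaign.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# All names below are assumptions for illustration, not indicators from the article.
SCRIPT_ENGINES = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
MESSAGING_CLIENTS = {"whatsapp.exe", "telegram.exe", "signal.exe"}
MESSAGING_DIRS = ("\\whatsapp\\", "\\telegram desktop\\")  # where clients drop received files (assumed)
EXECUTABLE_EXT = {".vbs", ".vbe", ".js", ".jse", ".hta", ".ps1", ".bat", ".cmd", ".exe", ".scr"}
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}  # what a "business document" should look like


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record in the shape an EDR would emit (constructed)."""
    parent_image: str
    image: str
    command_line: str


def _tokens(cmdline: str) -> list[str]:
    """Split a Windows command line, keeping quoted paths that contain spaces intact."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def launched_file(event: ProcessEvent) -> str:
    """The file that actually ends up running: the first argument with a file
    extension if there is one (the script handed to an interpreter, the document
    handed to a viewer), otherwise the process image itself."""
    for tok in _tokens(event.command_line)[1:]:
        if PureWindowsPath(tok).suffix:
            return tok
    return event.image


def assess(event: ProcessEvent) -> list[str]:
    """Return the reasons this event looks like code received over a messaging
    client being executed; an empty list means the event is not flagged."""
    parent = PureWindowsPath(event.parent_image).name.lower()
    child = PureWindowsPath(event.image).name.lower()
    target = launched_file(event)
    ext = PureWindowsPath(target).suffix.lower()
    if ext not in EXECUTABLE_EXT:
        return []  # a document being viewed is normal; only executable content is of interest
    reasons = []
    if parent in MESSAGING_CLIENTS:
        reasons.append(f"executable content launched directly by messaging client {parent}")
    if any(d in target.lower() for d in MESSAGING_DIRS):
        reasons.append("file lives in a messaging client's received-files folder")
    if not reasons:
        return []  # no messaging provenance: out of scope for this rule
    if child in SCRIPT_ENGINES:
        reasons.append(f"interpreted by {child} rather than opened by a viewer")
    inner = PureWindowsPath(PureWindowsPath(target).stem).suffix.lower()
    if inner in DOCUMENT_EXT:
        reasons.append(f"document-style name hides {ext} behind {inner}")
    return reasons


def triage(events: list[ProcessEvent]) -> dict[int, list[str]]:
    """Map the index of each flagged event to the reasons it was flagged."""
    return {i: r for i, e in enumerate(events) if (r := assess(e))}


# Constructed sample telemetry: two launches that should be flagged, three that should not.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Users\alice\AppData\Local\WhatsApp\WhatsApp.exe",
                 r"C:\Windows\System32\wscript.exe",
                 r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\WhatsApp\invoice_2024.vbs"'),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\wscript.exe",
                 r'wscript.exe "C:\Users\alice\AppData\Roaming\WhatsApp\Media\purchase_order.pdf.vbs"'),
    ProcessEvent(r"C:\Users\alice\AppData\Local\WhatsApp\WhatsApp.exe",
                 r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
                 r'"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\alice\Downloads\WhatsApp\invoice.pdf"'),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" "C:\Users\alice\Documents\contract.docx"'),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -File C:\Tools\nightly_backup.ps1"),
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS).items():
        print(f"event {idx}: " + "; ".join(reasons))
```

The rule deliberately keys on provenance plus behaviour rather than on the interpreter alone: a script run from a tools folder by an administrator and a PDF opened from the WhatsApp download folder both pass, while a script stored under the messaging client's folder, or handed to an interpreter straight from the client, does not. In a real deployment the folder fragments and client names would come from an inventory of the messaging software the organisation actually allows.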