Microsoft Defender Security Research Team is warning the public about a new social engineering scam that has been targeting users since late February 2026. The scam arrives as a simple message on WhatsApp, but it carries a hidden danger designed to take over personal computers.
According to Microsoft researchers, the trouble starts when a user receives a message containing a Visual Basic Script (VBS) file, a script format that Windows executes natively. If the person opens this file, it starts a chain of steps that ends with the attackers controlling the computer remotely.
“The campaign relies on a combination of social engineering and living-off-the-land techniques. By combining trusted platforms with legitimate tools, the threat actor reduces visibility and increases the likelihood of successful execution,” researchers wrote in Microsoft’s blog post.
Tactics to Bypass Security
People often feel safe using WhatsApp, so they may not think twice before opening an attachment. Once executed, the malware creates hidden folders under the C:\ProgramData directory to stage its files out of sight. A particularly clever part of this attack involves renaming standard Windows tools so that they look like harmless files.
For example, the built-in tool curl.exe is renamed to netapi.dll, and bitsadmin.exe is disguised as sc.exe. Because these are legitimate, signed Windows binaries, the attackers can use them to download additional malware while the activity appears to be normal system behaviour.
Researchers noted that the malware retrieves these extra payloads from trusted cloud services like AWS S3, Tencent Cloud, and Backblaze B2, which makes the malicious traffic blend in with regular internet use.
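The renaming trick above leaves a trace a defender can hunt for: Windows tools carry their real name in the PE version resource, so a file on disk called netapi.dll whose embedded OriginalFilename reads curl.exe is worth a look. The PowerShell below is an added example written for this article, not code from Microsoft's report; the search root and the watch list of tool names are assumptions chosen here.

```powershell
# Added hunting helper (not from Microsoft's report): walks a directory tree and
# flags files whose embedded VERSIONINFO OriginalFilename differs from the name
# on disk and matches a well-known Windows tool, the pattern this campaign uses
# (curl.exe -> netapi.dll, bitsadmin.exe -> sc.exe).
# Assumptions: run in an elevated PowerShell on Windows; C:\ProgramData as the
# search root and the watch list below are choices made here, not report values.

function Find-RenamedLolbins {
    param(
        [string]$Path = 'C:\ProgramData',
        [string[]]$WatchList = @('curl.exe', 'bitsadmin.exe')
    )

    # -Force includes hidden folders, which is where the report says the malware
    # stages its files. No extension filter: the attacker picks the extension,
    # so a ".dll" may be a plain executable. Non-PE files simply have no
    # OriginalFilename and are skipped.
    Get-ChildItem -Path $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $orig = $_.VersionInfo.OriginalFilename
            # -contains and -ne are case-insensitive by default in PowerShell.
            # Caveat: an attacker who strips the version resource defeats this check.
            if ($orig -and ($orig -ne $_.Name) -and ($WatchList -contains $orig)) {
                [pscustomobject]@{
                    Path             = $_.FullName
                    OnDiskName       = $_.Name
                    OriginalFilename = $orig
                    # A valid signature does not clear the file: a renamed Microsoft
                    # binary still verifies. The column shows it is a real tool, not
                    # a lookalike, which is exactly why it was chosen.
                    Signature        = (Get-AuthenticodeSignature $_.FullName).Status
                    Hidden           = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                    LastWrite        = $_.LastWriteTime
                }
            }
        }
}

# Usage: list any renamed curl/bitsadmin copies staged under ProgramData.
Find-RenamedLolbins | Format-Table -AutoSize
```

Any hit should be treated as a lead, not a verdict: confirm with the file's hash, its creation time relative to the WhatsApp download, and any outbound connections to object storage from that process.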
Taking Full Control of Your PC
The goal of this attack is to gain administrative privileges, which means the hackers want the same power over the computer as its actual owner. Further analysis revealed that the malware tries to change the User Account Control (UAC) settings, the security feature that normally asks for permission before a program makes system changes. By modifying registry entries under HKLM\Software\Microsoft\Win, the malware can silence these prompts and remain on the computer even after it is restarted.
In the final stage, the hackers install malicious software packages that look like regular installers, such as WinRAR.msi, Setup.msi, or AnyDesk.msi. “These installers enable attackers to establish remote access,” researchers explained in the blog post. This allows them to steal private data or use the infected computer for further attacks.
It is worth noting that these installers are unsigned, meaning they lack a valid code-signing certificate. To stay safe, Microsoft recommends being very careful with unexpected WhatsApp attachments and ensuring that your antivirus is always active.
Expert Commentary:
Sharing his insights with hackread.com, Yagub Rahimov, CEO of Polygraf AI, noted that this attack is built entirely on the trust we have in common tools and messaging apps.
“The attack chain here is built entirely around trust towards tools, cloud services, and messaging platforms… curl.exe becomes netapi.dll. bitsadmin.exe becomes sc.exe. Payloads come down from AWS, Tencent Cloud, and Backblaze B2 – infrastructure defenders are conditioned to allow, not inspect. Nothing in this chain looks wrong until it’s too late. WhatsApp makes it worse.”
Rahimov, whose company focuses on zero-trust solutions for national intelligence and defence, added that the use of personal apps on work devices is the real weak spot.
“A .vbs file delivered there bypasses DLP, email security, attachment scanning – the entire layer of controls enterprises have spent years building… The broader issue this campaign points to is simple: the threat perimeter expanded the moment employees started using personal messaging apps on work devices. Most security stacks haven’t caught up.”