Last updated: July 5, 2026 at 9:01 AM UTC
Tag: manageengine (1 article)

WhatsApp malware spreads fake invoices that install remote-access admin tools

Kaspersky is tracking an active campaign that spreads through WhatsApp by hijacking real accounts and sending their contacts a script file disguised as a business or financial document, with no accompanying message. If a Windows user opens it, the script disables User Account Control protections and silently installs ManageEngine Endpoint Central, a legitimate IT remote-management tool, configured to connect to attacker servers and hand them remote control of the machine. Using trusted contacts and signed, legitimate software helps the attack slip past suspicion and many security tools. The campaign spans several countries, with most confirmed victims in Malaysia. How the WhatsApp accounts are compromised is still unknown.

Check
Warn staff to treat unexpected document or invoice files sent over WhatsApp as suspect, even from known contacts, and watch for remote-management tools installed outside approved IT processes.
Affected
Windows users who receive and open script files sent through compromised WhatsApp contacts; the campaign is global, with most confirmed victims in Malaysia, and abuses legitimate remote-management software for access.
Fix
Verify unexpected files through a separate channel before opening, block script attachments, allowlist approved remote-management software and alert on unauthorized installs, and keep User Account Control enabled with endpoint protection active.