Kaspersky is tracking an active campaign that spreads through WhatsApp by hijacking real accounts and sending their contacts a script file disguised as a business or financial document, with no accompanying message. If a Windows user opens it, the script disables User Account Control protections and silently installs ManageEngine Endpoint Central, a legitimate IT remote-management tool, configured to connect to attacker servers and hand them remote control of the machine. Using trusted contacts and signed, legitimate software helps the attack slip past suspicion and many security tools. The campaign spans several countries, with most confirmed victims in Malaysia, and how the WhatsApp accounts are compromised is still unknown.
Meta says it caught and shut down fresh spear-phishing attempts linked to Israeli spyware maker NSO Group that tried to lure WhatsApp users into clicking malicious links leading to sites outside the app, mirroring the one-click attacks NSO has used to plant its Pegasus spyware. Meta also found and removed NSO-created test accounts and groups, and published the malicious domains involved. The company is now asking a US federal court to hold NSO in contempt for violating the permanent injunction issued last year barring it from targeting WhatsApp. High-risk users such as journalists, activists, and officials are the usual targets of this kind of mercenary spyware.
Italian digital forensics firm Forenser has documented an active zero-click WhatsApp account-takeover campaign targeting iPhone users on iOS 16. Victims (iPhone 8 through 14) reported messages requesting wire transfers being sent from their accounts to recent contacts, with no Linked Devices entries and no QR code interaction. Unified-log analysis shows continuous WhatsApp session-resync events - the signature of two endpoints competing for the same account, with the attacker bypassing the standard linked-device registration. The campaign exploits known iOS 16 vulnerabilities. Affected users do not see archived chats, suggesting the attacker has only recent-chat access. Forenser recommends upgrading to iOS 17 or later.
McAfee uncovered a rootkit campaign called Operation NoVoice that distributed malware through more than 50 legitimate-looking apps on Google Play - cleaners, games, and gallery tools - downloaded at least 2.3 million times. Once opened, the apps silently profile the device and download root exploits targeting Android vulnerabilities patched between 2016 and 2021. After rooting, the malware replaces core system libraries so every app the user opens runs attacker code. It survives factory resets on older devices because the payload lives on the system partition.