Lily
Anne

WhatsApp Business Document Lures Install ManageEngine for Remote Access

Lily Anne

Jun 25, 2026

5 min read

WhatsApp Business Document Lures Install ManageEngine for Remote Access

TL;DR

A new WhatsApp phishing attack is targeting businesses with fake financial documents disguised as VBScript files. Once executed, the malware downloads legitimate remote administration software to give attackers persistent access to Windows devices. Organizations should strengthen phishing defense with application control, endpoint monitoring, and continuous compliance to stop these attacks before they spread.

A new WhatsApp phishing attack is exploiting trusted business conversations to compromise Windows endpoints. Instead of relying on suspicious links, attackers send fake financial documents through compromised WhatsApp accounts, making the messages appear to come from legitimate contacts. When recipients open the attached VBScript file, it silently downloads additional malware, weakens Windows security settings, and installs legitimate remote management software that attackers abuse for persistent access. As messaging platforms continue to play a larger role in workplace communication, organizations must prepare for phishing campaigns that combine social engineering with trusted administrative tools to evade traditional security controls.

WhatsApp phishing campaign abuses trusted business conversations

According to BleepingComputer, security researchers uncovered an ongoing malware campaign targeting WhatsApp users across multiple countries, including India, Brazil, Singapore, Australia, the United Kingdom, Spain, Mexico, Taiwan, Vietnam, Russia, and Malaysia. Instead of sending messages from newly created accounts, attackers distribute malicious attachments through compromised WhatsApp accounts, increasing the likelihood that recipients trust the sender.

The campaign relies on VBScript malware disguised as common business documents. File names are localized to resemble:

  • Financial reports
  • Billing statements
  • Payment notices
  • Account documents
  • Business invoices

Because these filenames closely resemble legitimate workplace documents, unsuspecting users may execute the attachment without questioning its authenticity.

How the attack installs remote access malware

The infection chain begins when the victim opens the malicious VBScript attachment on a Windows device. Although the script is heavily obfuscated to evade detection, it performs several malicious actions behind the scenes.

The malware first downloads additional scripts from attacker-controlled infrastructure. It then modifies Windows Registry settings to reduce User Account Control (UAC) protections, making it easier to execute additional payloads with fewer security prompts.

Next, the script downloads a ZIP archive containing ManageEngine Endpoint Central, a legitimate endpoint management solution widely used by IT administrators. Rather than deploying custom malware for remote control, attackers silently install and configure the software to communicate with servers under their control.

By abusing trusted remote administration software, attackers establish remote access malware capabilities without relying solely on traditional remote access trojans. This approach can make malicious activity more difficult to distinguish from legitimate administrative operations.

Researchers also observed overlaps between the campaign’s infrastructure and IP addresses previously associated with ValleyRAT and Gh0st RAT operations. While some artifacts contained Chinese-language elements, researchers noted that there is currently insufficient evidence to confidently attribute the campaign to a specific threat actor.

Why enterprises should take this attack seriously

This campaign demonstrates how modern phishing attacks increasingly combine social engineering with legitimate software to evade detection.

Once attackers gain remote access to a corporate endpoint, they may attempt to:

Potential attacker objective Business impact
Remote device control Persistent access to corporate systems
Credential theft Unauthorized access to enterprise accounts
Lateral movement Compromise of additional endpoints
Data staging and exfiltration Exposure of sensitive business information
Ransomware deployment Operational disruption and financial loss

Because employees frequently use WhatsApp Desktop or WhatsApp Web alongside corporate applications, a successful compromise on a Windows endpoint can provide attackers with an entry point into the enterprise environment.

Strengthen phishing defense with Hexnode

Organizations need layered controls that prevent malicious scripts from executing while rapidly detecting suspicious endpoint behavior.

Hexnode UEM helps reduce the attack surface by enabling organizations to:

  • Enforce application control to prevent unauthorized software execution.
  • Restrict access to unwanted or untrusted Windows applications using Blocklist/Allowlist rules based on store app, publisher, or file path.
  • Maintain Windows security configurations and compliance.
  • Deploy security patches that reduce exploitable vulnerabilities.

Remotely perform supported UEM actions such as locking, wiping, pushing OS updates, executing scripts, or uninstalling applications from the Hexnode console.

If an endpoint becomes compromised, Hexnode XDR helps security teams identify and respond to suspicious activity by detecting:

  • Malicious binary behavior, unauthorized process execution, or suspicious endpoint activity.
  • Abnormal outbound network connections.
  • Brute-force attempts.
  • Indicators of lateral movement across enterprise devices.

By combining preventive endpoint management with behavioral detection and rapid response, organizations can significantly reduce the impact of phishing campaigns that abuse legitimate administrative software.

Conclusion

This WhatsApp phishing campaign highlights how attackers continue to evolve beyond traditional email-based phishing. By combining compromised messaging accounts, deceptive business documents, obfuscated scripts, and legitimate remote administration software, threat actors create attacks that are both convincing and difficult to detect.

Organizations should strengthen their phishing defense by verifying unexpected file attachments, restricting script execution, governing approved remote access tools, maintaining device compliance, and deploying continuous endpoint detection capabilities. A layered security strategy remains the most effective way to prevent trusted messaging platforms from becoming an initial access vector for enterprise compromise.

FAQs

Legitimate remote administration tools are digitally signed and commonly used by IT teams, making them less likely to trigger security alerts than custom remote access trojans.

Yes. Many organizations reduce risk by restricting or disabling VBScript execution through Group Policy, Microsoft Defender Application Control (WDAC), AppLocker, or other application control policies.

Share

Lily Anne

Content writer at Hexnode. Fueled by good coffee and the occasional cat cuddle, I enjoy crafting content that informs, connects, and resonates. Nothing excites me more than knowing my words have been read, appreciated, and maybe even bookmarked.