CERT-In Warns WhatsApp Web Users of VBScript Malware Campaign

India's cybersecurity agency, CERT-In, has issued an urgent warning regarding a large-scale malware campaign targeting WhatsApp Web and Desktop users. The campaign distributes malicious Visual Basic Script (VBScript) files via direct messages, which, if opened, can grant attackers unauthorized access to devices and sensitive data. Users are advised to exercise extreme caution with unexpected attachments, even from known contacts.

Key Highlights

  • CERT-In warns of a malware campaign targeting WhatsApp Web and Desktop.
  • Malicious VBScript files are distributed via direct messages on WhatsApp.
  • Attackers exploit compromised accounts to make malicious messages seem credible.
  • Opening infected attachments can lead to unauthorized device access and data theft.
  • Users are urged to verify unexpected attachments before opening them.
The Indian Computer Emergency Response Team (CERT-In) has issued a critical advisory warning users of WhatsApp Web and WhatsApp Desktop about a widespread malware campaign. This campaign is actively distributing malicious Visual Basic Script (VBScript) files through direct messages on the platform, posing a significant threat to user data and device security.

The advisory, dated June 25, 2026, highlights that attackers are exploiting already compromised WhatsApp accounts to send these malicious files to the victim's existing contacts. This tactic leverages the trust inherent in communications from known individuals, making recipients more likely to open the infected attachments. The campaign, based on findings from cybersecurity firms Kaspersky and Securelist, targets users of the web and desktop versions of WhatsApp specifically.

If a VBScript file is executed successfully, it can grant cybercriminals unauthorized remote access to the infected device. This access allows them to steal sensitive information, including login credentials for fraudulent purposes, install further malicious software, spread the infection across a user's network, and potentially disrupt business operations, leading to financial losses.

The malicious files are often disguised as legitimate business or financial documents, with deceptive file names such as "Financial Reports.vbs" or "Account Statement.vbs." Some samples have also been found with localized names in various languages, indicating a broad international targeting effort.

The attack chain involves users downloading and opening these disguised VBScript files. Once executed, the script can lead to the installation of legitimate Remote Monitoring and Management (RMM) tools, such as ManageEngine Endpoint Central, which then provide attackers with persistent remote access. This sophisticated approach, combining social engineering with the abuse of legitimate software, makes the malware difficult to detect.
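
The attack chain described above leaves a recognizable trail in endpoint process-creation telemetry: a Windows script host running a `.vbs` file from a user-writable folder, followed by an installer in the same process tree. The following detection sketch is an added example, not code from CERT-In or the cited researchers; the event field names, the sample events, the user name and `agent.msi` are constructed, and it assumes the RMM agent is installed through `msiexec`.

```python
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
INSTALLERS = {"msiexec.exe"}  # assumption: the RMM agent arrives as an MSI package
USER_DIRS = ("\\downloads\\", "\\desktop\\", "\\appdata\\", "\\temp\\")
VBS_ARG = re.compile(r'"([^"]+\.vb[se])"|(\S+\.vb[se])(?=\s|$)', re.IGNORECASE)

def script_path(cmdline):
    """Return the .vbs/.vbe path on a command line, or None (handles quoted names with spaces)."""
    m = VBS_ARG.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None

def detect(events):
    """Flag script hosts running VBScript from user folders; escalate if an installer follows."""
    alerts, tracked = [], {}  # tracked: pid -> alert owning that process tree
    for ev in events:         # events are assumed to be in chronological order
        name = ntpath.basename(ev["image"]).lower()
        parent_alert = tracked.get(ev["ppid"])
        if parent_alert is not None:
            tracked[ev["pid"]] = parent_alert  # keep following descendants
            if name in INSTALLERS:
                parent_alert["severity"] = "high"
                parent_alert["installer_cmdline"] = ev["cmdline"]
            continue
        if name in SCRIPT_HOSTS:
            path = script_path(ev["cmdline"])
            if path and any(d in path.lower() for d in USER_DIRS):
                alert = {"pid": ev["pid"], "script": path, "severity": "medium"}
                alerts.append(alert)
                tracked[ev["pid"]] = alert
    return alerts

# Constructed sample events (not taken from the advisory).
EVENTS = [
    {"pid": 4120, "ppid": 3004, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\asha\Downloads\Financial Reports.vbs"'},
    {"pid": 4188, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c msiexec /i C:\Users\asha\AppData\Local\Temp\agent.msi /qn"},
    {"pid": 4230, "ppid": 4188, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec /i C:\Users\asha\AppData\Local\Temp\agent.msi /qn"},
    {"pid": 5000, "ppid": 700, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe //nologo C:\Windows\System32\slmgr.vbs /dli"},
    {"pid": 5100, "ppid": 3004, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\asha\Desktop\notes.vbs"},
]

if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a)
```

The first process tree is escalated to high because the installer runs as a descendant of the script host, while the administrative script under `System32` is not flagged.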
CERT-In strongly advises users to exercise extreme caution: "do not open attachments you were not expecting, even if they come from a friend, colleague, or family member." To mitigate the risk, users are advised to verify suspicious attachments by contacting the sender through an alternative communication channel, such as a phone call or a different messaging app. Additionally, keeping WhatsApp Desktop, web browsers, and operating systems updated and using reputable antivirus and endpoint security software are crucial preventative measures.

The advisory also points out that this is not the first cybersecurity warning issued by CERT-In in recent times, with previous advisories concerning AI-driven cyberattacks and the need for tighter security compliance norms for device manufacturers. The growing trend of using messaging platforms for malware distribution underscores the importance of user vigilance as a critical layer of defense against evolving cyber threats.

The campaign has been observed to target users across various countries, including India, Malaysia, Brazil, and several others in Europe and Asia. While Malaysia has reported the highest concentration of victims, the global reach suggests a widespread threat.

The Indian government's focus on cybersecurity is increasing, with CERT-In playing a pivotal role in issuing alerts and advisories to protect citizens and businesses. The agency has also been implementing stricter cybersecurity norms for various entities, reflecting the rising sophistication and frequency of cyberattacks. The nature of this attack, which exploits user trust and disguised malicious files, highlights the need for continuous education on safe online practices. Users are advised to be skeptical of any unsolicited or unusual attachments, regardless of the perceived sender.
Immediate action to verify and report suspicious activity can significantly help in preventing the spread of such malware and protecting personal and organizational data. The advisory serves as a crucial reminder for individuals and businesses alike to bolster their cybersecurity posture and remain vigilant in the face of persistent cyber threats targeting widely used communication platforms like WhatsApp.

Frequently Asked Questions

What is the primary threat highlighted by CERT-In's advisory?

CERT-In's advisory warns of a large-scale malware campaign targeting WhatsApp Web and Desktop users, where malicious VBScript files are distributed via direct messages, potentially leading to unauthorized device access and data theft.

How are attackers distributing this malware?

Attackers are using compromised WhatsApp accounts to send malicious VBScript files as attachments through direct messages. This leverages the trust users have in known contacts to increase the likelihood of the attachment being opened.

What are the potential consequences of falling victim to this malware campaign?

If the malware is executed, cybercriminals can gain remote access to the infected device, steal login credentials for fraudulent use, install further malicious software, spread the infection, and disrupt business operations, leading to financial losses.

What precautions should WhatsApp Web and Desktop users take?

Users should be extremely cautious and avoid opening unexpected attachments, even if they appear to come from known contacts. It is recommended to verify suspicious attachments by contacting the sender through an alternative channel.

Is this threat specific to India, or is it global?

While CERT-In's advisory is specific to India, the malware campaign has been observed targeting users in multiple countries globally, indicating a widespread threat.
