{"id":24147,"date":"2026-04-23T10:00:02","date_gmt":"2026-04-23T03:00:02","guid":{"rendered":"https:\/\/fpt-is.com\/en\/?post_type=goc_nhin_so&#038;p=24147"},"modified":"2026-06-23T14:55:08","modified_gmt":"2026-06-23T07:55:08","slug":"whatsapp-malware-campaign-delivering-vbs-payloads-and-msi-backdoors","status":"publish","type":"goc_nhin_so","link":"https:\/\/fpt-is.com\/en\/insights\/whatsapp-malware-campaign-delivering-vbs-payloads-and-msi-backdoors\/","title":{"rendered":"WhatsApp malware campaign delivering VBS payloads and MSI backdoors"},"content":{"rendered":"<h2 id=\"executive-summary\"><span style=\"font-family: arial, helvetica, sans-serif\">Executive Summary<\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">In late February 2026, Microsoft Defender Experts detected a sophisticated attack campaign leveraging WhatsApp to distribute malicious Visual Basic Script (VBS) files to Windows users. Once a victim executes the file, a multi-stage infection chain is triggered, ultimately granting the attacker full system control via MSI backdoors. What makes this campaign particularly notable is its combination of\u00a0<strong>social engineering<\/strong>,\u00a0<strong>Living-off-the-Land (LotL) techniques<\/strong>, and\u00a0<strong>public cloud infrastructure<\/strong>\u00a0to evade security solutions.<\/span><\/p>\n<h2 id=\"threat-landscape\"><span style=\"font-family: arial, helvetica, sans-serif\">Threat landscape<\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">This campaign reflects a growing trend of abusing trusted communication platforms like WhatsApp to deliver malware. Rather than relying on traditional email phishing, attackers exploit the inherent trust users place in familiar messaging applications to lower their psychological defenses. Notably,\u00a0<strong>the lure content used to convince victims to open the VBS file has not yet been identified<\/strong>.<\/span><\/p>\n<h2 id=\"detailed-attack-chain\"><span style=\"font-family: arial, helvetica, sans-serif\">Detailed attack chain<\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">The campaign unfolds across four distinct stages, each building the foundation for the next:<\/span><\/p>\n<p><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/04\/Detailed-Attack-Chain-1776740820.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-24149\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/04\/Detailed-Attack-Chain-1776740820.png\" alt=\"Detailed Attack Chain 1776740820\" width=\"936\" height=\"411\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/04\/Detailed-Attack-Chain-1776740820.png 936w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2026\/04\/Detailed-Attack-Chain-1776740820-700x307.png 700w\" sizes=\"(max-width: 936px) 100vw, 936px\" \/><\/a><\/p>\n<h3 id=\"stage-1-initial-access-via-whatsapp\"><span style=\"font-family: arial, helvetica, sans-serif\">Stage 1 &#8211; Initial access via WhatsApp<\/span><\/h3>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">A malicious VBS file is sent directly through a WhatsApp message. Upon execution, the script:<\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Creates a hidden directory at\u00a0<code>C:\\ProgramData\\EDS8738<\/code><\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Copies and\u00a0<strong>renames legitimate Windows tools<\/strong>:\u00a0<code>curl.exe<\/code>\u00a0\u2192\u00a0<code>netapi.dll<\/code>,\u00a0<code>bitsadmin.exe<\/code>\u00a0\u2192\u00a0<code>sc.exe<\/code><\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">The renamed files retain their original PE metadata (<code>OriginalFileName<\/code>), creating a detectable anomaly for EDR solutions<\/span><\/li>\n<\/ul>\n<h3 id=\"stage-2-cloud-payload-retrieval\"><span style=\"font-family: arial, helvetica, sans-serif\">Stage 2 &#8211; Cloud payload retrieval<\/span><\/h3>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">Using the renamed binaries with downloader flags, the malware connects to reputable cloud services to fetch secondary payloads:<\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><code>auxs.vbs<\/code>\u00a0and\u00a0<code>WinUpdate_KB5034231.vbs<\/code>\u00a0are hosted on\u00a0<strong>AWS S3<\/strong>,\u00a0<strong>Tencent Cloud<\/strong>, and\u00a0<strong>Backblaze B2<\/strong><\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">This technique makes malicious requests appear as normal system traffic, making it extremely difficult to distinguish from legitimate activity<\/span><\/li>\n<\/ul>\n<h3 id=\"stage-3-privilege-escalation-amp-persistence\"><span style=\"font-family: arial, helvetica, sans-serif\">Stage 3 &#8211; Privilege escalation &amp; persistence<\/span><\/h3>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">This is the most critical stage of the campaign:<\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">The malware modifies the\u00a0<code>ConsentPromptBehaviorAdmin<\/code>\u00a0registry value to\u00a0<strong>disable UAC prompts<\/strong><\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">It repeatedly attempts to launch\u00a0<code>cmd.exe<\/code>\u00a0with elevated privileges, looping until successful or forcibly interrupted<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Persistence is written to\u00a0<code>HKLM\\Software\\Microsoft\\Win<\/code>\u00a0to survive reboots<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">The entire privilege escalation process occurs\u00a0<strong>without any user interaction<\/strong><\/span><\/li>\n<\/ul>\n<h3 id=\"stage-4-final-backdoor-deployment\"><span style=\"font-family: arial, helvetica, sans-serif\">Stage 4 &#8211; Final backdoor deployment<\/span><\/h3>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">The final stage installs MSI packages that are\u00a0<strong>not digitally signed<\/strong>:<\/span><\/p>\n<table>\n<thead>\n<tr>\n<th><span style=\"font-family: arial, helvetica, sans-serif\">Filename<\/span><\/th>\n<th><span style=\"font-family: arial, helvetica, sans-serif\">Description<\/span><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\"><code>AnyDesk.msi<\/code><\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Impersonates legitimate remote control software, establishes persistent access<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\"><code>Setup.msi<\/code><\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Generic backdoor installer<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\"><code>WinRAR.msi<\/code><\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Impersonates a popular archiving tool<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\"><code>LinkPoint.msi<\/code><\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Additional backdoor installer<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">Through the fake AnyDesk installation, the attacker achieves\u00a0<strong>persistent remote access<\/strong>, enabling data exfiltration, additional malware deployment, or enrollment of the system into a botnet.<\/span><\/p>\n<h2 id=\"technical-analysis\"><span style=\"font-family: arial, helvetica, sans-serif\">Technical analysis<\/span><\/h2>\n<h3 id=\"mitre-attampck-mapping\"><span style=\"font-family: arial, helvetica, sans-serif\">MITRE ATT&amp;CK mapping<\/span><\/h3>\n<table>\n<thead>\n<tr>\n<th><span style=\"font-family: arial, helvetica, sans-serif\">Tactic<\/span><\/th>\n<th><span style=\"font-family: arial, helvetica, sans-serif\">Technique<\/span><\/th>\n<th><span style=\"font-family: arial, helvetica, sans-serif\">ID<\/span><\/th>\n<th><span style=\"font-family: arial, helvetica, sans-serif\">Details<\/span><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Initial Access<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Phishing via Messaging Platform<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">T1566<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">VBS delivered via WhatsApp<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Execution<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">User Execution: Malicious File<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">T1204.002<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Victim manually executes VBS<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Defense Evasion<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Masquerading: Rename System Utilities<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">T1036.003<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">curl.exe \u2192 netapi.dll<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Defense Evasion<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Abuse of Trusted Cloud Services<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">T1102<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">AWS, Tencent, Backblaze<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Privilege Escalation<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Abuse Elevation Control: Bypass UAC<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">T1548.002<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Registry UAC bypass<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Persistence<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Registry Run Keys \/ Startup Folder<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">T1547.001<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">HKLM registry modification<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Command &amp; Control<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Remote Access Software<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">T1219<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">AnyDesk backdoor<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3 id=\"evasion-highlights\"><span style=\"font-family: arial, helvetica, sans-serif\">Evasion highlights<\/span><\/h3>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">This campaign is particularly dangerous due to the simultaneous use of multiple evasion techniques. The combination of legitimate Windows binaries (LotL) with cloud hosting renders signature-based and domain reputation-based security solutions largely ineffective. Furthermore,\u00a0<strong>delayed execution<\/strong>\u00a0and staged delivery help bypass sandbox behavioral analysis systems.<\/span><\/p>\n<h2 id=\"indicators-of-compromise-iocs\"><span style=\"font-family: arial, helvetica, sans-serif\">Indicators of compromise (IoCs)<\/span><\/h2>\n<h3 id=\"sha-256-hashes-vbs-scripts-initial-stage\"><span style=\"font-family: arial, helvetica, sans-serif\">SHA-256 hashes &#8211; VBS scripts (Initial stage)<\/span><\/h3>\n<table>\n<thead>\n<tr>\n<th><span style=\"font-family: arial, helvetica, sans-serif\">Hash<\/span><\/th>\n<th><span style=\"font-family: arial, helvetica, sans-serif\">Description<\/span><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\"><code>a773bf0d400986f9bcd001c84f2e1a0b614c14d9088f3ba23ddc0c75539dc9e0<\/code><\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Initial VBS from WhatsApp<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\"><code>22b82421363026940a565d4ffbb7ce4e7798cdc5f53dda9d3229eb8ef3e0289a<\/code><\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Initial VBS from WhatsApp<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3 id=\"sha-256-hashes-vbs-droppers-cloud-stage\"><span style=\"font-family: arial, helvetica, sans-serif\">SHA-256 hashes &#8211; VBS droppers (Cloud stage)<\/span><\/h3>\n<table>\n<thead>\n<tr>\n<th><span style=\"font-family: arial, helvetica, sans-serif\">Hash<\/span><\/th>\n<th><span style=\"font-family: arial, helvetica, sans-serif\">Description<\/span><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\"><code>91ec2ede66c7b4e6d4c8a25ffad4670d5fd7ff1a2d266528548950df2a8a927a<\/code><\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Script from cloud storage<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\"><code>1735fcb8989c99bc8b9741f2a7dbf9ab42b7855e8e9a395c21f11450c35ebb0c<\/code><\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Script from cloud storage<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\"><code>5cd4280b7b5a655b611702b574b0b48cd46d7729c9bbdfa907ca0afa55971662<\/code><\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Script from cloud storage<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\"><code>630dfd5ab55b9f897b54c289941303eb9b0e07f58ca5e925a0fa40f12e752653<\/code><\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Script from cloud storage<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3 id=\"sha-256-hashes-msi-installers-final-payload\"><span style=\"font-family: arial, helvetica, sans-serif\">SHA-256 hashes &#8211; MSI installers (Final payload)<\/span><\/h3>\n<table>\n<thead>\n<tr>\n<th><span style=\"font-family: arial, helvetica, sans-serif\">Hash<\/span><\/th>\n<th><span style=\"font-family: arial, helvetica, sans-serif\">Description<\/span><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\"><code>dc3b2db1608239387a36f6e19bba6816a39c93b6aa7329340343a2ab42ccd32d<\/code><\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">MSI installer<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\"><code>a2b9e0887751c3d775adc547f6c76fea3b4a554793059c00082c1c38956badc8<\/code><\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">MSI installer<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\"><code>15a730d22f25f87a081bb2723393e6695d2aab38c0eafe9d7058e36f4f589220<\/code><\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">MSI installer<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3 id=\"urls-cloud-payload-hosting\"><span style=\"font-family: arial, helvetica, sans-serif\">URLs &#8211; Cloud payload hosting<\/span><\/h3>\n<table>\n<thead>\n<tr>\n<th><span style=\"font-family: arial, helvetica, sans-serif\">URL<\/span><\/th>\n<th><span style=\"font-family: arial, helvetica, sans-serif\">Service<\/span><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\"><code>hxxps[:]\/\/bafauac.s3.ap-southeast-1.amazonaws[.]com<\/code><\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Amazon S3<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\"><code>hxxps[:]\/\/yifubafu.s3.ap-southeast-1.amazonaws[.]com<\/code><\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Amazon S3<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\"><code>hxxps[:]\/\/9ding.s3.ap-southeast-1.amazonaws[.]com<\/code><\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Amazon S3<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\"><code>hxxps[:]\/\/f005.backblazeb2.com\/file\/bsbbmks<\/code><\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Backblaze B2<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\"><code>hxxps[:]sinjiabo-1398259625[.]cos.ap-singapore.myqcloud.com<\/code><\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Tencent Cloud<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3 id=\"c2-domains\"><span style=\"font-family: arial, helvetica, sans-serif\">C2 domains<\/span><\/h3>\n<table>\n<thead>\n<tr>\n<th><span style=\"font-family: arial, helvetica, sans-serif\">Domain<\/span><\/th>\n<th><span style=\"font-family: arial, helvetica, sans-serif\">Role<\/span><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\"><code>Neescil[.]top<\/code><\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Command &amp; Control<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\"><code>velthora[.]top<\/code><\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Command &amp; Control<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2 id=\"hunting-queries-microsoft-defender-kql\"><span style=\"font-family: arial, helvetica, sans-serif\">Hunting queries (Microsoft defender \/ KQL)<\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">The following queries were provided by Microsoft to hunt for related activity:<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Detect malicious VBS script execution:<\/strong><\/span><\/p>\n<pre><span style=\"font-family: arial, helvetica, sans-serif\"><code class=\"language-kql\">DeviceProcessEvents\r\n| where InitiatingProcessFileName has \"wscript.exe\"\r\n| where InitiatingProcessCommandLine has_all (\"wscript.exe\",\".vbs\")\r\n| where ProcessCommandLine has_all (\"ProgramData\",\"-K\",\"-s\",\"-L\",\"-o\", \"https:\")\r\n<\/code><button class=\"copy-code-button\" title=\"Copy code\" aria-label=\"Copy code\"><i class=\"fa-jelly fa-clipboard copy-icon\"><\/i><\/button><\/span><\/pre>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Detect next-stage VBS payload retrieval:<\/strong><\/span><\/p>\n<pre><span style=\"font-family: arial, helvetica, sans-serif\"><code class=\"language-kql\">DeviceFileEvents\r\n| where InitiatingProcessFileName endswith \".dll\"\r\n| where InitiatingProcessVersionInfoOriginalFileName contains \"curl.exe\"\r\n| where FileName endswith \".vbs\"\r\n<\/code><button class=\"copy-code-button\" title=\"Copy code\" aria-label=\"Copy code\"><i class=\"fa-jelly fa-clipboard copy-icon\"><\/i><\/button><\/span><\/pre>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Detect malicious MSI installer drop:<\/strong><\/span><\/p>\n<pre><span style=\"font-family: arial, helvetica, sans-serif\"><code class=\"language-kql\">DeviceFileEvents\r\n| where InitiatingProcessFileName endswith \".dll\"\r\n| where InitiatingProcessVersionInfoOriginalFileName contains \"curl.exe\"\r\n| where FileName endswith \".msi\"\r\n<\/code><button class=\"copy-code-button\" title=\"Copy code\" aria-label=\"Copy code\"><i class=\"fa-jelly fa-clipboard copy-icon\"><\/i><\/button><\/span><\/pre>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Detect outbound C2 communication:<\/strong><\/span><\/p>\n<pre><span style=\"font-family: arial, helvetica, sans-serif\"><code class=\"language-kql\">DeviceNetworkEvents\r\n| where InitiatingProcessFileName endswith \".dll\"\r\n| where InitiatingProcessVersionInfoOriginalFileName contains \"curl.exe\"\r\n| where InitiatingProcessCommandLine has_all (\"-s\",\"-L\",\"-o\", \"-k\")\r\n<\/code><button class=\"copy-code-button\" title=\"Copy code\" aria-label=\"Copy code\"><i class=\"fa-jelly fa-clipboard copy-icon\"><\/i><\/button><\/span><\/pre>\n<h2 id=\"mitigation-amp-recommendations\"><span style=\"font-family: arial, helvetica, sans-serif\">Mitigation &amp; recommendations<\/span><\/h2>\n<h3 id=\"endpoint-controls\"><span style=\"font-family: arial, helvetica, sans-serif\">Endpoint controls<\/span><\/h3>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Restrict script hosts<\/strong>\u00a0in untrusted paths:\u00a0<code>wscript.exe<\/code>,\u00a0<code>cscript.exe<\/code>,\u00a0<code>mshta.exe<\/code><\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Monitor renamed Windows binaries executing with anomalous flags, especially\u00a0<code>curl<\/code>\u00a0and\u00a0<code>bitsadmin<\/code>\u00a0downloader flags<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Enable\u00a0<strong>EDR in block mode<\/strong>\u00a0to neutralize malicious artifacts even when antivirus does not detect them<\/span><\/li>\n<\/ul>\n<h3 id=\"network-amp-cloud-monitoring\"><span style=\"font-family: arial, helvetica, sans-serif\">Network &amp; cloud monitoring<\/span><\/h3>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Audit and filter outbound traffic to public cloud services (AWS S3, Tencent Cloud, Backblaze B2) in enterprise contexts<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Block connections to known C2 domains:\u00a0<code>Neescil[.]top<\/code>,\u00a0<code>velthora[.]top<\/code><\/span><\/li>\n<\/ul>\n<h3 id=\"persistence-detection\"><span style=\"font-family: arial, helvetica, sans-serif\">Persistence detection<\/span><\/h3>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Continuously monitor registry changes at\u00a0<code>HKLM\\Software\\Microsoft\\Win<\/code><\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Alert on modifications to\u00a0<code>ConsentPromptBehaviorAdmin<\/code>\u00a0(indicator of UAC bypass)<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Flag MSI package installations that lack valid digital signatures<\/span><\/li>\n<\/ul>\n<h3 id=\"user-awareness\"><span style=\"font-family: arial, helvetica, sans-serif\">User awareness<\/span><\/h3>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Train employees\u00a0<strong>never to open attachments<\/strong>\u00a0(especially\u00a0<code>.vbs<\/code>,\u00a0<code>.js<\/code>,\u00a0<code>.bat<\/code>) received via messaging platforms such as WhatsApp &#8211; even from known contacts<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Establish a clear incident reporting process for suspicious messages or files received via any communication channel<\/span><\/li>\n<\/ul>\n<h3 id=\"microsoft-specific-recommendations\"><span style=\"font-family: arial, helvetica, sans-serif\">Microsoft-specific recommendations<\/span><\/h3>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Enable\u00a0<strong>cloud-delivered protection<\/strong>\u00a0in Microsoft Defender Antivirus<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Activate\u00a0<strong>Tamper Protection<\/strong>\u00a0combined with\u00a0<code>DisableLocalAdminMerge<\/code><\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Enable\u00a0<strong>Attack Surface Reduction (ASR) rules<\/strong>\u00a0to block LotL techniques<\/span><\/li>\n<\/ul>\n<h2 id=\"microsoft-defender-detections\"><span style=\"font-family: arial, helvetica, sans-serif\">Microsoft defender detections<\/span><\/h2>\n<table>\n<thead>\n<tr>\n<th><span style=\"font-family: arial, helvetica, sans-serif\">Tactic<\/span><\/th>\n<th><span style=\"font-family: arial, helvetica, sans-serif\">Observed Activity<\/span><\/th>\n<th><span style=\"font-family: arial, helvetica, sans-serif\">Detection Name<\/span><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Initial Access<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Malicious VBS downloaded via WhatsApp<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\"><code>Trojan:VBS\/Obfuse.KPP!MTB<\/code><\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Execution \/ Defense Evasion<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Renaming\u00a0<code>curl.exe<\/code>,\u00a0<code>bitsadmin.exe<\/code><\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\"><code>Suspicious curl behavior<\/code><\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Privilege Escalation<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\">Reading UAC settings, modifying registry<\/span><\/td>\n<td><span style=\"font-family: arial, helvetica, sans-serif\"><code>Trojan:VBS\/BypassUAC.PAA!MTB<\/code><\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2 id=\"analyst-assessment\"><span style=\"font-family: arial, helvetica, sans-serif\">Analyst assessment<\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">This campaign demonstrates a high level of sophistication, integrating multiple evasion layers within a single, cohesive attack chain. The abuse of globally trusted cloud services (AWS, Tencent, Backblaze) reflects an emerging trend of\u00a0<strong>&#8220;living off trusted services&#8221;<\/strong> &#8211; an evolution beyond traditional LotL techniques. While Microsoft has not publicly attributed this activity to a specific threat actor, the overall sophistication and use of AnyDesk as a persistent C2 mechanism strongly suggests this is the work of an <strong>organized APT group or professional cybercrime operation<\/strong>\u00a0targeting enterprises. This campaign serves as a critical reminder that\u00a0<strong>no platform is inherently safe<\/strong>, and enforcing a zero-trust policy toward all received files &#8211; regardless of the application used &#8211; is a non-negotiable requirement in today&#8217;s enterprise security posture.<\/span><\/p>\n<h2 id=\"tham-kho\"><span style=\"font-family: arial, helvetica, sans-serif\">References<\/span><\/h2>\n<ol>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/03\/31\/whatsapp-malware-campaign-delivers-vbs-payloads-msi-backdoors\/\" target=\"_blank\" rel=\"noopener ugc nofollow\">WhatsApp malware campaign delivers VBScript and MSI backdoors<\/a><\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/www.csoonline.com\/article\/4153092\/whatsapp-malware-campaign-uses-malicious-vbs-files-to-gain-persistent-access.html\" target=\"_blank\" rel=\"noopener ugc nofollow\">WhatsApp malware campaign uses malicious VBS files to gain persistent access<\/a><\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/thehackernews.com\/2026\/04\/microsoft-warns-of-whatsapp-delivered.html\" target=\"_blank\" rel=\"noopener ugc nofollow\">Microsoft Warns of WhatsApp-Delivered VBS Malware Hijacking Windows via UAC Bypass<\/a><\/span><\/li>\n<\/ol>\n<p>&nbsp;<\/p>\n<table style=\"border-collapse: collapse;width: 100%\">\n<tbody>\n<tr>\n<td style=\"width: 100%\"><em><strong><span style=\"font-family: arial, helvetica, sans-serif\">Exclusive article by FPT expert<\/span><\/strong><\/em><br \/>\n<strong><span style=\"font-family: arial, helvetica, sans-serif\">Dinh Van Manh \u2013 FPT Information Security Center, FPT Corporation<\/span><\/strong><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"author":21,"featured_media":24148,"parent":0,"template":"","nang_luc":[821],"danh_muc_goc_nhin_so":[],"dich_vu":[],"linh_vuc":[],"platform":[],"san_pham":[],"the_goc_nhin_so":[],"class_list":["post-24147","goc_nhin_so","type-goc_nhin_so","status-publish","has-post-thumbnail","hentry","nang_luc-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/goc_nhin_so\/24147","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/goc_nhin_so"}],"about":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/types\/goc_nhin_so"}],"author":[{"embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/users\/21"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/media\/24148"}],"wp:attachment":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/media?parent=24147"}],"wp:term":[{"taxonomy":"nang_luc","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/nang_luc?post=24147"},{"taxonomy":"danh_muc_goc_nhin_so","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/danh_muc_goc_nhin_so?post=24147"},{"taxonomy":"dich_vu","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/dich_vu?post=24147"},{"taxonomy":"linh_vuc","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/linh_vuc?post=24147"},{"taxonomy":"platform","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/platform?post=24147"},{"taxonomy":"san_pham","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/san_pham?post=24147"},{"taxonomy":"the_goc_nhin_so","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/the_goc_nhin_so?post=24147"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}