WhatsApp Desktop and Web Users Targeted by New Malware Campaign, Warns Kaspersky

WhatsApp users on desktop and web platforms are being targeted by a new malware campaign that is spreading through compromised accounts, according to cybersecurity company Kaspersky. The security firm has identified a large-scale operation in which attackers use hijacked WhatsApp accounts to send malicious files disguised as legitimate business documents.

The campaign has already affected users across multiple countries, with Malaysia reporting the highest number of infections. Researchers believe the operation may also be targeting users in Europe and other regions.

Attackers Using Compromised WhatsApp Accounts

According to Kaspersky’s Global Research and Analysis Team (GReAT), cybercriminals are sending malicious attachments through WhatsApp Desktop and WhatsApp Web. Because the files are delivered from accounts that may belong to known contacts, recipients are more likely to trust and open them.

The malicious attachments are designed to look like ordinary business-related documents. File names often resemble invoices, bank statements, account summaries, debt notices, and other financial records commonly exchanged in professional communications.

By disguising malware as routine documents, attackers aim to increase the chances of users opening the files without suspicion.

Malware Hidden Inside VBScript Files

Kaspersky researchers found that the campaign primarily relies on malicious VBScript files. Once opened, these files initiate a multi-stage infection process that quietly downloads additional malicious components from external servers.

Fareed Radzi, a security researcher at Kaspersky GReAT, explained that opening the file triggers a hidden infection chain that retrieves and executes further malware without the user’s knowledge.

The scripts reportedly contain extensive comments and metadata designed to imitate genuine Microsoft Windows Update components, making them appear more legitimate and helping them evade suspicion.

Multiple Countries Affected

The malware campaign has been detected in several countries, including:

  • Malaysia
  • Brazil
  • Singapore
  • Taiwan
  • Vietnam

Researchers noted that the malicious files use filenames in multiple languages, including English, Portuguese, French, German, and Malay. This suggests the attackers are targeting a broad international audience rather than focusing on a single region.

Malaysia currently accounts for the largest number of observed infections.

What Happens After the File Is Opened?

Once a victim opens the malicious attachment, the script creates a working directory on the device and begins downloading additional files from attacker-controlled infrastructure.

The malware then uses Windows Script Host to execute these components and establish remote access capabilities on the infected system. According to Kaspersky, the attackers are leveraging administrative tools that are normally intended for legitimate IT management and support purposes.

This allows cybercriminals to gain greater control over affected devices while remaining difficult to detect.

How Users Can Stay Safe

Kaspersky is advising WhatsApp users to exercise caution when receiving unexpected attachments, even if they appear to come from trusted contacts.

Users should avoid opening files with extensions such as:

  • .vbs
  • .vbe
  • .exe
  • .bat
  • .cmd
  • .js
  • .ps1

unless their authenticity has been independently verified.
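The check below is an added example, not code from Kaspersky or from this article: it applies the extension list above to attachment file names, including names that put a document-style extension in front of the real one. The `DECOY` list, the "hold" verdict and the sample file names are assumptions constructed for illustration.

```python
from pathlib import PureWindowsPath

# Extensions listed in the article's advice.
RISKY = {".vbs", ".vbe", ".exe", ".bat", ".cmd", ".js", ".ps1"}
# Assumption: document extensions a lure may display before the real one.
DECOY = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def classify_attachment(filename):
    """Return (verdict, reasons) for one attachment file name."""
    # Windows ignores case and drops trailing dots and spaces,
    # so normalise the name before reading its extension.
    name = PureWindowsPath(filename).name.rstrip(". ").lower()
    suffixes = PureWindowsPath(name).suffixes
    final = suffixes[-1] if suffixes else ""
    reasons = []
    if final in RISKY:
        reasons.append("risky extension " + final)
        # A document extension directly before the real one suggests disguise.
        if len(suffixes) > 1 and suffixes[-2] in DECOY:
            reasons.append("document-style double extension")
    return ("hold" if reasons else "allow"), reasons


def triage(filenames):
    """Return the names that should be held for independent verification."""
    return [n for n in filenames if classify_attachment(n)[0] == "hold"]


# Constructed sample names, not taken from the campaign.
SAMPLE_NAMES = [
    "Invoice_2024.pdf.vbs",
    "Extrato Bancario.VBS",
    "Rechnung.docx",
    "penyata_akaun.xlsx",
    "relevé.v2.pdf",
    "update.ps1. ",
]

if __name__ == "__main__":
    for sample in SAMPLE_NAMES:
        print(sample, classify_attachment(sample))
```
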

The cybersecurity company also recommends installing reliable security software on both computers and mobile devices to help detect and block malicious activity.

Growing Threat to Messaging Platforms

The latest campaign highlights how cybercriminals are increasingly exploiting trusted messaging services to distribute malware. Since messages often come from familiar contacts, users may be less cautious than they would be with suspicious emails.

As attackers continue to refine their tactics, security experts emphasize the importance of verifying unexpected files before opening them and remaining vigilant against social engineering attempts that exploit trust and familiarity.

Final Thoughts

The latest malware campaign targeting WhatsApp Desktop and WhatsApp Web users serves as a reminder that cybercriminals are constantly finding new ways to exploit trusted communication platforms. By disguising malicious files as invoices, bank statements, and other business-related documents, attackers are attempting to trick users into infecting their own devices.

Security experts recommend avoiding unexpected attachments, even if they appear to come from familiar contacts, as compromised accounts can be used to spread malware further. Verifying file authenticity, keeping security software updated, and exercising caution with executable or script-based files can significantly reduce the risk of infection.

As cyber threats continue to evolve, staying vigilant and following basic cybersecurity practices remains the best defense against malware attacks targeting popular messaging platforms like WhatsApp.
