WhatsApp users are being targeted by a VBScript campaign that installs the ManageEngine RMM tool via fake document attachments. Learn how to protect yourself.
A new wave of cyberattacks is hitting WhatsApp users, and it's cleverer than most. Scammers are sending direct messages that look like they contain important documents. But instead of a harmless PDF or Word file, you get a malicious Visual Basic Script (VBScript) file that quietly installs a legitimate Remote Monitoring and Management (RMM) tool called ManageEngine.
This isn't some amateur operation. Security researchers at Kaspersky have uncovered an active campaign targeting people across the globe. The countries hit hardest so far include Malaysia, Brazil, India, Mexico, Singapore, the U.K., Spain, Taiwan, and Australia. If you use WhatsApp Desktop or WhatsApp Web, you're in the crosshairs.
### How the Attack Works
The trick is surprisingly simple. You receive a WhatsApp message from someone you might know—or at least a number that looks familiar. The message urges you to open an attached file, claiming it's an invoice, a contract, or some other important document. But when you click, you're not opening a document. You're running a VBScript that downloads and installs the ManageEngine RMM tool.
Why would attackers install legitimate software? Because RMM tools are designed to give remote access and control over computers. IT teams use them for support and maintenance. But in the wrong hands, they become a backdoor into your system. Once ManageEngine is installed, attackers can monitor your activity, steal files, or even lock you out of your own machine.
### Who Is at Risk?
This campaign is widespread. Kaspersky's data shows victims in at least nine countries, spanning Asia, the Americas, Europe, and Oceania. But here's the thing: anyone using WhatsApp Desktop or WhatsApp Web could be a target. The attackers aren't picky. They're casting a wide net.
- **WhatsApp Desktop users** on Windows are especially vulnerable because the attack relies on executing a .vbs file.
- **WhatsApp Web users** who click links or download attachments from messages can also fall victim.
- **Mobile users** are less directly affected, but they might receive the same malicious messages and be tricked into switching to a desktop device.
### Why This Matters for You
You might think, "I'd never click a random file from a stranger." But these attackers are sophisticated. They often impersonate someone you trust—a colleague, a friend, or a service provider. The messages are crafted to feel urgent or important. It's easy to let your guard down.
Here's a quick reality check: legitimate companies almost never send important documents as attachments via WhatsApp. If you receive an unexpected file, especially one with a .vbs, .js, or .exe extension, pause. Verify with the sender through a different channel before opening anything.
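The extension check above can be automated for a downloads folder or a helpdesk queue. The following is an added example, not code from the original article or from Kaspersky's research: it flags the three extensions named above and separately marks names that hide one behind a document extension. The function names, the document-extension list and the sample filenames are assumptions made for illustration.

```python
from pathlib import PureWindowsPath

# Extensions the article names as red flags for a WhatsApp attachment.
RISKY_EXTENSIONS = {".vbs", ".js", ".exe"}
# Assumption: extensions a lure would imitate (the article mentions PDF and Word).
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx"}


def normalize(filename: str) -> str:
    """Return the lower-cased basename as Windows would resolve it.

    Windows ignores trailing dots and spaces when opening a file, so
    "invoice.vbs. " still runs as a script; strip them before checking.
    """
    return PureWindowsPath(filename.rstrip(". ")).name.lower()


def triage_attachment(filename: str) -> str:
    """Classify an attachment name as 'disguised', 'risky' or 'ok'.

    'disguised': risky final extension preceded by a document extension
    'risky'    : risky final extension with no document decoy
    'ok'       : final extension is not in RISKY_EXTENSIONS
    """
    suffixes = PureWindowsPath(normalize(filename)).suffixes
    if not suffixes or suffixes[-1] not in RISKY_EXTENSIONS:
        return "ok"
    if any(s in DOCUMENT_EXTENSIONS for s in suffixes[:-1]):
        return "disguised"
    return "risky"


def flag_attachments(filenames):
    """Return {name: verdict} for every name that is not 'ok'."""
    verdicts = {name: triage_attachment(name) for name in filenames}
    return {name: v for name, v in verdicts.items() if v != "ok"}


# Constructed sample names, not taken from the campaign.
SAMPLE_NAMES = [
    r"C:\Users\demo\Downloads\Invoice_0421.pdf.vbs",
    "Contract.DOCX.JS",
    "setup.EXE. ",
    "Contract.docx",
    "notes.vbs.txt",
]

if __name__ == "__main__":
    for name, verdict in flag_attachments(SAMPLE_NAMES).items():
        print(f"{verdict:10} {name}")
```

The check only looks at the final extension Windows would act on, so a name like `notes.vbs.txt` is not flagged while `Invoice_0421.pdf.vbs` is.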
### How to Protect Yourself
Staying safe doesn't require a degree in cybersecurity. A few simple habits can make a huge difference.
- **Never open unexpected attachments.** Even if the message looks real, confirm with the sender first.
- **Enable two-step verification** on your WhatsApp account. This adds an extra layer of security.
- **Keep your software updated.** Both WhatsApp and your operating system should be running the latest versions.
- **Use an antidetect browser** when handling sensitive communications online. It helps mask your digital fingerprint and adds a layer of anonymity.
- **Be skeptical of urgency.** Attackers love creating panic. Take a breath and think before you click.
### The Bigger Picture
This campaign is a reminder that cybercriminals are always adapting. They're using legitimate tools to do illegitimate things. ManageEngine is a trusted RMM solution used by IT professionals worldwide. But here, it's weaponized.
What makes this attack particularly dangerous is that it flies under the radar. Traditional antivirus software might not flag the installation because the RMM tool itself isn't malicious. It's what happens after—the remote access, the data theft, the ransomware—that causes the damage.
### Final Thoughts
We live in a world where every link and attachment carries risk. But you don't have to live in fear. Stay informed, stay cautious, and trust your instincts. If something feels off, it probably is.
Remember, the goal of these attackers is to get you to act without thinking. Don't let them. Take that extra moment to verify, and you'll stay one step ahead.