AbejaIT AbejaIT

WhatsApp VBScript Campaign Uses Fake Documents to Install ManageEngine RMM Tool

06.07.2026

Kaspersky detected an active cyberattack campaign in which criminals use WhatsApp to distribute malicious VBScript files disguised as documents. Once executed, the script installs a legitimate RMM tool (ManageEngine), giving attackers remote control over the victim's device. The campaign targets users in multiple countries including the UK, India, Brazil, and Singapore.

Attackers have long employed the living off the land method — using legitimate system and commercial tools to evade detection by antivirus systems. The latest campaign detected by Kaspersky provides further evidence that this tactic is evolving and reaching for new distribution channels. WhatsApp, widely used for both personal and business communication, is being leveraged as a carrier for malicious VBScript scripts disguised as working documents.

Infection Mechanism: Fake Document, Real Takeover

The victim receives a file through WhatsApp that appears to be a document (invoice, commercial offer, instruction) with an extension that looks like a PDF or DOCX at first glance. In reality, it is a VBScript (.vbs) file. Once executed, the script downloads and silently installs ManageEngine Remote Monitoring and Management — legitimate software used by IT administrators for remote computer management. The installation happens in the background, with no interface presented to the user.

After installation, attackers gain full access to the device through the ManageEngine panel: they can browse files, execute commands, install additional malware, and even grant themselves administrator privileges. Since ManageEngine is a legitimate tool used by companies worldwide, network traffic between the infected device and attacker servers may not raise suspicion from firewalls and DLP systems.

Why Is WhatsApp an Effective Attack Vector?

The effectiveness of this campaign stems from several factors. First, WhatsApp is widely perceived as a personal communication channel — users have lower vigilance about files received from friends or apparently familiar contacts. Second, the WhatsApp mobile app on Android and iOS automatically downloads media files, which can shorten the victim's reaction time. Third, VBScript is a native Windows interpreter that is available by default in most corporate environments and rarely blocked by system policies.

The campaign is particularly dangerous in environments where employees use WhatsApp to communicate with clients or business partners — common in SMEs and many service industries. The attack targets not technical system vulnerabilities, but the human factor — the tendency to open files sent by apparently credible contacts.

How to Protect Your Organization Against Such Threats

Protecting against social engineering and legitimate tool abuse requires a multi-layered approach:

  • VBScript blocking policies — many organizations can safely disable the VBScript interpreter through Group Policy or Windows Defender Exploit Guard, eliminating this attack vector.
  • RMM software management — using an allowlist of approved RMM tools and blocking unauthorized installations through MDM or endpoint management.
  • Employee training — raising awareness that VBS, WSF, JS, and other scripts received through messaging apps can be malicious, regardless of the apparent source.
  • Endpoint monitoring — EDR (Endpoint Detection and Response) capable of detecting anomalies in process behavior, such as background script-initiated software installation.
  • Network segmentation — restricting access to critical resources from unmanaged or unauthorized devices.

AbejaIT: Endpoint Security Management

Protecting employee devices from sophisticated social engineering attacks requires both appropriate technology and security processes and culture. AbejaIT offers support in IT infrastructure, including deployment and configuration of EDR systems, device management policies (MDM), and endpoint security audits.

Equally important is IT consulting to build security policies tailored to your organization — including rules for using messaging apps for business purposes, RMM tool access management, and incident reporting procedures. Contact us to discuss how to effectively secure your company's working environment against such threats.

Conclusions and Long-Term Protection

The VBScript/ManageEngine campaign reminds us that social engineering and abuse of legitimate tools remain among the most difficult vectors to block with purely technical means. Any software recognized as legitimate by security systems can become an attack tool if its installation is initiated by malicious code. This is why investing in security procedures and culture is just as critical as technical protection mechanisms.

Companies should develop clear policies regarding messaging app use for business purposes: which files can be shared via WhatsApp, which file types require verification before opening, and how to report suspicious messages to the IT team. Regular phishing exercises simulating attacks through mobile messaging apps increase employee resilience against real campaigns. MDM (Mobile Device Management) systems allow enforcing these policies at the device level, blocking software installation from non-approved sources regardless of how convincing a download request appears. The combination of technology, process, and awareness creates a multilayered defense that significantly complicates this type of campaign for attackers. Organizations that treat security awareness as an ongoing program — not a one-time training event — consistently demonstrate better security outcomes across all social engineering attack vectors.

Source: The Hacker News