WhatsApp VBScript Campaign Uses Fake Documents to Install ManageEngine RMM Tool

thehackernews.com 2026-06-23 malicious AI use Medium

What Happened

Direct messages sent via WhatsApp are being used to distribute malicious Visual Basic Script (VBScript) files that lead to the installation of legitimate Remote Monitoring and Management (RMM) software. Per findings from Kaspersky, the active campaign is targeting users of WhatsApp Desktop and WhatsApp Web across Malaysia, Brazil, India, Mexico, Singapore, the U.K., Spain, Taiwan, Australia,

Why It Matters

The article describes a global malware campaign where attackers use compromised WhatsApp accounts to send malicious VBScript attachments masquerading as business or financial documents, primarily to WhatsApp Desktop and Web users.[1][4][5] Once opened, these scripts execute a multi-stage chain that weakens Windows User Account Control and silently installs a legitimate ManageEngine Endpoint Central (RMM) agent preconfigured to connect to attacker-controlled infrastructure, giving remote control over victim systems.[1][2][3][4] From a CyberSE.AI perspective, this is not an AI-driven attack but a software-abuse and supply-chain-style misuse of legitimate RMM tooling; organizations embedding RMM or similar remote-control components into AI-enabled IT workflows should treat such agents as high-risk dependencies, maintain SBOM-level visibility, and enforce strict deployment, configuration, and monitoring controls. Security teams should also integrate detections for chat-delivered scripts, unusual RMM enrollment patterns, and unauthorized RMM configurations into their broader AI and IT operations security posture to prevent attackers from hijacking remote administration channels that may

Healthcare Fintech SaaS SMB AI startups
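
One way to express the detections suggested above, as an added example (not code from the source article or from Kaspersky's findings): it correlates a Windows Script Host run of a .vbs/.vbe file from a user profile with a later UAC policy change or an RMM enrollment to an unapproved server. The event schema, the `rmm_enroll` inventory record, the host and server names and the 30-minute window are assumptions; the UAC values are the standard Windows policy values, since the page does not say which settings the scripts change.

```python
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}     # Windows Script Host binaries
UAC_KEY = r"\software\microsoft\windows\currentversion\policies\system"
UAC_VALUES = {"enablelua", "consentpromptbehavioradmin", "promptonsecuredesktop"}
APPROVED_RMM_SERVERS = {"rmm.corp.example"}       # assumption: your own RMM server
WINDOW = timedelta(minutes=30)                    # assumption: correlation window

def stage(ev):
    """Map one normalized event to a chain stage, or None if it is irrelevant."""
    if ev["kind"] == "process":
        image = ev["image"].lower().rsplit("\\", 1)[-1]
        cmd = ev["cmdline"].lower()
        if image in SCRIPT_HOSTS and (".vbs" in cmd or ".vbe" in cmd) and "\\users\\" in cmd:
            return "script_from_user_dir"
    elif ev["kind"] == "registry":
        key, _, value = ev["target"].lower().rpartition("\\")
        if key.endswith(UAC_KEY) and value in UAC_VALUES:
            return "uac_policy_change"
    elif ev["kind"] == "rmm_enroll" and ev["server"].lower() not in APPROVED_RMM_SERVERS:
        return "unapproved_rmm_server"
    return None

def correlate(events):
    """Return {host: [stages]} where a user-dir script run is followed within
    WINDOW by a UAC policy change and/or an unapproved RMM enrollment."""
    chains = {}                                   # host -> (start_time, [stages])
    for ev in sorted(events, key=lambda e: e["time"]):
        s, host = stage(ev), ev["host"]
        if s is None:
            continue
        start, seen = chains.get(host, (None, []))
        if s == "script_from_user_dir":
            if len(seen) < 2:                     # keep a chain that already correlated
                chains[host] = (ev["time"], [s])
        elif start is not None and ev["time"] - start <= WINDOW and s not in seen:
            seen.append(s)
    return {h: seen for h, (_, seen) in chains.items() if len(seen) > 1}

# Constructed sample events (hypothetical hosts, paths and servers)
T0 = datetime(2026, 1, 1, 9, 0)
REG = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"
SAMPLE = [
    {"host": "ws-01", "time": T0, "kind": "process", "image": r"C:\Windows\System32\wscript.exe", "cmdline": r'wscript.exe "C:\Users\a\Downloads\Invoice.vbs"'},
    {"host": "ws-01", "time": T0 + timedelta(minutes=1), "kind": "registry", "target": REG},
    {"host": "ws-01", "time": T0 + timedelta(minutes=4), "kind": "rmm_enroll", "server": "rmm.unknown.example"},
    {"host": "ws-02", "time": T0, "kind": "rmm_enroll", "server": "rmm.corp.example"},
    {"host": "ws-03", "time": T0, "kind": "registry", "target": REG},
]
```

Calling `correlate(SAMPLE)` reports only `ws-01`; the approved enrollment on `ws-02` and the standalone UAC change on `ws-03` are left for their own single-event rules.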

CyberSE Analysis

This signal maps to malicious AI use. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.

Recommended Actions

  • Restrict AI agent tool permissions and production write paths.
  • Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
  • Add human approval workflows for high-impact or state-changing actions.
  • Run prompt injection and indirect prompt injection tests against affected workflows.
  • Document the owner, control gap, and remediation deadline for this risk class.

Source

https://thehackernews.com/2026/06/whatsapp-vbscript-campaign-uses-fake.html