A sophisticated phishing campaign targeting WhatsApp users is spreading across several countries.
WhatsApp Phishing Campaign Uses Fake Business Documents to Compromise PCs Across Multiple Countries

Researchers at cybersecurity firm Kaspersky have uncovered the ongoing operation, which leverages compromised WhatsApp accounts to distribute malicious files disguised as legitimate financial and corporate documents. The campaign has already been detected in numerous countries, including Brazil, India, Mexico, Singapore, the United Kingdom, Spain, Taiwan, Australia, Russia, Vietnam, and Malaysia.
Attackers Exploit Trust in WhatsApp Contacts
According to Kaspersky, the attacks begin when victims receive WhatsApp messages from contacts they know and trust. These contacts, however, have already had their accounts compromised by the threat actors.
Unlike traditional phishing attempts that include suspicious links or lengthy messages, the attackers send only a file attachment, making the communication appear more authentic and reducing suspicion among recipients.
The attached files are heavily obfuscated VBScript (VBS) files designed to appear as important business documents. File names often reference invoices, financial statements, billing records, payment confirmations, account notifications, or corporate reports—documents that recipients may feel compelled to review immediately.
Researchers noted that the filenames are customized in multiple languages, indicating that the campaign has been carefully tailored to target victims across different regions and industries.
Infection Begins with a Single Click
Once a victim downloads and executes the malicious VBS file, a multi-stage infection process is initiated. The script quietly performs several actions in the background, ultimately installing additional components that enable attackers to gain control of the compromised system.
One of the most notable aspects of the campaign is its use of legitimate software during the infection process. Attackers deploy ManageEngine Endpoint Central, a widely used enterprise IT management platform trusted by organizations around the world.
Endpoint Central is typically used by IT administrators to manage computers, deploy software updates, monitor devices, and perform remote administration from a centralized dashboard. By abusing this legitimate tool, threat actors can blend malicious activity with normal system operations, making detection more difficult for security teams.
The use of trusted software also helps attackers bypass some security controls that might otherwise flag unknown or suspicious applications.
Global Reach of the Campaign
Kaspersky’s telemetry data suggests that the operation is highly organized and geographically diverse. Security researchers observed infection attempts in countries spanning Asia, Europe, Latin America, and Oceania.
The broad distribution indicates that the attackers are not focused on a specific industry or region. Instead, they appear to be pursuing a large-scale opportunistic campaign aimed at individuals and businesses alike.
Cybersecurity experts believe the threat actors are exploiting the widespread popularity of WhatsApp, which has more than two billion users worldwide. Because people often trust messages received from friends, family members, colleagues, and business contacts, phishing attacks delivered through the platform can be particularly effective.
Growing Trend of Messaging-App-Based Attacks
The discovery highlights a growing trend among cybercriminals who are increasingly shifting phishing operations away from traditional email and toward messaging applications.
Security researchers have observed a steady rise in attacks delivered through platforms such as WhatsApp, Telegram, Signal, and other messaging services. These channels often benefit from higher engagement rates and lower user skepticism compared to email-based phishing campaigns.
By hijacking legitimate accounts, attackers can further increase the credibility of their messages and improve the likelihood that victims will interact with malicious content.
How Users Can Stay Protected
Security experts advise WhatsApp users to exercise caution when receiving unexpected file attachments, even if they appear to come from trusted contacts.
Users should verify unusual requests through a separate communication channel before opening files and avoid running script-based attachments such as VBS files. Organizations are also encouraged to implement endpoint security solutions capable of detecting suspicious behavior and to educate employees about emerging phishing tactics.
Enabling multi-factor authentication on WhatsApp accounts can also help reduce the risk of account compromise and prevent attackers from using hijacked accounts to target additional victims.
As cybercriminals continue refining their techniques, security professionals warn that phishing campaigns delivered through trusted messaging platforms are likely to remain a significant threat to both individuals and businesses worldwide.










