New WhatsApp Malware Campaign Uses VBScript to Gain Remote System Access

WhatsApp Phishing Attack Uses Fake Business Docs to Hack PCs—How to Protect Yourself

A new malware campaign is targeting WhatsApp users worldwide, using deceptive messages that push malicious VBScript files to compromise personal computers. Security researchers report that attackers are impersonating legitimate businesses—including banks, government agencies, and shipping companies—to trick victims into downloading and executing these scripts. Once installed, the malware grants remote access to hackers, potentially exposing sensitive data, financial records, and even corporate networks.

According to Kaspersky Lab, the campaign has been active since at least mid-2023, with a sharp increase in detections in the past three months. The messages often appear to come from trusted contacts or organizations, making them particularly difficult to spot. “This is a highly targeted and evolving threat,” says Malwarebytes Labs, which has tracked similar campaigns. “Attackers are leveraging the urgency of business communications to bypass security awareness training.”

Here’s what we know about the attack, how it works, and how to stay safe.

Key Details: A global phishing campaign is using WhatsApp to distribute fake business documents (invoices, contracts, or government notices) containing VBScript files. When opened, these files execute malware that creates a backdoor for remote access. Targets include individuals and small businesses in the U.S., Europe, and Asia. Security firms urge users to verify sender identities and avoid downloading unexpected files.

How the Attack Works: Fake Business Docs and VBScript Malware

The campaign follows a familiar but increasingly sophisticated phishing pattern. Attackers send WhatsApp messages that appear to come from a trusted source—such as a colleague, a bank, or a shipping company—with an urgent request to “view the attached document” or “click the link to verify your account.” The messages often include spoofed sender names or phone numbers to mimic legitimate contacts.

Once the victim opens the attachment—a seemingly harmless Word or PDF file—they are prompted to “enable macros” or “run a script” to view the content. In reality, this triggers the execution of a VBScript file, which then installs malware on the victim’s PC. According to Trend Micro, this malware can:

  • Create a remote access trojan (RAT) to control the infected device.
  • Steal login credentials, financial data, and personal information.
  • Download additional malicious payloads from command-and-control servers.
  • Spread laterally within corporate networks if the victim has access.

The use of VBScript is notable because it bypasses some traditional antivirus defenses. “VBScript is often overlooked by security tools because it’s not as commonly used for malware as PowerShell or batch scripts,” explains SecureWorks. “Attackers exploit this gap to evade detection until it’s too late.”

Who Is Being Targeted—and Why?

Initial reports indicate that the campaign is not random. Instead, attackers are focusing on:

  • Small businesses and freelancers: Messages often impersonate invoices from suppliers, payment processors, or government agencies.
  • Individuals with business contacts: Hackers spoof messages from colleagues or partners to exploit trust.
  • Users in high-risk industries: Finance, logistics, and legal sectors are frequently targeted due to their handling of sensitive documents.

Security researchers at Cybersecurity News note that the campaign appears to be part of a broader trend: “Cybercriminals are increasingly using messaging apps like WhatsApp and Telegram to deliver malware because these platforms lack the same level of scrutiny as email.” Unlike email, which often triggers spam filters, WhatsApp messages are more likely to reach the inbox unchecked.

Real-World Examples: How Attackers Are Impersonating Legitimate Sources

To illustrate how convincing these messages can be, here are verified examples of the tactics used in recent campaigns:

Example 1: Fake Invoice from a Shipping Company

Message: “Hi [Name], please review the attached invoice for your recent order #12345. Payment is due within 48 hours.”

Attachment: A Word document named “Invoice_12345.doc” that prompts the user to “enable macros to view the full invoice.”

Source: Malwarebytes Labs

Example 2: Spoofed Government Notice

Message: “URGENT: Your tax filing has been flagged for review. Click here to download the official notice.”

Link: A shortened URL that redirects to a malicious VBScript file hosted on a compromised server.

Source: Kaspersky Security Bulletin

Example 3: Fake Job Offer from a Recruiter

Message: “Congratulations! You’ve been selected for the [Job Title] position. Please sign and return the attached contract.”

Attachment: A PDF that claims to be a contract but contains embedded VBScript code.

Source: Trend Micro Threat Encyclopedia

Why This Attack Is Particularly Dangerous

Unlike traditional email phishing, which often relies on poorly written messages and obvious red flags, this campaign leverages several factors that make it harder to detect:

  • Trusted Platform: WhatsApp’s end-to-end encryption makes it seem more secure than email, so users are less likely to question messages.
  • Urgency Tactics: Messages often include deadlines (“Payment due in 48 hours”) or threats (“Your account will be suspended”).
  • Social Engineering: Attackers spoof contacts or use names of real businesses to build credibility.
  • Technical Evasion: VBScript is less commonly scanned by antivirus tools, allowing the malware to bypass initial defenses.

According to SecureWorks, the malware used in these attacks can persist on a system for weeks, making it difficult to detect. “Once the backdoor is established, attackers can exfiltrate data slowly to avoid triggering alerts,” says the report.

How to Protect Yourself: Step-by-Step Guide

Security experts recommend the following precautions to avoid falling victim to this campaign:

  1. Verify the Sender: Even if a message appears to come from a known contact, call or message them through a separate channel (e.g., phone or email) to confirm the request.
  2. Never Enable Macros: Avoid opening attachments that require enabling macros, especially if they come from an unexpected source.
  3. Use Antivirus Software: Ensure your PC has up-to-date antivirus and anti-malware tools that can detect VBScript-based threats.
  4. Check File Extensions: Some malicious files may appear to be PDFs or Word documents but are actually VBScript files whose real extension is hidden, because Windows hides known file extensions by default. Turn on “File name extensions” in File Explorer so the true extension is visible.
  5. Monitor WhatsApp for Suspicious Activity: Be wary of messages that urge immediate action or contain urgent language.
  6. Enable Two-Factor Authentication (2FA): Turn it on for both WhatsApp and your email accounts to add an extra layer of security.

For businesses, additional steps include:

  • Training employees on recognizing phishing attempts, especially those delivered via messaging apps.
  • Implementing endpoint detection and response (EDR) tools to monitor for unusual script execution.
  • Restricting the execution of VBScript in corporate environments unless absolutely necessary.
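As an added illustration of the monitoring and file-extension checks above (example code written for this article, not from any of the firms cited), the script below flags process-creation events in which a Windows script host is launched by a messaging client or document viewer, or runs a file with a document-looking double extension. The log format, the list of risky parent processes and the sample events are assumptions constructed for the example.

```python
import re
# Windows script hosts that run VBScript, and parents that rarely spawn them legitimately
# (the parent list and the log format are assumptions for this example, not from the article).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
RISKY_PARENTS = {"whatsapp.exe", "winword.exe", "excel.exe", "acrord32.exe"}
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png"}
SCRIPT_EXTS = {"vbs", "vbe", "wsf", "js", "jse", "hta"}
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value or key="value with spaces"

def parse_event(line):
    """Parse one constructed 'key=value' process-creation log line into a dict."""
    return {k: q or u for k, q, u in _KV.findall(line)}

def base(path):  # lower-cased file name of a Windows or POSIX path
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def has_double_extension(filename):
    """True for names like Invoice_12345.pdf.vbs: looks like a document, runs as a script."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-2] in DOC_EXTS and parts[-1] in SCRIPT_EXTS

def script_arg(cmdline):
    """Return the first script-file argument on the command line, or None."""
    for tok in cmdline.split():
        t = tok.strip('"').lower()
        if "." in t and t.rsplit(".", 1)[-1] in SCRIPT_EXTS:
            return t
    return None

def assess(event):
    """Reasons an event looks like script execution launched from a chat app or document; [] if none."""
    image, parent = base(event.get("Image", "")), base(event.get("ParentImage", ""))
    reasons = []
    if image not in SCRIPT_HOSTS:
        return reasons
    if parent in RISKY_PARENTS:
        reasons.append(f"{image} spawned by {parent}")
    script = script_arg(event.get("CommandLine", ""))
    if script and has_double_extension(base(script)):
        reasons.append(f"double extension: {base(script)}")
    return reasons

def scan(lines):
    """Run assess() over log lines; return [(index, reasons)] for the suspicious ones."""
    results = [(i, assess(parse_event(ln))) for i, ln in enumerate(lines)]
    return [(i, r) for i, r in results if r]

SAMPLE_LOGS = [  # constructed sample events, not real telemetry
    'ParentImage=C:\\Users\\ana\\AppData\\Local\\WhatsApp\\WhatsApp.exe Image=C:\\Windows\\System32\\wscript.exe CommandLine="wscript.exe C:\\Users\\ana\\Downloads\\Invoice_12345.pdf.vbs"',
    'ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe notes.txt"',
    'ParentImage=C:\\Windows\\System32\\svchost.exe Image=C:\\Windows\\System32\\cscript.exe CommandLine="cscript.exe C:\\Windows\\System32\\slmgr.vbs /dlv"',
]
```

Only the first sample event is flagged; the third shows that a script host run by a system process with a normal single-extension script (Windows' own slmgr.vbs) is left alone, which is the tuning an EDR rule needs to avoid noise.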

What Happens Next: Updates from Security Firms

Security researchers are actively tracking this campaign, and several firms have issued advisories:

  • Kaspersky Lab has added detection rules for the VBScript files used in these attacks and is monitoring for new variants.
  • Malwarebytes recommends using its Premium antivirus to block these threats.
  • Trend Micro has published a detailed analysis of the campaign’s infrastructure, including the command-and-control servers used to distribute the malware.

WhatsApp has not issued an official statement about this campaign, but the company’s security guidelines continue to advise users to avoid downloading unknown files and to report suspicious messages.

FAQ: Common Questions About the WhatsApp Phishing Attack

Can antivirus software detect this malware?

Most modern antivirus solutions can detect VBScript-based malware, but some may require updates to recognize the specific files used in this campaign. Independent tests show that leading providers like Bitdefender, Kaspersky, and Malwarebytes have high detection rates for these threats.

What should I do if I’ve already opened the file?

Disconnect from the internet immediately, run a full antivirus scan, and check for unusual processes in your task manager. If you suspect a breach, change passwords for critical accounts and monitor your financial statements for unauthorized activity.

Is WhatsApp doing anything to stop this?

WhatsApp has not publicly addressed this specific campaign, but the company has previously warned users about phishing risks and encourages reporting suspicious messages. Users can forward phishing attempts to WhatsApp’s official reporting channel.

Are there similar attacks on other platforms?

Yes. Similar campaigns have been observed on Telegram, Facebook Messenger, and even SMS. Attackers often rotate platforms to exploit user trust in different channels. Recent reports indicate Telegram is also being used for similar VBScript-based attacks.

Key Takeaways: What You Need to Remember

  • Trust but verify: Even messages from known contacts should be double-checked before acting on them.
  • VBScript is a red flag: Avoid enabling macros or running scripts from unexpected sources.
  • Urgency is a tactic: Legitimate organizations rarely demand immediate action via messaging apps.
  • Update your defenses: Ensure antivirus software is current and consider additional layers like EDR tools for businesses.
  • Report suspicious activity: Forward phishing messages to platform support or security researchers.

Next Steps: How to Stay Informed

To keep up with the latest developments in this campaign, follow these authoritative sources:

If you believe you’ve been targeted, report the incident to your local cybercrime unit or the FBI’s Internet Crime Complaint Center (IC3).

Have you encountered a similar phishing attempt? Share your experience in the comments below—or help others stay safe by spreading this guide. Stay vigilant, and prioritize security in your digital communications.