WhatsApp VBScript RMM Campaign: NC SMB Messaging Defense

Kaspersky disclosed the WhatsApp VBScript → ManageEngine RMM malware campaign on June 23, 2026. Messaging-channel attack defense for NC SMBs. (336) 886-3282.


TL;DR: On June 23, 2026, Kaspersky's Securelist disclosed an active malware campaign that uses WhatsApp Desktop and WhatsApp Web direct messages to deliver malicious VBScript files masquerading as business and financial documents. Once a victim opens the attachment, a multi-stage chain installs a legitimate, pre-configured ManageEngine Endpoint Central (UEMS) RMM agent that hands the attacker persistent remote access to the workstation, per The Hacker News. The campaign hit multiple countries with the highest victim density in Malaysia, Brazil, India, and Mexico - but the technique works against any NC SMB whose staff use WhatsApp for business chats with clients, vendors, or jobsite crews. Email security gateways do not see this. Modern endpoint policy does.

Key takeaway: The corporate email gateway you spent two years tuning is now bypassed - not by a clever phish, but by the same script delivered over WhatsApp instead. Your messaging policy is your perimeter.

Need an endpoint + messaging policy review before this hits an NC SMB on a Friday afternoon? Preferred Data Corporation runs managed cybersecurity and security awareness for NC small businesses. Call (336) 886-3282 or request a messaging-channel review.

What is the WhatsApp VBScript RMM campaign?

It is a multi-stage social-engineering attack that delivers a Stage 1 VBScript file as a WhatsApp Desktop / Web attachment, then walks the victim's machine through UAC modification and the silent installation of ManageEngine Endpoint Central - a legitimate, signed UEM/RMM agent - configured to phone home to the attacker, per SOCRadar and Securelist's analysis.

Stage | What it does | Why it bypasses SMB tooling
--- | --- | ---
0. Delivery | WhatsApp Desktop / Web direct message with fake "invoice," "statement," or "purchase order" attachment | Email gateway does not see it; user trusts the contact who sent it
1. Stage 1 VBScript | Downloads two additional VBScript stages from attacker infrastructure | VBScript execution blocked by default? Most SMBs have not turned it off
2. UAC manipulation | One sub-script edits Windows UAC settings to reduce elevation prompts | Standard user with no EDR sees no signal
3. ZIP fetch + install | Other sub-script downloads a ZIP containing the ManageEngine Endpoint Central installer | The installer is legitimate and signed; allow-lists let it through
4. RMM persistence | ManageEngine UEMS agent phones home, pre-configured to attacker C2 | Attacker now has remote console, file transfer, command execution, persistence

Kaspersky attributes the campaign with low confidence to a Chinese-speaking operator, based on Chinese-language code comments and infrastructure overlap (IP 202.61.160.201) with prior ValleyRAT and Gh0st RAT campaigns. The most affected territories are Malaysia, Brazil, India, Mexico, Singapore, UK, Spain, Taiwan, Australia, Russia, and Vietnam - but the playbook does not stop at borders.

Quotable definition: RMM-tool abuse is the technique of installing a legitimate, signed remote monitoring and management agent (ManageEngine, ConnectWise, AnyDesk, Atera, Splashtop, etc.) on a victim machine to gain persistent remote access without triggering the alerts that an unsigned backdoor would. Per Huntress's 2026 report, RMM abuse incidents surged 277% in 2026.

Three facts an NC SMB owner should write down:

  • Email security does not see WhatsApp deliveries. Your Microsoft Defender for Office 365, Proofpoint, Mimecast, or Barracuda gateway has no visibility into a WhatsApp Desktop direct message. The control surface that catches the same payload over email is bypassed by changing the messenger.
  • ManageEngine is legitimate software. Per The Hacker News, the campaign installs a real, signed RMM agent. Allow-lists, signature-based antivirus, and certificate-trust pipelines all let it pass.
  • The user is the attack surface, and the user trusts WhatsApp. A WhatsApp message from a known contact (vendor, customer, jobsite supervisor, the boss) is socially much higher-trust than a cold email. The same VBScript that gets ignored in email gets opened on WhatsApp.

Why does this hit NC SMBs specifically?

Because NC SMBs - manufacturers, construction firms, distributors, professional services, real estate, healthcare - have quietly let WhatsApp become the de facto business chat for client communication, jobsite coordination, vendor messaging, and informal sales. Most have never written a policy that says what you can and cannot do with WhatsApp on a corporate machine.

Realistic NC SMB exposure profiles:

  • High Point furniture manufacturer coordinating with overseas suppliers and reps via WhatsApp because that is the supplier's preferred channel. A spoofed "supplier statement" PDF lands at 11pm and the day-shift planner opens it from WhatsApp Web on the production laptop the next morning.
  • Greensboro construction or trades firm running WhatsApp groups for jobsite coordination. A spoofed "permit document" arrives in the group from a number that looks right. The PM opens it on the office machine.
  • Charlotte professional-services firm that lets attorneys, accountants, or engineers message clients on WhatsApp because clients prefer it. A "signed engagement letter" from a known client name walks past the email gateway entirely.
  • Piedmont Triad distributor or logistics firm running WhatsApp threads with truck drivers and field reps. A "BOL document" lands and the dispatcher opens it on the warehouse terminal.

The Huntress 2026 RMM tool abuse report documented a 277% surge in unauthorized RMM agent installation across SMBs. The WhatsApp VBScript campaign is one delivery vector feeding that pipeline. The realistic question for an NC SMB is not "are we targeted?" - it is "do we have endpoint detection that sees an unsanctioned ManageEngine agent installing on a workstation?"

Key takeaway: The defense is not "tell people not to open WhatsApp attachments." That conversation does not survive contact with the jobsite WhatsApp group. The defense is endpoint policy that blocks VBScript execution from messaging app temp directories, EDR that alerts on unsanctioned RMM agent installation, and a written messaging policy that names the approved channels.

What should an NC SMB do this month?

Run a seven-step plan. The campaign is active, the technique is documented, and the cost to deploy compensating controls is small.

  1. Block .vbs / .vbe / .js / .wsf execution from messaging app temp folders (this week). Group Policy / Intune AppLocker / Defender ASR rules can block script execution out of WhatsApp Desktop, Signal, Telegram, and similar temp paths. The user can still receive the file; the script cannot detonate.
  2. Allow-list the RMM tools your SMB actually uses (this week). Maintain a single, documented list (e.g., Atera, ConnectWise, NinjaOne) and detect-and-block installation of any other RMM agent - ManageEngine Endpoint Central included unless you own it.
  3. Turn on PowerShell Script Block Logging and AMSI inspection. Most NC SMB tenants ship with these off. The Stage 1 VBScript chain is detectable when AMSI is engaged and the SOC has a rule for "script downloads two more scripts."
  4. Deploy behavior-based EDR with managed SOC (this month). Microsoft Defender for Endpoint P2, CrowdStrike Falcon, SentinelOne, or Huntress with active 24/7 monitoring. The legitimate signed installer evades signature AV; behavior-based detection catches the unsanctioned install + outbound RMM beacon pattern.
  5. Write a messaging-app policy (this month). Name the approved channels for business chat (Microsoft Teams, Slack, your CRM messaging), the approved exceptions (e.g., WhatsApp for international vendors only), the rule for opening attachments ("never on the corporate machine"), and the request channel for adding new platforms.
  6. Train staff against messaging-app social engineering specifically. Most security awareness curricula stop at email phishing. Add a 10-minute module that shows what a fake invoice on WhatsApp Web looks like. Per Securelist, social trust on WhatsApp is the unguarded surface.
  7. Enroll BYOD messaging on managed containers. If WhatsApp is unavoidable for business use, contain it through Intune App Protection Policies or equivalent so corporate-data access from the messaging app stays inside a wipeable container, separate from the personal phone's filesystem.

Key takeaway: The Q3 2026 NC SMB messaging defense plan is not "ban WhatsApp." It is "block script execution from messaging temp paths, allow-list RMM tools, deploy behavior-based EDR, write a messaging policy." Total deploy time inside 30 days for the average NC SMB.

How does Preferred Data Corporation help NC SMBs close the messaging-channel gap?

PDC runs managed cybersecurity, endpoint hardening, and security awareness for NC SMBs - the exact stack that catches WhatsApp-delivered VBScript chains. We bring three things to the June 23, 2026 disclosure:

  • Managed cybersecurity services: Defender ASR rule deployment, AppLocker / script execution policy, PowerShell + AMSI logging, behavior-based EDR (Defender P2, Huntress), and 24/7 SOC monitoring of RMM agent installation events.
  • Managed IT services: Intune device policy for messaging app temp paths, RMM tool allow-listing, application allow-listing with parent-process awareness, and BYOD container policies for personal messaging apps.
  • Security awareness program: Quarterly training modules that include messaging-app social engineering, simulated WhatsApp-style attachment phishing, and quick-response runbooks for "I opened a message I should not have."

For NC manufacturers in High Point and the Piedmont Triad with overseas supplier chats, NC construction firms in Greensboro running jobsite WhatsApp groups, NC professional services firms in Charlotte messaging clients, and NC distributors using WhatsApp for field-rep coordination - the June 23, 2026 disclosure is the alarm that the email gateway is no longer the only inbound malware path.

Need help deploying ASR rules and RMM allow-listing before the next campaign? Call (336) 886-3282 or book a messaging-channel review.

Frequently Asked Questions

What is the WhatsApp VBScript RMM campaign?

It is an active malware campaign disclosed June 23, 2026 by Kaspersky's Securelist that delivers VBScript attachments through WhatsApp Desktop and WhatsApp Web. A successful infection ends with the silent installation of ManageEngine Endpoint Central (a legitimate UEM/RMM agent) pre-configured to give the attacker persistent remote access to the workstation.

Why is ManageEngine being installed by the attacker?

Per The Hacker News, the attacker uses ManageEngine Endpoint Central because it is a legitimate, signed RMM tool. Allow-lists, certificate-trust policies, and signature-based antivirus all permit the installer. Once running, the attacker has the same console-level access the IT team would have - file transfer, command execution, persistence - without dropping unsigned malware.

Does the email security gateway catch this?

No. The attachment is delivered through WhatsApp Desktop / Web, not through email. Microsoft Defender for Office 365, Proofpoint, Mimecast, Barracuda, and similar email gateways have no visibility into messaging app traffic. The defense moves to the endpoint: block script execution from messaging app temp paths, allow-list RMM tools, and behavior-based EDR.

Which NC SMBs are most at risk?

Any NC SMB whose staff use WhatsApp for business communication with vendors, clients, jobsite crews, or international suppliers. That includes manufacturers with overseas suppliers, construction and trades firms running jobsite groups, professional services firms messaging clients, distributors coordinating with drivers and reps, and SMBs with international customer bases. The technique works against any user who can be socially convinced to open a "business" attachment from a known contact on WhatsApp.

How do I block VBScript execution from WhatsApp Desktop on Windows?

Deploy a Defender ASR (Attack Surface Reduction) rule and AppLocker / Intune policy that prohibits cscript.exe and wscript.exe from executing files inside the WhatsApp Desktop temp paths (%LOCALAPPDATA%\WhatsApp and the OneDrive equivalent). The same policy should block Office macro execution from those paths and limit PowerShell script execution to signed scripts. Most NC SMB tenants can deploy this through existing Intune or Group Policy without new tooling.
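Step 1 of the plan above and this FAQ answer describe the same endpoint policy, so here is one worked version in PowerShell. It is an added example, not a deployment script from the original post or from Preferred Data Corporation. It assumes a single Windows 10/11 endpoint with Microsoft Defender and AppLocker available, uses Microsoft's published ASR rule identifiers, takes the %LOCALAPPDATA%\WhatsApp path from the page, and treats the Signal and Telegram paths as placeholders to confirm on your own build before enforcing. AppLocker is applied in audit mode first.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post or from Preferred Data Corporation).
# Hardens one Windows endpoint against the WhatsApp -> VBScript -> installer chain:
#   1. Defender ASR rules that stop script-launched downloads,
#   2. an AppLocker Script deny rule for messaging-app profile folders,
#   3. PowerShell Script Block Logging so the SOC can see what ran.
# Assumptions: the WhatsApp path is the page's %LOCALAPPDATA%\WhatsApp; the Signal and
# Telegram paths are placeholders you must confirm before switching to enforcement.

# --- 1. Defender ASR rules (GUIDs are Microsoft's published ASR rule identifiers).
$asrRules = @{
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
}
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
    Write-Host "ASR enabled: $($asrRules[$id])"
}

# --- 2. AppLocker Script collection. AppLocker has no %LOCALAPPDATA% variable, so the
#        per-user folder is written as %OSDRIVE%\Users\*\AppData\...; the Script collection
#        covers .ps1 .bat .cmd .vbs .js, which is why the ASR rules above are layered on top.
$messagingPaths = @(
    '%OSDRIVE%\Users\*\AppData\Local\WhatsApp\*',           # path named on the page
    '%OSDRIVE%\Users\*\AppData\Roaming\Signal\*',           # placeholder - verify on your build
    '%OSDRIVE%\Users\*\AppData\Roaming\Telegram Desktop\*'  # placeholder - verify on your build
)
$denyRules = $messagingPaths | ForEach-Object {
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny scripts under $_" Description="Messaging-app path" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="$_" /></Conditions>
    </FilePathRule>
"@
}

# Once a collection contains any rule, AppLocker blocks everything not explicitly allowed,
# so the default allow rules are included; a Deny rule still wins over an Allow rule.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow scripts in Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow scripts in Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Administrators all scripts" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
$($denyRules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'messaging-script-deny.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: a harmless stand-in file placed where a WhatsApp attachment would land.
$probe = Join-Path $env:LOCALAPPDATA 'WhatsApp\pdc-probe.vbs'
New-Item -ItemType File -Path $probe -Force -Value "' probe file`r`n" | Out-Null
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $probe -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item $probe -Force

# Apply in audit mode; AppLocker needs the Application Identity service running.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# --- 3. Script Block Logging (PowerShell event ID 4104) for the SOC.
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord
```

Run it once on a pilot machine, watch the AppLocker event log for 8006 audit events (scripts that would have been blocked) for a week, then change EnforcementMode to "Enabled" in the XML and re-apply. Fleet-wide, the same XML goes into the Intune AppLocker CSP or the Group Policy AppLocker node rather than being applied host by host.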

How does this campaign relate to the 2026 RMM tool abuse surge?

Per Huntress's 2026 report, unauthorized RMM agent installations rose 277% in 2026 across SMB victims. The WhatsApp VBScript campaign is one delivery vector feeding that pipeline - alongside ClickFix social engineering, search-engine SEO poisoning, and help-desk vishing. The defensive response is the same: allow-list the RMM tools you actually own and detect-and-block every other installation.
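The "allow-list what you own, flag everything else" rule from step 2 and from this FAQ can be checked in a few lines of PowerShell. The script below is an added example, not code from the original post or from Preferred Data Corporation. It assumes the RMM keyword table is a starting point to verify against your own vendors' documentation, matches on service display name and binary path so a renamed service still surfaces, and ships with constructed sample records so it can be dry-run without touching live services.

```powershell
# Added example (not from the original post or from Preferred Data Corporation).
# Flags remote monitoring / remote access agents that are not on the SMB's own allow-list,
# the post-infection state the page describes (an unsanctioned ManageEngine UEMS agent).
# Assumption: the keyword table is a starting point; confirm it against your vendor docs.
$RmmSignatures = @(
    'ManageEngine', 'UEMS', 'ScreenConnect', 'ConnectWise', 'AnyDesk', 'Atera',
    'Splashtop', 'NinjaRMM', 'TeamViewer', 'Kaseya', 'Syncro', 'RustDesk'
)

function Find-UnsanctionedRmm {
    param(
        # Keywords for the RMM products this SMB actually owns (e.g. 'NinjaRMM').
        [Parameter(Mandatory)] [string[]] $Allowed,
        # Service records with Name, DisplayName, PathName; defaults to the live service list.
        [object[]] $Services = (Get-CimInstance Win32_Service | Select-Object Name, DisplayName, PathName)
    )
    $pattern = $RmmSignatures -join '|'
    foreach ($svc in $Services) {
        $haystack = "$($svc.DisplayName) $($svc.PathName)"
        if ($haystack -notmatch $pattern) { continue }      # not an RMM agent, skip
        $sanctioned = $false
        foreach ($ok in $Allowed) {
            if ($haystack -match [regex]::Escape($ok)) { $sanctioned = $true; break }
        }
        [pscustomobject]@{
            Service     = $svc.Name
            DisplayName = $svc.DisplayName
            Path        = $svc.PathName
            Verdict     = if ($sanctioned) { 'sanctioned' } else { 'UNSANCTIONED - investigate' }
        }
    }
}

function Get-RecentRmmInstalls {
    param([int] $Days = 7)
    # MsiInstaller event 11707 = "Installation completed successfully"; Message names the product.
    $pattern = $RmmSignatures -join '|'
    Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 11707
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $pattern } |
        Select-Object TimeCreated, @{ n = 'Product'; e = { $_.Message } }
}

# Constructed sample records (not real telemetry): a sanctioned NinjaOne agent, a ManageEngine
# UEMS agent the SMB does not own, and an ordinary Windows service that should be ignored.
$sample = @(
    [pscustomobject]@{ Name = 'NinjaRMMAgent'; DisplayName = 'NinjaRMMAgent'; PathName = 'C:\Program Files\NinjaRMMAgent\NinjaRMMAgent.exe' },
    [pscustomobject]@{ Name = 'ManageEngine UEMS - Agent'; DisplayName = 'ManageEngine UEMS - Agent'; PathName = 'C:\Program Files (x86)\UEMS_Agent\bin\agent.exe' },
    [pscustomobject]@{ Name = 'Spooler'; DisplayName = 'Print Spooler'; PathName = 'C:\Windows\System32\spoolsv.exe' }
)
Find-UnsanctionedRmm -Allowed @('NinjaRMM') -Services $sample | Format-Table -AutoSize
# Expected: NinjaRMMAgent -> sanctioned; ManageEngine UEMS - Agent -> UNSANCTIONED; Spooler not listed.

# Live check on this endpoint (uncomment):
# Find-UnsanctionedRmm -Allowed @('NinjaRMM') | Format-Table -AutoSize
# Get-RecentRmmInstalls -Days 7
```

When the live check flags a service, stop it and set its startup type to Disabled rather than uninstalling it, so the SOC can still image the host and pull the agent's configuration for the incident record; the same two functions can be scheduled through your own RMM or Intune Proactive Remediations so the allow-list is enforced continuously rather than once.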
