Malicious WhatsApp Files Can Give Hackers Control of Computers

Fake work documents exploit trusted contacts to infect Windows devices worldwide.

Global, June 2026. A growing malware campaign is using WhatsApp messages to distribute malicious files capable of giving cybercriminals remote control of Windows computers. The attack has already been detected in countries including Mexico, Spain, Brazil, India and Malaysia. Victims receive attachments that appear to be invoices, financial reports or routine workplace documents. The messages often come from real contacts whose WhatsApp accounts were previously compromised.

The absence of suspicious text makes the message appear like a normal document exchange between colleagues, friends or relatives. Attackers also adapt the names of the attachments to the language and business practices of each target country. Common examples imitate account statements, debt confirmations and lists of pending payments. This personalised approach increases the likelihood that recipients will trust and open the files.

The dangerous attachment is actually a VBScript file identified by the .vbs extension. Once opened on a Windows computer, the script creates a hidden folder and downloads additional malicious components. These files modify the Windows Registry and attempt to disable User Account Control protections. The process weakens the operating system’s security before the attackers install remote-management software.

The campaign reportedly abuses ManageEngine Endpoint Central, a legitimate tool normally used by information technology teams to administer computers remotely. Cybercriminals configure the program to connect the victim’s device with infrastructure under their control. This connection can provide extensive access to files, applications and other resources stored on the computer. The legitimate nature of the software may also make the intrusion more difficult for victims to recognise.

Security specialists advise users never to open .vbs attachments received through WhatsApp, even when they appear to come from someone they know. Recipients should verify unexpected documents through another communication channel, preferably by calling the supposed sender directly. Downloaded files should also be scanned with updated security software before they are executed. Documents presented as invoices or reports should normally use familiar formats such as PDF or DOCX rather than executable scripts.
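The advice above can be applied mechanically wherever received files pass through a triage step. The following filename check is an added example, not code from the article or from any vendor; the extension lists beyond .vbs, PDF and DOCX, the `classify` function name and the sample filenames are assumptions constructed for illustration.

```python
import unicodedata

# Script types that Windows runs on double-click. The article names only .vbs;
# the other entries are an assumption added for this example.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta"}
# Formats the article says invoices and reports normally use, plus common
# office siblings (assumed).
DOC_EXTS = {".pdf", ".docx", ".doc", ".xlsx", ".xls"}


def classify(name):
    """Return (verdict, reason) for a received attachment filename."""
    # Win32 path handling drops trailing dots and spaces, so "x.vbs. " is
    # stored as "x.vbs"; judge the name Windows will actually act on.
    effective = name.rstrip(". ").lower()
    stem, dot, last = effective.rpartition(".")
    if not dot:
        return ("review", "no extension")
    ext = "." + last
    if ext in SCRIPT_EXTS:
        # A document extension just before the script one is a lure.
        inner = "." + stem.rpartition(".")[2] if "." in stem else ""
        if inner in DOC_EXTS:
            return ("block", "script posing as " + inner)
        return ("block", "script type " + ext)
    # Format characters (Unicode category Cf, e.g. U+202E) can reorder how a
    # name is displayed, so a clean-looking document name is not trusted.
    if any(unicodedata.category(c) == "Cf" for c in name):
        return ("review", "hidden formatting character in name")
    if ext in DOC_EXTS:
        return ("allow", "document type " + ext)
    return ("review", "unlisted type " + ext)


if __name__ == "__main__":
    # Constructed sample names, not taken from the campaign.
    samples = [
        "Factura_pendiente.pdf.vbs",
        "Estado de cuenta.VBS. ",
        "statement\u202excod.pdf",
        "Q2_report.pdf",
    ]
    for sample in samples:
        print(repr(sample), classify(sample))
```

A `block` verdict means the file should never reach a double-click; `review` means a person should confirm the file with the sender before it is opened.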

Companies should reinforce employee training on social engineering, impersonation and the risks associated with unexpected attachments. Keeping Windows and antivirus software updated can reduce exposure to known vulnerabilities and malicious activity. Users accessing WhatsApp from a computer should remain particularly cautious because the infection targets the Windows operating system. Investigators have not yet definitively attributed the active campaign to a specific criminal organisation.

Digital trust can become the attacker’s most effective weapon when a dangerous file arrives from a familiar contact.
