Two unrelated campaigns are treating WhatsApp as an attack platform right now.

Campaign one sends VBS files through WhatsApp messages. If a victim opens one, it silently bypasses UAC, renames legitimate Windows tools (curl becomes “netapi.dll,” bitsadmin becomes “sc.exe”) to dodge detection, downloads payloads from AWS, Tencent Cloud, and Backblaze, then installs AnyDesk for persistent remote access. Every component after the initial script is a legitimate tool. That’s what makes it nasty.

Campaign two is Italian surveillance firm SIO targeting roughly 200 WhatsApp users in Italy. No vulnerability is exploited. Instead, targets get socially engineered into downloading a fake WhatsApp client containing spyware. SIO's expansion into iOS capabilities signals that its government clients wanted iPhone access badly enough to fund the development.

Different actors, different goals, same lesson: organizations that spent years hardening email are watching attacks walk in through the messaging app side door. WhatsApp messages don’t pass through email gateways. Files don’t get sandboxed. Links don’t get rewritten.

What you can do: disable VBS execution via Group Policy (most orgs don’t need it), flag unauthorized remote access tools on endpoints, and only install apps from official stores. Most importantly, update your threat model. If your IR plan only covers email-borne threats, you’ve got a gap these campaigns are actively proving.
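As an added example (not from the original analysis or from gNerdSEC), here is a small Python triage pass over process-creation records that surfaces the three behaviours described above: a binary whose on-disk name no longer matches the name embedded in its PE version resource (curl posing as "netapi.dll", bitsadmin posing as "sc.exe"), a remote access tool the organisation has not approved, and a process spawned by the Windows Script Host, which is what runs a .vbs file. The field names follow Sysmon Event ID 1; the sample events, file paths and the unapproved-tool list are constructed assumptions.

```python
"""Triage Sysmon Event ID 1 (process creation) records for the
WhatsApp/VBS tradecraft: renamed LOLBins, unapproved remote access
tools, and processes launched by the Windows Script Host.
All sample data below is constructed for this example."""
import ntpath

# Assumption: tools this organisation has not sanctioned for remote access.
UNAPPROVED_RAT = {"anydesk.exe"}
# wscript.exe / cscript.exe are the hosts that execute .vbs scripts.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

SAMPLE_EVENTS = [  # constructed; mirrors Sysmon Event ID 1 fields
    {"Image": r"C:\Users\u\AppData\Local\Temp\netapi.dll",
     "OriginalFileName": "curl.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Image": r"C:\Users\u\AppData\Local\Temp\sc.exe",
     "OriginalFileName": "bitsadmin.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Image": r"C:\ProgramData\AnyDesk\AnyDesk.exe",
     "OriginalFileName": "AnyDesk.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Image": r"C:\Windows\System32\curl.exe",   # benign control
     "OriginalFileName": "curl.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]


def _stem(path):
    """Lower-case file name without directory or extension."""
    return ntpath.splitext(ntpath.basename(path))[0].lower()


def analyse(event):
    """Return a list of finding strings for one event (empty means clean)."""
    findings = []
    image_name = ntpath.basename(event["Image"]).lower()
    orig = event.get("OriginalFileName", "")
    # Renaming the file does not change the PE version resource, so the
    # recorded OriginalFileName still names the real tool. Sysmon logs "?"
    # when the resource is absent; skip those rather than alert on them.
    if orig and orig != "?" and _stem(orig) != _stem(image_name):
        findings.append(f"renamed binary: {image_name} is really {orig}")
    if image_name in UNAPPROVED_RAT:
        findings.append(f"unapproved remote access tool: {image_name}")
    if ntpath.basename(event["ParentImage"]).lower() in SCRIPT_HOSTS:
        findings.append("spawned by Windows Script Host (likely .vbs)")
    return findings


def triage(events):
    """Map each suspicious image path to its findings; clean events are dropped."""
    results = {}
    for event in events:
        findings = analyse(event)
        if findings:
            results[event["Image"]] = findings
    return results
```

In production the same checks run against a SIEM feed rather than an in-memory list; the OriginalFileName mismatch is the one that survives the attacker's renaming trick.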
Read the full analysis on gNerdSEC