Sophisticated malware distribution campaign
This campaign was discovered by Kaspersky's Global Research and Analysis Team (GReAT) in June 2026. Victims were recorded in many countries and territories, including Malaysia, Brazil, Singapore, Taiwan (China) and Vietnam, with Malaysia recording the highest number of victims.
The use of file names in many different languages also shows that the campaign is being deployed on a large scale, especially in countries in the European region.
According to the research, the actors behind the campaign used previously compromised WhatsApp accounts to spread attachments containing malware.
The attackers sent the messages from these accounts to the people already in their contact lists, so recipients were inclined to trust and open the files. Once the malware is activated, the attacker can remotely access the system through management features designed for legitimate technical support and administration.
The attackers used social engineering to disguise the malicious files as familiar work documents such as payment invoices, bank statements, account statements, payment documents or debt statements, in order to create a sense of trust and deceive victims.
The file names are also localized into many languages, such as English, Portuguese, French, German and Malay, showing that the campaign is being run across many different language regions. In addition, the VBScript file templates contain large amounts of comments and metadata intended to impersonate legitimate components of Microsoft Windows Update.
Mr. Fareed Radzi, a security researcher at Kaspersky GReAT, said: "In this campaign, attackers exploit the element of trust on messaging platforms by using seized WhatsApp accounts to send attachments with malware. Because these files are sent from familiar contacts, recipients are more likely to open them.
The file name is carefully camouflaged in the form of ordinary work documents such as invoices or payment notifications, and localized to many languages to expand the scope of the target. When opened, these files will activate a multi-stage infection chain, silently download and execute more malicious components from the infrastructure controlled by the attacker."
Advice
To avoid malware infection, cybersecurity experts recommend that users:
- Be careful with unusual attachments received via WhatsApp, even when they come from familiar contacts, because these files may contain malware that executes on the device.
- Do not open script files or executable files such as .vbs, .vbe, .exe, .bat, .cmd, .js and .ps1 unless their legitimacy has been independently verified.
- Use reliable security solutions on all computers and mobile devices. These solutions can warn of and block infection risks before they cause harm.
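
As an added example (not from Kaspersky or the original article), the Python check below applies the extension advice above to attachment names before a file is opened. It also flags a risky extension hidden behind a document-style one; the decoy extension list and the sample file names are assumptions constructed for illustration.

```python
# Extensions named in the advice above.
RISKY_EXTENSIONS = {".vbs", ".vbe", ".exe", ".bat", ".cmd", ".js", ".ps1"}
# Assumption: document-type extensions a lure may show before the real one.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def normalize(filename: str) -> str:
    """Return the name roughly as Windows will resolve it."""
    # Win32 strips trailing dots and spaces, so "a.vbs. " still opens as .vbs.
    return filename.rstrip(". ").lower()


def triage_attachment(filename: str) -> dict:
    """Classify an attachment name by its effective (last) extension."""
    parts = normalize(filename).split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    inner = "." + parts[-2] if len(parts) > 2 else ""
    risky = ext in RISKY_EXTENSIONS
    return {
        "file": filename,
        "extension": ext,
        "risky": risky,
        # A script or executable wearing a document extension in front.
        "disguised": risky and inner in DECOY_EXTENSIONS,
    }


# Constructed sample names, not taken from the campaign.
SAMPLES = [
    "Invoice_0425.pdf.vbs",
    "Penyata Bank.VBS. ",
    "Kontoauszug.xlsx",
    "update.ps1",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage_attachment(sample))
```

A name-based check like this only supports the second recommendation; it does not inspect file contents and is not a substitute for the security solution in the third.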
