What Is an Autonomous SOC? From AI-Assisted to Self-Driving Security Operations

What Is an Autonomous SOC? From AI-Assisted to Self-Driving Security Operations

June 22, 2026
Rewterz

Active FortiBleed Campaign Targets FortiGate Devices

June 23, 2026

A VBScript Campaign Spread via WhatsApp Installing RMM Software – Active IOCs

Severity

High

Analysis Summary

Researchers have identified an active malware campaign leveraging WhatsApp direct messages to distribute malicious Visual Basic Script (VBScript) files that ultimately install legitimate Remote Monitoring and Management (RMM) software, granting attackers remote access to compromised systems.

The campaign primarily targets users of WhatsApp Desktop and WhatsApp Web across multiple countries, including Malaysia, Brazil, India, Mexico, Singapore, the United Kingdom, Spain, Taiwan, Australia, Russia, and Vietnam. Malaysia has reported the highest number of victims.

Threat actors use deceptive file names that mimic legitimate business or financial documents, such as Financial Reports.vbs and Account Statement.vbs, to trick users into executing the files. Some samples are localized in multiple languages, highlighting the campaign's broad geographic targeting.

Analysis revealed that the VBScript files are heavily obfuscated and contain extensive comments designed to resemble legitimate Microsoft Windows Update components. Many of these comments are written in Chinese and reference Windows Update modules, certificate validation processes, system integrity checks, and deployment functions, likely to hinder analysis and evade detection.

Once executed through WScript.exe, the initial VBScript downloads additional malicious VBScript payloads from a remote server. One payload attempts to manipulate Windows User Account Control (UAC) behavior, while another downloads and executes a ZIP archive containing the installation package for ManageEngine RMM Central. The use of legitimate RMM software enables attackers to maintain remote access while blending into normal administrative activity.

The infection flow differs slightly between WhatsApp Web and WhatsApp Desktop. Web users must manually download and open the file, whereas WhatsApp Desktop may execute the script through the application's background process, WhatsApp.Root.exe, which launches WScript.exe.

Although attribution remains unclear, Kaspersky observed infrastructure overlaps with activity previously associated with Gh0st RAT and ValleyRAT campaigns. Users are advised to avoid opening unsolicited script or executable attachments, even when received from trusted contacts.

Impact

  • Unauthorized Access
  • Credential Theft
  • Data Theft and Exfiltration
  • Lateral Movement
  • Operational Disruption
  • Malicious Payload Execution

Indicators of Compromise

Domain Name

  • temu.baskwms.top
  • invoice.msopsa.top
  • qse.shoppes.help
  • shaaslong.one
  • baoxis.cc
  • baolongwes.oss-ap-southeast-1.aliyuncs.com
  • sdcwww.oss-ap-southeast-1.aliyuncs.com
  • baoyuw2s.s3.ap-southeast-1.amazonaws.com
  • sjdkjj23.s3.ap-southeast-1.amazonaws.com
  • xijkwm2.s3.ap-southeast-1.amazonaws.com
  • yifubafu.s3.ap-southeast-1.amazonaws.com
  • caiwuascw.s3.us-east-005.backblazeb2.com
  • facaia.s3.us-east-005.backblazeb2.com

IP

  • 202.61.160.202
  • 202.61.160.201
  • 202.61.160.137
  • 202.61.160.160
  • 202.61.160.208
  • 38.55.151.63

MD5

  • c7f38cbb99c8b74fa0465293feeba700
  • b7cd06c71465038b658a6dc1f273a507
  • 9f13c7b8ba391b2f597874e54d310648
  • 993f4c0cadbc769a4b0ed62a918db58d
  • 7f81c1bc8cfd588e8998968e2621456e
  • 7403cbcc5a9c32384d431856dc48fcc9
  • 68c16c46f8afb9e00bbaba0207fb0a46
  • 66442f2457eca8f47385b1fb2c6fcab8
  • 6359e6236471cbe434d0ef4c42b7f879
  • 5b6bbcc06cf08cc99e1afeda486d42fb

SHA-256

  • 1bbb72557fcaa408bfe02ef68dc1c6c4ced901a461be3f3754b0d2f691eee032
  • 4e2c296a386b54b3e8360d899afb10da87de403687754bba200fbf3afbb634ea
  • 586607815075bafbe7a868c658e0a5a43e959ebace304ddf3925fa8a6b2d5b6c
  • 69efbea795491bdac117a299f18977f1e2968a06e7cd3a11f6366169d7214b04
  • 30ded95156d23ea8911d76b07ac0e4dfc90d9f2ed94545775f355f118a2beb13
  • a34b77d553f35517efbe27d1afb966fa4e8819adf5decee8b7e496c84aea4260
  • 09cfe9dbd75095b17ccea62466ff128279e54a0d501587ec9c5b992b987b5784
  • 65662fbfee31784502f46a4ea3cf58a5146d6f6299b40391cd71c9fc67e3e621
  • 03402dbfc9ccfe612c37405bbcf072c9c07273fe4f77e82f8238a31d0040094d
  • b798fcbc54e84c03ac2b7be97d016d05f04cd754db36dd5c6cfbf3aedd0b7dff

SHA1

  • 282d534982002a43d2e8c18a2f589b40628829cf
  • 8feed8e6e580f850bdc2735cc74a6b11533ed927
  • 6df13658b646620dcb698ce7468b71e538cfcb48
  • ca3b7f7b30021cd2858b2881137a809e8079d975
  • dabc92cbf18b7f9511b71e91918abcea7dc22e8b
  • e9b0b10ec99380f1db343c1578375268a9a8d5ae
  • c5e9769460981ca109f2a61e89662288ff907b5d
  • 91da365db0c863d345f63dde71a876c94e40e944
  • 4b9d81d5385ecf9a2ee7f31212d8812db149e836
  • 099a857acff8065b966c6c390c723f3cce0a7963

Remediation

  • Block execution of script-based file types (VBS, VBE, JS, BAT, CMD, PS1) using application control policies.
  • Disable or restrict Windows Script Host (WSH) where business use is not required to prevent VBScript execution.
  • Monitor and alert on suspicious execution of WScript.exe and CScript.exe, especially from user download or temp directories.
  • Implement endpoint detection rules for WhatsApp Desktop spawning scripting engines or unusual child processes.
  • Restrict installation and use of unauthorized Remote Monitoring and Management (RMM) tools across enterprise endpoints.
  • Monitor for unexpected deployment of legitimate RMM software such as ManageEngine tools.
  • Enforce least privilege access to reduce impact of script execution and unauthorized software installation.
  • Enable and properly configure User Account Control (UAC) to prevent silent privilege escalation attempts.
  • Deploy email and messaging security awareness controls focusing on WhatsApp and other chat-based phishing vectors.
  • Train users to verify unexpected attachments even when received from trusted contacts.
  • Inspect and restrict outbound connections to unknown or newly registered domains associated with script downloads.
  • Use endpoint detection and response (EDR) to detect multi-stage script execution and payload retrieval behavior.
  • Maintain centralized logging for process creation, script execution, and network connections for threat hunting.
  • Regularly update OS, browsers, and security tools to reduce exploitation opportunities.
  • Isolate and investigate endpoints showing signs of unauthorized RMM installation or script execution.
  • Conduct threat hunting for WhatsApp-related file downloads and script execution patterns.
  • Block or sandbox WhatsApp file attachments where enterprise policy permits.
  • Ensure multi-factor authentication is enabled on WhatsApp accounts where applicable to reduce account takeover risk.
  • Perform periodic review of installed remote access tools across the environment.

Reading this advisory was a good start.

Make it a habit.

Rewterz publishes threat advisories ahead of mainstream cybersecurity media, informed by an AI-Native Autonomous SOC that sees regional threat actor activity in real time. Subscribe to receive each new advisory as it publishes, plus a monthly Middle East threat landscape brief drawn from our own SOC telemetry. For teams evaluating their detection coverage, a 30-minute consultation with a senior analyst is also available, at your pace, when you're ready.