WhatsApp Phishing Attack Uses Fake Business Docs to Hack PCs

Hackers are targeting WhatsApp users worldwide with fake business documents that deploy VBScript malware and grant remote access to victims' PCs.

June 23, 2026 · 5 min read

WhatsApp Phishing Attack Uses Fake Business Documents to Compromise PCs

A sophisticated and ongoing malware campaign is actively targeting WhatsApp users across multiple countries, using deceptively crafted messages disguised as legitimate business documents. Once a victim interacts with these files, malicious VBScript code is executed on their system — ultimately handing attackers full remote access to the infected machine. This WhatsApp phishing attack represents a sharp escalation in the use of everyday messaging platforms as vectors for serious cybercrime.

Security researchers tracking the campaign have confirmed it is not limited to a single region. Users in Europe, Asia, Latin America, and the Middle East have all been identified among the victims, making this a genuinely global threat. If you use WhatsApp for personal or professional communication — and billions of people do — understanding this attack is not optional. It is essential.

How the WhatsApp Phishing Attack Works

At its core, this campaign relies on a time-tested tactic: social engineering. Attackers initiate contact through WhatsApp, presenting themselves as representatives of legitimate businesses. The messages are carefully worded to appear professional and urgent, often referencing contracts, invoices, purchase orders, or compliance documents that the recipient supposedly needs to review immediately.

The malicious payload is attached directly to the WhatsApp message in the form of a file. At a glance, the file appears to be a standard business document — a PDF, a spreadsheet, or a Word file. In reality, it is a VBScript (.vbs) file, a type of script native to Windows environments that can execute powerful system-level commands with minimal user interaction.
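The disguise described above can be checked mechanically from the file name alone. The following is an added example, not code from the original article: it classifies received attachment names by their real (final) extension and generalizes from the article's .vbs case to the other extensions that Windows Script Host runs. The decoy list, verdict labels and function names are assumptions.

```python
# Extensions executed by Windows Script Host (wscript.exe / cscript.exe).
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
# Document types the lure claims to be (assumed list; extend as needed).
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}


def extensions(name):
    """Return every dot-separated extension, lowercased, in order."""
    # Windows ignores trailing dots and spaces when it resolves a file name.
    parts = name.rstrip(". ").split(".")
    return ["." + p.strip().lower() for p in parts[1:] if p.strip()]


def shown_with_extensions_hidden(name):
    """Approximate what File Explorer shows when known extensions are hidden."""
    trimmed = name.rstrip(". ")
    return trimmed.rsplit(".", 1)[0] if "." in trimmed else trimmed


def triage(name):
    """Classify one received attachment name by its final extension."""
    exts = extensions(name)
    final = exts[-1] if exts else ""
    is_script = final in SCRIPT_EXTS
    disguised = is_script and any(e in DECOY_EXTS for e in exts[:-1])
    verdict = "disguised-script" if disguised else "script" if is_script else "not-script"
    return {"name": name, "real_type": final, "verdict": verdict,
            "user_sees": shown_with_extensions_hidden(name)}


# Constructed sample names; only the first is the article's own example.
SAMPLES = [
    "Invoice_2024.pdf.vbs",
    "Purchase Order.XLSX.VBS ",
    "report.v2.pdf",
    "cleanup.vbs",
    "Contract_final.docx",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```

The `user_sees` field shows why the lure works: with extensions hidden, the first sample is displayed as `Invoice_2024.pdf`.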

What Happens When the File Is Opened

When the victim opens the disguised file, the VBScript executes automatically on their Windows PC. The script typically performs several malicious actions in rapid succession. First, it establishes a connection to a remote command-and-control (C2) server controlled by the attackers. From there, additional malware payloads can be downloaded and installed silently in the background, often without triggering standard antivirus alerts during the initial stage.

The ultimate goal of the attack chain is remote access. Once the attacker has a persistent foothold on the victim's machine, they can monitor keystrokes, harvest credentials, access sensitive files, activate webcams and microphones, and even use the compromised system as a launchpad for further attacks within a corporate network. In a business context, a single employee clicking the wrong file can expose an entire organization.

Why VBScript Is a Preferred Tool for Attackers

VBScript has been a built-in feature of Windows operating systems for decades, which is precisely what makes it attractive to cybercriminals. Because it is a trusted, native Windows component, many security tools do not flag VBScript execution as inherently suspicious. Attackers exploit this implicit trust to slip past endpoint defenses that would otherwise catch more recognizable malware formats.

While Microsoft has been gradually disabling VBScript by default in newer versions of Windows, a large proportion of business users worldwide still operate on older configurations where the scripting engine remains fully active. This gives threat actors a wide and vulnerable attack surface to exploit, particularly in small and medium-sized businesses that may not have the IT resources to keep systems rigorously updated.

Why WhatsApp Is Increasingly Targeted

WhatsApp's enormous user base — exceeding two billion active users globally — makes it an irresistible channel for cybercriminals. Unlike email, which most people have been trained to treat with at least some degree of suspicion, WhatsApp messages tend to feel more personal and immediate. People are far more likely to open an attachment sent via a chat message than one arriving in an unfamiliar email.

The platform is also deeply embedded in business communication in many parts of the world. In regions across South America, Southeast Asia, the Middle East, and Southern Europe, WhatsApp is a standard tool for sharing contracts, receipts, invoices, and operational documents. Attackers understand this cultural and professional context and design their lures accordingly, tailoring the language and framing of their messages to match what recipients routinely expect to receive.

The Role of Impersonation in This Campaign

Researchers note that in several documented cases, attackers went beyond generic business pretexts. In some instances, they impersonated known suppliers, vendors, or even colleagues of the victim — suggesting that prior reconnaissance had taken place or that contact lists had been previously compromised. This level of personalization dramatically increases the likelihood of a successful infection, since the recipient has no immediate reason to question the authenticity of the message.

How to Protect Yourself and Your Organization

Defending against this type of WhatsApp phishing attack requires a combination of technical controls and user awareness. No single measure is sufficient on its own, but together they significantly reduce the risk of a successful compromise.

  • Never open unexpected file attachments on WhatsApp, even from contacts you recognize. If a business associate sends you a document out of the blue, verify the request through a separate communication channel before opening anything.
  • Check file extensions carefully. A file named "Invoice_2024.pdf.vbs" is not a PDF. Windows hides file extensions by default; enabling their display in File Explorer is a simple but important security step.
  • Disable VBScript on Windows if it is not needed for legitimate business operations. Microsoft provides group policy settings that allow administrators to restrict or disable VBScript execution across managed devices.
  • Keep your operating system and security software fully updated. Newer Windows configurations disable VBScript by default, and up-to-date endpoint protection tools are better equipped to detect the behavioral patterns associated with this type of attack.
  • Implement security awareness training. Employees who understand how social engineering works are far less likely to fall victim to it. Regular, practical training that includes messaging-app scenarios is increasingly critical.
  • Use endpoint detection and response (EDR) solutions that monitor for suspicious script execution and unusual outbound network connections, which are key behavioral indicators of this attack chain.
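The two behavioral indicators named in the last item, script execution followed by an outbound connection, can be correlated per process. The following is an added example, not part of the original article or any vendor's product: it runs over constructed events that use Sysmon-style field names (Event ID 1 for process creation, Event ID 3 for network connection). The watched folders, the internal address ranges and the 120-second window are assumptions.

```python
import ipaddress
import ntpath
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # Windows Script Host binaries
USER_WRITABLE = ("\\downloads\\", "\\appdata\\", "\\temp\\")  # assumed watch list
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
WINDOW = timedelta(seconds=120)  # assumed correlation window

def ts(ev):
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def correlate(events):
    """Alert when a script host runs a user-writable script, then connects externally."""
    launches, alerts = {}, []
    for ev in sorted(events, key=ts):
        guid = ev["ProcessGuid"]
        if ev["EventID"] == 1:  # process creation
            host = ntpath.basename(ev["Image"]).lower()
            cmd = ev["CommandLine"].lower()
            if host in SCRIPT_HOSTS and any(p in cmd for p in USER_WRITABLE):
                launches[guid] = ev
        elif ev["EventID"] == 3 and guid in launches:  # network connection
            start = launches[guid]
            if is_external(ev["DestinationIp"]) and ts(ev) - ts(start) <= WINDOW:
                alerts.append({"command": start["CommandLine"],
                               "dest": f'{ev["DestinationIp"]}:{ev["DestinationPort"]}'})
    return alerts

def make_event(eid, t, guid, **fields):
    return {"EventID": eid, "UtcTime": "2026-06-23 " + t, "ProcessGuid": guid, **fields}
WS, CS = r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\cscript.exe"
# Constructed events (not from a real host) with Sysmon-style field names.
SAMPLE_EVENTS = [
    make_event(1, "09:14:02.100", "{A}", Image=WS,
               CommandLine=r'wscript.exe "C:\Users\alice\Downloads\Invoice_2024.pdf.vbs"'),
    make_event(3, "09:14:05.300", "{A}", DestinationIp="203.0.113.10", DestinationPort=443),
    make_event(1, "09:20:00.000", "{B}", Image=CS,
               CommandLine=r'cscript.exe "C:\Windows\System32\slmgr.vbs"'),
    make_event(3, "09:20:01.000", "{B}", DestinationIp="198.51.100.7", DestinationPort=443),
    make_event(1, "09:30:00.000", "{C}", Image=WS,
               CommandLine=r'wscript.exe "C:\Users\bob\AppData\Local\Temp\inventory.vbs"'),
    make_event(3, "09:30:02.000", "{C}", DestinationIp="10.0.0.5", DestinationPort=445),
]
```

Only process `{A}` produces an alert: `{B}` runs a script from a system folder and `{C}` connects to an internal address.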

The Broader Threat Landscape

This campaign is part of a broader and accelerating trend of cybercriminals migrating their attack infrastructure away from traditional email-based phishing and toward mobile and messaging platforms. As organizations invest more heavily in email security gateways and spam filters, attackers adapt — moving to channels where defenses are less mature and users are less vigilant.

WhatsApp is not the only platform being exploited in this way. Similar campaigns have been documented on Telegram, Signal, and even LinkedIn. However, WhatsApp's unique combination of massive scale, cross-demographic reach, and deep integration into business workflows makes it a particularly high-value target. Security teams that have not yet extended their threat models to include messaging platforms are operating with a significant blind spot.

Final Thoughts

The WhatsApp phishing attack using fake business documents is a stark reminder that cyber threats continue to evolve, finding new paths into systems wherever human behavior can be exploited. The underlying technique — disguising malicious scripts as routine documents and relying on trust to get them opened — is not new. But its migration to a platform as widely used and inherently trusted as WhatsApp makes it newly dangerous for millions of users and organizations around the world.

Staying safe requires staying informed. Share this information with your team, review your endpoint security configurations, and treat every unexpected file attachment — on any platform — as a potential threat until verified otherwise. In today's threat environment, a moment of caution is always worth more than the time it takes to recover from a breach.
