Compromised WhatsApp Accounts Deliver Obfuscated VBScripts Installing ManageEngine RMM Across 11 Countries

The infection begins with VBS files launched via WScript.exe from compromised contact lists. The script fetches two follow-on VBS payloads, one disabling UAC prompts and the second retrieving a ZIP containing the legitimate ManageEngine installer. Execution differs by client: WhatsApp Web requires manual launch from downloads while the Desktop client spawns WScript directly from WhatsApp.Root.exe. Kaspersky telemetry shows the highest density in Malaysia and infrastructure overlap at 202.61.160[.]201 with prior Gh0st RAT and ValleyRAT operations.

Contract and job-posting records indicate ManageEngine RMM is marketed to MSPs and internal IT teams precisely for remote endpoint control, creating a built-in legitimate binary that evades many endpoint products once installed. The campaign's use of Chinese-language comments mimicking Windows Update components suggests an actor familiar with supply-chain or update-server abuse patterns seen in earlier ValleyRAT incidents. No independent technical attribution beyond the shared IP has been published.

The operational pattern—leveraging already-trusted messaging accounts to deliver signed remote-administration tooling—reduces reliance on exploit code and increases dwell time. Defenders should baseline RMM agent installations against procurement records rather than signature detection alone. Expect continued rotation of file names in additional languages and possible expansion to other consumer messaging platforms that permit script attachments.

Next indicators will likely appear in procurement databases when threat actors purchase additional RMM licenses or MSP reseller accounts to scale distribution.