ctipilot.ch

WhatsApp VBScript installs ManageEngine RMM for LotL remote control

campaign · item:whatsapp-vbs-manageengine-rmm

Coverage timeline: 1 (first 2026-06-24 → last 2026-06-24)
Briefs: 1 (1 distinct)
Sources cited: 15 (11 hosts)
Sections touched: 1 (active_threats)
Co-occurring entities: 8 (see Related entities below)

Story timeline

  1. 2026-06-24 · CTI Daily Brief — 2026-06-24
     active_threats · First coverage. Kaspersky; UAC-bypass to silent RMM install; low-confidence Chinese-speaking attribution.

Where this entity is cited

  • active_threats: 1

Source distribution

  • bleepingcomputer.com: 3 (20%)
  • thehackernews.com: 2 (13%)
  • attack.mitre.org: 2 (13%)
  • about.fb.com: 1 (7%)
  • cyberscoop.com: 1 (7%)
  • dutchnews.nl: 1 (7%)
  • ncsc.admin.ch: 1 (7%)
  • securelist.com: 1 (7%)
  • other: 3 (20%)

Related entities

All cited sources (15)

Items in briefs about WhatsApp VBScript installs ManageEngine RMM for LotL remote control (4)

WhatsApp-borne VBScript silently installs a ManageEngine RMM agent for living-off-the-land remote control

From CTI Daily Brief — 2026-06-24 · published 2026-06-24

Kaspersky documented (2026-06-22) a globally active campaign distributing heavily obfuscated VBScript via compromised WhatsApp Desktop / Web accounts, with financial-themed document lures in multiple languages (Kaspersky Securelist, 2026-06-22; The Hacker News, 2026-06-23). The three-stage chain: a stage-1 VBScript creates working directories and fetches payloads via curl/bitsadmin/certutil/PowerShell; stage 2 disables UAC consent by writing ConsentPromptBehaviorAdmin=0 to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and strips the Zone.Identifier ADS; stage 3 silently installs a preconfigured ManageEngine Endpoint Central RMM agent via msiexec pointed at attacker-controlled infrastructure. Kaspersky attributes the activity to a Chinese-speaking operator with low confidence only, on the basis of Simplified-Chinese code comments and C2 infrastructure overlapping prior ValleyRAT / Gh0st RAT activity; this is an overlap-based assessment, not a firm attribution. Victims are concentrated in Malaysia (~80%) with clusters including the UK and Spain.

Why it matters to us: Abuse of a legitimate, signed RMM agent (T1219) is the operational point — there is no bespoke implant to signature, and ManageEngine Endpoint Central is plausibly already whitelisted in many estates. Mapped to T1566.001 (spearphishing attachment, via WhatsApp), T1059.005 (VBScript), T1112 / T1548 (UAC-bypass registry write), T1105 (ingress tool transfer). Detection: msiexec.exe /quiet parented by wscript.exe/cscript.exe; writes to ...\Policies\System\ConsentPromptBehaviorAdmin; certutil -decode or bitsadmin in a script context; and ManageEngine DCAgentService.exe appearing on a host with no corresponding IT-provisioning change ticket. RMM-agent abuse is a well-worn precursor to hands-on-keyboard intrusion and ransomware staging.
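Added example (not from the brief or from Kaspersky's report): the four detections listed above as Python logic run over constructed Sysmon-style events (EventID 1 process creation, EventID 13 registry value set). Field names follow Sysmon's naming; the host names, file paths, the ManageEngine install path and the set of provisioned hosts are assumptions.

```python
import re
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
UAC_KEY_RE = re.compile(r"\\Policies\\System\\ConsentPromptBehaviorAdmin$", re.I)
PROVISIONED_HOSTS = {"ws-0042"}  # hosts with an IT change ticket for the agent (assumed)

def _base(path):  # file name component of a Windows path, lower-cased
    return path.rsplit("\\", 1)[-1].lower()

def _is_zero(details):  # Sysmon renders DWORD values as "DWORD (0x00000000)"
    m = re.search(r"0x([0-9a-f]+)", details.lower())
    return int(m.group(1), 16) == 0 if m else details.strip() == "0"

def check_event(ev):  # detection names that fire for one Sysmon-style event
    hits = []
    img, parent = _base(ev.get("Image", "")), _base(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "").lower()
    if ev["EventID"] == 1:  # process creation
        if img == "msiexec.exe" and parent in SCRIPT_HOSTS and re.search(r"\s/(quiet|qn)\b", cmd):
            hits.append("silent_msiexec_from_script_host")
        if parent in SCRIPT_HOSTS and ((img == "certutil.exe" and "-decode" in cmd)
                                       or (img == "bitsadmin.exe" and "/transfer" in cmd)):
            hits.append("lolbin_fetch_or_decode_from_script_host")
        if img == "dcagentservice.exe" and ev["Computer"].lower() not in PROVISIONED_HOSTS:
            hits.append("manageengine_agent_without_change_ticket")
    elif ev["EventID"] == 13:  # registry value set
        if UAC_KEY_RE.search(ev.get("TargetObject", "")) and _is_zero(ev.get("Details", "")):
            hits.append("uac_consent_prompt_disabled")
    return hits

def scan(events):  # (host, detection) pairs in event order
    return [(ev["Computer"], h) for ev in events for h in check_event(ev)]

# Constructed sample events: the three-stage chain on ws-0107, benign activity on ws-0042.
SAMPLE_EVENTS = [
    {"Computer": "ws-0107", "EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"certutil -decode C:\Users\Public\t\a.txt C:\Users\Public\t\a.msi"},
    {"Computer": "ws-0107", "EventID": 13, "Details": "DWORD (0x00000000)", "TargetObject":
     r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin"},
    {"Computer": "ws-0107", "EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\Public\t\a.msi /quiet /norestart"},
    {"Computer": "ws-0107", "EventID": 1, "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Program Files (x86)\ManageEngine\UEMS_Agent\bin\DCAgentService.exe"},
    {"Computer": "ws-0042", "EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "msiexec.exe /i tool.msi /quiet"},
    {"Computer": "ws-0042", "EventID": 1, "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Program Files (x86)\ManageEngine\UEMS_Agent\bin\DCAgentService.exe"},
]
```

Running `scan(SAMPLE_EVENTS)` fires all four detections on ws-0107 and none on the provisioned host, which is the triage split the brief's detection list is meant to produce.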

Meta files contempt complaint against NSO Group over fresh WhatsApp spyware phishing

From CTI Daily Brief — 2026-06-09 · published 2026-06-09

Meta disclosed it detected and disrupted a new spear-phishing campaign linked to NSO Group's Pegasus operation, and filed a federal contempt-of-court complaint arguing the activity violates the 2025 permanent injunction barring NSO from targeting WhatsApp or its users (Meta, 2026-06-08; CyberScoop, 2026-06-08). The campaign used one-click links sent to WhatsApp users that redirected them to external attacker-controlled websites — the same social-engineering pattern (T1566.002) tied to earlier NSO phishing chains; Meta states no WhatsApp protocol zero-day and no end-to-end-encryption bypass was involved (BleepingComputer, 2026-06-08). Meta removed test accounts and groups NSO created on the platform.

Why it matters to us: The threat vector is user-level social engineering, not platform exploitation — iOS Lockdown Mode and Android Advanced Protection both reduce the Pegasus delivery surface, and mobile-threat-defence monitoring of device-integrity attestation is the relevant control. NSO's confirmed customer base is governments and its targeting pattern (officials, journalists, activists) is documented across EU member states, keeping commercial-spyware exposure a standing concern for public-sector mobile fleets.

Booking.com WhatsApp phishing + upstream hotel SaaS breach: real reservation data weaponised, 100+ properties affected, Dutch DPA opens investigation

From CTI Weekly Summary — 2026-W23 (1–7 June 2026) · published 2026-06-08

NCSC-CH's Week 22 report (4 June; daily 2026-06-04) documents two phishing variants exploiting real booking data leaked in the April 2026 Booking.com compromise: Variant 1 — fake WhatsApp refund lure → TWINT/Swiss-bank-portal credential harvest; Variant 2 — attackers using compromised hotel booking-system credentials to message guests through the legitimate booking channel, demanding urgent card re-verification. Variant 2 breaks user-awareness controls because the message originates from a trusted platform (NCSC-CH). In the same window, a separate upstream booking/channel-management SaaS layer breach exposed guest reservation records (names, contacts, arrival/departure dates) for guests at more than 100 Dutch, Belgian and Irish hotels; criminals are already sending contextually accurate "confirm your reservation" phishing referencing real upcoming stays (DutchNews.nl). The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) has opened a GDPR investigation; Art. 33/34 notification clocks are running for each hotel as an independent controller.

NCSC Switzerland: Booking.com breach feeds two-pronged WhatsApp hotel-booking phishing against Swiss travellers

From CTI Daily Brief — 2026-06-04 · published 2026-06-04

NCSC Switzerland's Week 22 report documents a surge in fraudulent WhatsApp messages abusing real booking data leaked in the April 2026 Booking.com compromise (dates, hotel names, guest names) (NCSC-CH, 2026-06-02). Variant 1 sends a fake refund lure on WhatsApp that redirects to pages spoofing TWINT and Swiss bank portals to harvest card data (T1566.002). Variant 2 is the more dangerous: attackers use compromised hotel booking-system credentials (T1078.004) to message guests through the legitimate booking channel, demanding urgent card re-verification — the message carries the trust of the real platform, defeating the usual "is this sender legitimate?" check. NCSC frames the targets as Swiss hotel-booking customers generally; for a federal SOC, staff who book travel through these platforms fall in the same exposed population (analyst inference). Why it matters to us: the account-takeover variant breaks user-awareness controls because the lure originates from a trusted booking system, not a spoofed sender — detection has to move to anomalous outbound messaging from booking-platform accounts and to card-data entry on TWINT/bank look-alike domains.