- Microsoft has warned about a new scam that has been spreading malware through WhatsApp since late February.
- The attackers disguise the malware as ordinary Windows tools and legitimate cloud services, trading on the trust people place in platforms like WhatsApp.
- Once the malware is on a PC, whoever is behind the scam can take over the machine completely.

This new research from Microsoft could change how you think about WhatsApp attachments. Hackers have built a social engineering scam that uses WhatsApp to hijack Windows computers.
The Microsoft Defender Security Research Team issued the warning in a report this week. According to the report, since late February 2026 attackers have been quietly targeting everyday WhatsApp users with an innocuous-looking file that, once opened, hands them the entire computer.
Opening a Simple WhatsApp File Can Infect Your PC
It starts with a WhatsApp message carrying a Visual Basic Script (.vbs) file. Nothing happens until you open the attachment; double-clicking a .vbs file hands it to the Windows Script Host, which runs it with your permissions.
The script quietly creates hidden folders under your computer's C:\ProgramData directory, which keeps its files out of casual view. Then it does something clever: it renames copies of standard Windows tools so they look like harmless system files.
For example, curl.exe becomes netapi.dll, and bitsadmin.exe is saved as sc.exe. Because these are genuine, Microsoft-signed binaries, security software that relies on recognising known-bad files has nothing to flag; a renamed curl.exe still hashes and validates as curl.exe. What gives the trick away is context: the name on disk no longer matches the file's own version information, and the file sits in a hidden folder where no system tool belongs.
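A triage script for the masquerading described above, added here as an example (it is not from Microsoft's report; the report as summarised does not publish the folder names it observed, so this sweeps every hidden directory under C:\ProgramData). It compares each executable's on-disk name with the OriginalFilename stored in its own version resource, which a renamed copy of curl.exe still reports as curl.exe, and records whether the file is signed.

```powershell
# Added example, not from Microsoft's report. Looks for the pattern described
# above: hidden folders under C:\ProgramData holding renamed copies of
# legitimate Windows binaries. Runs from an ordinary PowerShell session.

$root = 'C:\ProgramData'

# Hidden directories anywhere under ProgramData. -Force is required, otherwise
# Get-ChildItem skips hidden items entirely.
$hiddenDirs = Get-ChildItem -Path $root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden }

Write-Host "Hidden directories under ${root}:"
$hiddenDirs | ForEach-Object { "  $($_.FullName)" }

# Executables whose embedded OriginalFilename disagrees with the name on disk.
# Renaming a file does not touch its PE version resource, so curl.exe saved as
# netapi.dll still reports OriginalFilename=curl.exe, and bitsadmin.exe saved
# as sc.exe still reports bitsadmin.exe.
$renamed = Get-ChildItem -Path $root -File -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.exe', '.dll' } |
    ForEach-Object {
        $orig = $_.VersionInfo.OriginalFilename
        if ($orig -and ($orig.Trim() -ne $_.Name)) {
            [pscustomobject]@{
                Path             = $_.FullName
                OnDiskName       = $_.Name
                OriginalFilename = $orig.Trim()
                Signature        = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                Hidden           = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
            }
        }
    }

Write-Host "`nExecutables whose name on disk does not match their OriginalFilename:"
$renamed | Format-Table -AutoSize
```

Treat the output as a triage list rather than a verdict: some legitimate installers ship a binary under a name that differs from its OriginalFilename. The combination to act on is a Microsoft-signed tool, sitting in a hidden ProgramData folder, under another tool's name.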
According to Microsoft's report, the attackers combine social engineering with "living-off-the-land" techniques: they lean on a trusted platform (WhatsApp) and trusted built-in tools so that nothing looks out of place. That is exactly why the scam works; it flies under the radar in plain sight.
The attackers then download further payloads from real cloud storage services: AWS S3, Tencent Cloud, and Backblaze B2. Because ordinary software talks to these platforms all the time, the malware's downloads blend in with normal HTTPS traffic, and a firewall or proxy that filters on domain or IP reputation is unlikely to object.
How They Completely Take Over Your Computer
The hackers aren't stopping at hiding files; their real goal is full control of the machine. The malware targets User Account Control (UAC), the Windows feature that asks for your permission before a program makes significant changes to the system.
By modifying registry values under HKLM\Software\Microsoft\Win, the malware switches those prompts off entirely. You stop seeing the warnings while the attackers keep working. Writing to that part of the registry normally requires administrator rights, so once the script has them, turning UAC off means nothing it does afterwards will ask you again. The malware also establishes persistence, so rebooting does not remove it.
In the final stage, the attackers install fake software packages. The payload arrives as an MSI installer named to look like familiar software, such as WinRAR.msi, Setup.msi, or AnyDesk.msi, and none of them carries a valid digital signature, which the genuine installers from those vendors do.
Once installed, the package gives the attackers remote access to the machine, letting them snoop on your private data or use your computer to attack other people.
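An audit of the two artefacts this stage leaves behind, added here as an example (not from the article or Microsoft's report). The article gives only a truncated registry path, so this reads the documented UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and flags the settings that turn prompting off, then lists .msi files in common drop locations whose Authenticode signature is missing or invalid. The drop directories are an assumption; the report as summarised does not say where the installers are written.

```powershell
# Added example, not from the article or Microsoft's report.
# Part 1: UAC policy values. These are the documented UAC settings; the
# article itself only gives a truncated key path.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey -ErrorAction Stop

# EnableLUA=0 turns UAC off entirely (takes effect after a reboot).
# ConsentPromptBehaviorAdmin=0 elevates administrators silently, no prompt.
# PromptOnSecureDesktop=0 draws the prompt on the normal desktop, where
# other windows can overlay or imitate it.
$checks = @(
    @{ Name = 'EnableLUA';                  Bad = { param($v) $v -ne 1 } }
    @{ Name = 'ConsentPromptBehaviorAdmin'; Bad = { param($v) $v -eq 0 } }
    @{ Name = 'PromptOnSecureDesktop';      Bad = { param($v) $v -ne 1 } }
)
foreach ($c in $checks) {
    $value = $uac.($c.Name)
    $flag  = if ($null -eq $value) { 'MISSING' } elseif (& $c.Bad $value) { 'TAMPERED?' } else { 'ok' }
    '{0,-10} {1,-28} = {2}' -f $flag, $c.Name, $value
}

# Part 2: MSI installers without a valid signature. The directories searched
# are an assumption; the report does not say where the installers are dropped.
$dropDirs = @($env:ProgramData, $env:TEMP, "$env:USERPROFILE\Downloads")
Get-ChildItem -Path $dropDirs -File -Recurse -Force -Filter *.msi -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path   = $_.FullName
            Status = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
            Signer = $sig.SignerCertificate.Subject   # $null when the file is unsigned
        }
    } |
    Where-Object { $_.Status -ne 'Valid' } |
    Format-Table -AutoSize
```

Neither part needs elevation to read. A 'TAMPERED?' line on a machine whose policy never set those values is the signal to look for; an enterprise may legitimately set ConsentPromptBehaviorAdmin to a value other than the default, so compare against your own baseline rather than the stock one.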
WhatsApp’s Making it Worse
Cybersecurity expert Yagub Rahimov, CEO of Polygraf AI, shared his thoughts on the attack. His company builds zero-trust security tools for national intelligence and defense agencies.
Rahimov said the attack chain relies solely on trust in tools, messaging apps, and cloud services. Nothing in the chain will appear fishy until it's already too late. And WhatsApp makes it even worse.
He pointed to a bigger problem here. Many employees use personal messaging apps on work devices. That habit creates a serious security gap.
Further, Rahimov explained that .vbs files delivered over WhatsApp bypass all the layers of controls (DLP, attachment scanning, email security) that have been put in place to block such threats.
The real-world consequences of such security gaps were on full display when Iran-linked hackers infiltrated Stryker's Microsoft environment, wiping data from employee devices and disrupting operations across 79 countries, showing that the gap between personal app usage and corporate security can have devastating consequences.
Additionally, he said the threat perimeter became wider the moment employees started to use personal messaging apps on work devices. And most security stacks haven’t been able to catch up.
How to Protect Your Computer
To keep this attack far away from you, here's what Microsoft recommends. Be careful with links you open in WhatsApp, and avoid opening WhatsApp attachments you weren't expecting.
Keep your antivirus active at all times. And if you ever receive a VBS file from someone on WhatsApp, don't even think about opening it: report it and delete it right away.
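A hardening step that goes beyond the advice quoted above, added here as an example (it is not among the recommendations attributed to Microsoft's report): on a machine where nobody legitimately runs .vbs files, turn off Windows Script Host through its documented Settings key so that a double-clicked attachment produces an error instead of running, and point the script file types at Notepad so an accidental open displays the source. It must run from an elevated PowerShell session.

```powershell
# Added hardening example, not one of the recommendations from Microsoft's
# report. Requires an elevated session. Disabling WSH also breaks any
# legitimate .vbs/.js logon or admin scripts, so confirm none are in use first.

# 1. Machine-wide WSH kill switch. wscript.exe and cscript.exe check this value
#    and refuse to run scripts when it is 0.
$wshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
if (-not (Test-Path $wshKey)) { New-Item -Path $wshKey -Force | Out-Null }
Set-ItemProperty -Path $wshKey -Name Enabled -Value 0 -Type DWord

# 2. Defense in depth: make the script ProgIDs open in Notepad instead of the
#    script host. Machine-wide classes live under HKLM\SOFTWARE\Classes; a
#    per-user entry under HKCU\SOFTWARE\Classes takes precedence, so warn if one
#    exists rather than silently leaving it in place.
$notepad = '"%SystemRoot%\System32\notepad.exe" "%1"'
$progIds = 'VBSFile', 'VBEFile', 'JSFile', 'JSEFile', 'WSFFile'
foreach ($progId in $progIds) {
    $cmdKey = "HKLM:\SOFTWARE\Classes\$progId\Shell\Open\Command"
    if (Test-Path $cmdKey) {
        Set-ItemProperty -Path $cmdKey -Name '(default)' -Value $notepad -Type ExpandString
    }
    $userKey = "HKCU:\SOFTWARE\Classes\$progId\Shell\Open\Command"
    if (Test-Path $userKey) {
        Write-Warning "Per-user override at $userKey takes precedence over HKLM; review it."
    }
}

# 3. Read the settings back so the change can be confirmed.
'WSH Enabled = {0}' -f (Get-ItemProperty -Path $wshKey -Name Enabled).Enabled
foreach ($progId in $progIds) {
    $cmdKey = "HKLM:\SOFTWARE\Classes\$progId\Shell\Open\Command"
    if (Test-Path $cmdKey) {
        '{0,-8} -> {1}' -f $progId, (Get-ItemProperty -Path $cmdKey).'(default)'
    }
}
```

The WSH switch alone stops the attachment from executing; the ProgID change is there so that a user who opens a .vbs anyway sees harmless text. Group Policy or an endpoint management tool can push the same two registry changes fleet-wide.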
This attack is a reminder that danger doesn’t always arrive through email anymore. It now shows up wherever you feel most comfortable, and that’s exactly the point.