Global WhatsApp Malware Campaign Exploits Compromised Accounts to Spread Remote Access Tools An active malware campaign is targeting WhatsApp users across at least 11 countries, including Brazil, India, Mexico, Singapore, the UK, Spain, Taiwan, Australia, Russia, Vietnam, and Malaysia. The attack leverages hijacked WhatsApp accounts to distribute malicious VBScript files disguised as business or financial documents such as billing statements or account notices sent by trusted contacts. Once executed, the VBScript initiates a multi-stage infection chain. It disables User Account Control (UAC) protections via Registry modifications and downloads a ZIP archive containing ManageEngine Endpoint Central, a legitimate IT management tool. The software is silently installed and configured to connect to attacker-controlled servers, granting threat actors remote administrative access to the victim’s system. Kaspersky’s telemetry reveals that the campaign’s infrastructure overlaps with IPs previously linked to ValleyRAT and Gh0st RAT activity, with traces of Chinese language use. However, attribution remains inconclusive. The method used to compromise the initial WhatsApp accounts also remains unclear. The attack exploits both WhatsApp Web (requiring manual file downloads) and the WhatsApp Desktop client (where files can execute automatically via Windows Script Host). While the campaign’s scope is global, its reliance on social engineering particularly through localized filenames highlights its adaptability to regional targets.

A sophisticated SEO poisoning campaign exploited Bing search results to distribute Bumblebee malware, leading to Akira ransomware attacks. Users searching for ManageEngine OpManager were redirected to a malicious site hosting a trojanized installer. The malware established command and control communications, escalated privileges, and exfiltrated domain account hashes. The attack culminated in ransomware deployment, encrypting systems within 44 hours and compromising child domains, causing significant operational disruption and data loss.

A severe security vulnerability identified as CVE-2025-3835 has been found in ManageEngine Exchange Reporter Plus. This vulnerability allows attackers to execute arbitrary commands on target servers through a flaw in the Content Search module. The vulnerability affects all installations with build 5721 and below. Security experts advise immediate updates to prevent complete system compromise, potential data breaches, and further malicious activities such as ransomware deployment.

A high-severity authentication vulnerability, identified as CVE-2025-1724, affected ManageEngine Analytics Plus on-premise versions before the 6130 build. Malicious actors could exploit the flaw to bypass AD authentication, gaining unauthorized access to user accounts and sensitive data. The issue was patched on March 11, 2025. Key management and encryption weaknesses allowed token capture and replay, leading to potential account takeovers and exposing organizations to data exfiltration, regulatory non-compliance, and escalation of privileges.