Signal
Microsoft warns of WhatsApp-delivered VBS malware campaign targeting Windows users
Evidence first: scan the strongest sources, then decide whether to go deeper.
Published 2026-04-01 11:19 UTCUpdated 2026-04-01 19:57 UTC
rss
malwarephishingincident_responsesecurity_tooling
Source links open
Source links and full evidence are open here. Archive history, compare-over-time, alerts, exports, API, integrations, and workflow are paid.
No card needed for the free brief.
Evidence trail (top sources)
top sources (4 domains)domains are deduped. counts indicate coverage, not truth.4 top sources shown
Overview
Microsoft has identified a new malware campaign distributing malicious Visual Basic Script (VBS) files via WhatsApp messages to Windows users.
Entities
MicrosoftMetaAWS
Score total
1.5
Momentum 24h
5
Posts
5
Origins
5
Source types
1
Duplicate ratio
0%
Why now
- The campaign has been active since late February 2026 and is currently ongoing.
- Microsoft recently issued warnings to raise awareness among Windows and WhatsApp users.
- New phishing tools like EvilTokens are expanding the threat landscape around Microsoft services.
Why it matters
- The campaign exploits trusted platforms and legitimate tools to evade detection and maintain persistence.
- WhatsApp desktop users are at risk of executing malicious scripts leading to remote compromise.
- The emergence of EvilTokens highlights increasing sophistication in Microsoft account phishing attacks.
LLM analysis
Topic mix: lowPromo risk: lowSource quality: high
Recurring claims
- WhatsApp messages are used to distribute malicious VBS files that establish persistence and remote access on Windows devices.
- The malware campaign uses living-off-the-land techniques and legitimate cloud platforms to evade detection.
- A new malicious kit called EvilTokens facilitates Microsoft device code phishing attacks for business email compromise.
How sources frame it
- Microsoft Defender Experts: neutral
All evidence
All evidence
Campaign combines WhatsApp with legit cloud platforms to deliver malicious VBS files
SC Media · scworld.com · 2026-04-01 19:57 UTC
New EvilTokens service fuels Microsoft device code phishing attacks
bleepingcomputer_all · bleepingcomputer.com · 2026-04-01 19:42 UTC
WhatsApp on Windows users targeted in new campaign, warns Microsoft
Malwarebytes Threat Analysis · malwarebytes.com · 2026-04-01 14:27 UTC
Microsoft Warns of WhatsApp-Delivered VBS Malware Hijacking Windows via UAC Bypass
The Hacker News · thehackernews.com · 2026-04-01 11:49 UTC
WhatsApp malware campaign uses malicious VBS files to gain persistent access
CSO Online · csoonline.com · 2026-04-01 11:19 UTC
Show filters & breakdown
Posts loaded: 0Publishers: 5Origin domains: 5Duplicates: -
Showing 5 / 0
Top publishers (this list)
- SC Media (1)
- bleepingcomputer_all (1)
- Malwarebytes Threat Analysis (1)
- The Hacker News (1)
- CSO Online (1)
Top origin domains (this list)
- scworld.com (1)
- bleepingcomputer.com (1)
- malwarebytes.com (1)
- thehackernews.com (1)
- csoonline.com (1)