WhatsApp malware invoice scam warning

if someone sends you an unexpected invoice, bank statement, payment record or debt notice over WhatsApp, do not open it just because it came from a familiar contact.

Kaspersky’s Global Research and Analysis Team (GReAT) has uncovered a large malware campaign spreading through WhatsApp, and the trick is depressingly simple. Attackers use WhatsApp accounts that have already been compromised, then send malicious attachments to the account owner’s existing contacts. That makes the message look less suspicious because, well, it appears to come from someone the recipient knows.

Targeting WhatsApp Desktop and WhatsApp Web users, the malicious files are VBScript attachments, which can run scripts on a Windows computer. Open a compromised file, and the machine can quietly start fetching more malicious components from external infrastructure.

The campaign has already been observed across multiple countries and territories, including Malaysia, Brazil, Singapore, Taiwan and Vietnam. Kaspersky says the highest number of observed victims is in Malaysia, while the use of multiple languages in file names points to wider regional targeting, especially across Europe.

The file names are the bait. Kaspersky says the attachments are disguised as routine business documents, including invoices, bank statements, account statements, payment records and debt notices. Some names have also been localised into English, Portuguese, French, German and Malay.

That matters because these are not random “click here to win a prize” messages. They look boring in exactly the same way work documents often do. And it’s boring that makes them dangerous.

Fareed Radzi, security researcher at Kaspersky GReAT, said:

“In this campaign, attackers are exploiting trust within messaging platforms by using compromised WhatsApp accounts to deliver malicious attachments that appear to originate from known contacts, making recipients far more inclined to engage with them. The file names are carefully disguised as routine business documents, such as invoices and payment notices, and localised across multiple languages to support broad targeting. Once opened, they trigger a staged infection chain that silently retrieves and executes additional malicious components from external infrastructure.”

The attack chain isn’t flashy, but it is effective. Once the file is opened, the script creates a working directory under C:\Users\Public\Documents\, downloads more script files and runs them through Windows Script Host. Follow-up scripts then download a compressed archive containing an installer for remote monitoring and management software.

That last bit is the real worry. Remote monitoring and management tools are not automatically malicious. IT teams use them legitimately to support and manage devices. But in the wrong hands, the same idea becomes a neat way for attackers to gain remote access and control.

This is also why WhatsApp users should not rely on the “but it came from someone I know” test. A compromised account can make a malicious message look personal, trusted and ordinary. The attacker does not need to convince a stranger. They borrow someone’s identity and let familiarity do the work.

There is a familiar pattern here. WhatsApp scams have often leaned on trusted contacts, urgent messages and files that look official. In Singapore, police had previously warned about malware scams involving phishing links sent through WhatsApp, where victims were deceived into installing malicious apps. Separately, Microsoft had also reported a WhatsApp malware campaign in 2026 that used Visual Basic Script files to begin a multi-stage infection and enable remote access.

That makes it especially relevant for small businesses, freelancers, finance teams, sales teams and anyone who regularly receives invoices, statements or payment notices over chat. Like, if WhatsApp is part of the way your office actually runs, this is the kind of scam that slips into the day without looking dramatic.

The advice to keep yourself safe is simple, but worth repeating:

Do not open unexpected attachments sent through WhatsApp, even if they appear to come from someone you know.
Be especially careful with script and executable files, including .vbs, .vbe, .exe, .bat, .cmd, .js and .ps1.
Verify unusual invoices, statements or payment notices through another channel before opening them. Call the sender, email them, or check through the usual business workflow.
Treat familiar contacts with caution if the message feels odd. Their WhatsApp account may have been compromised.
Keep security software active on computers and mobile devices, especially if WhatsApp Desktop or WhatsApp Web is used for work.
Update Windows, browsers and messaging apps regularly so known vulnerabilities are patched.
Avoid using WhatsApp as a document management system for sensitive work files, payment records or financial documents.
For businesses, block script execution where it is not needed and train staff to recognise risky file types.

WhatsApp itself also advises users to look closely at links and files before opening them, because something can appear legitimate at a glance and still be malicious.

The practical takeaway is this: invoices and payment notices are now part of the scammer’s costume box. If the file arrives out of nowhere, especially through WhatsApp Desktop or WhatsApp Web, pause before clicking.

Read Full Article At Source