{"id":63324,"date":"2026-06-24T10:13:07","date_gmt":"2026-06-24T02:13:07","guid":{"rendered":"https:\/\/sgbuzz.com\/?p=63324"},"modified":"2026-06-24T10:13:07","modified_gmt":"2026-06-24T02:13:07","slug":"whatsapp-malware-invoice-scam-warning","status":"publish","type":"post","link":"https:\/\/sgbuzz.com\/?p=63324","title":{"rendered":"WhatsApp malware invoice scam warning"},"content":{"rendered":"


\n
<\/p>\n

\n

if someone sends you an unexpected invoice, bank statement, payment record or debt notice over WhatsApp, do not open it<\/b> just because it came from a familiar contact.<\/p>\n

Kaspersky\u2019s Global Research and Analysis Team (GReAT) has uncovered a large malware campaign spreading through WhatsApp, and the trick is depressingly simple. Attackers use WhatsApp accounts that have already been compromised, then send malicious attachments to the account owner\u2019s existing contacts. That makes the message look less suspicious because, well, it appears to come from someone the recipient knows.<\/p>\n

Targeting WhatsApp Desktop<\/b> and WhatsApp Web users<\/b>, the malicious files are VBScript attachments, which can run scripts on a Windows computer. Open a compromised file, and the machine can quietly start fetching more malicious components from external infrastructure.<\/p>\n

The campaign has already been observed across multiple countries and territories, including Malaysia<\/b>, Brazil<\/b>, Singapore<\/b>, Taiwan<\/b> and Vietnam<\/b>. Kaspersky says the highest number of observed victims is in Malaysia, while the use of multiple languages in file names points to wider regional targeting, especially across Europe.<\/p>\n

The file names are the bait. Kaspersky says the attachments are disguised as routine business documents<\/b>, including invoices, bank statements, account statements, payment records and debt notices. Some names have also been localised into English, Portuguese, French, German and Malay.<\/p>\n

That matters because these are not random \u201cclick here to win a prize\u201d messages. They look boring in exactly the same way work documents often do. And it\u2019s boring that makes them dangerous.<\/p>\n

Fareed Radzi, security researcher at Kaspersky GReAT, said:<\/p>\n

\n

\u201cIn this campaign, attackers are exploiting trust within messaging platforms by using compromised WhatsApp accounts to deliver malicious attachments that appear to originate from known contacts, making recipients far more inclined to engage with them. The file names are carefully disguised as routine business documents, such as invoices and payment notices, and localised across multiple languages to support broad targeting. Once opened, they trigger a staged infection chain that silently retrieves and executes additional malicious components from external infrastructure.\u201d<\/p>\n<\/div>\n

The attack chain isn\u2019t flashy, but it is effective. Once the file is opened, the script creates a working directory under C:\\Users\\Public\\Documents\\, downloads more script files and runs them through Windows Script Host. Follow-up scripts then download a compressed archive containing an installer for remote monitoring and management software.<\/p>\n

That last bit is the real worry. Remote monitoring and management tools are not automatically malicious. IT teams use them legitimately to support and manage devices. But in the wrong hands, the same idea becomes a neat way for attackers to gain remote access and control.<\/p>\n

This is also why WhatsApp users should not rely on the \u201cbut it came from someone I know\u201d test. A compromised account can make a malicious message look personal, trusted and ordinary. The attacker does not need to convince a stranger. They borrow someone\u2019s identity and let familiarity do the work.<\/p>\n

There is a familiar pattern here. WhatsApp scams have often leaned on trusted contacts, urgent messages and files that look official. In Singapore, police had previously warned about malware scams<\/u> involving phishing links sent through WhatsApp, where victims were deceived into installing malicious apps. Separately, Microsoft had also reported a WhatsApp malware campaign in 2026<\/u> that used Visual Basic Script files to begin a multi-stage infection and enable remote access.<\/p>\n

That makes it especially relevant for small businesses, freelancers, finance teams, sales teams and anyone who regularly receives invoices, statements or payment notices over chat. Like, if WhatsApp is part of the way your office actually runs, this is the kind of scam that slips into the day without looking dramatic.<\/p>\n

The advice to keep yourself safe is simple, but worth repeating:<\/p>\n

\n