A VBScript Campaign Distributed Through WhatsApp Deploying RMM Software

    Date: 06/23/2026

    Severity: High

    Summary

    This campaign uses social engineering through compromised WhatsApp accounts to distribute malicious VBScript (VBS) attachments, which ultimately deploy malware in the form of a preconfigured ManageEngine Endpoint Central agent on victim systems. The activity has been observed across multiple countries, including Malaysia, Brazil, India, Mexico, Singapore, the United Kingdom, Spain, Taiwan, Australia, Russia, and Vietnam, indicating a broad and opportunistic campaign. Because the messages arrive from trusted contacts, victims are more likely to open the attachment and execute the malware. The campaign underscores the continued effectiveness of social engineering, malware delivery, and trusted-account abuse as initial access techniques. Users should be cautious with unexpected attachments received via WhatsApp and should not open script or executable files such as VBS, VBE, EXE, BAT, CMD, JS, and PS1 unless their legitimacy has been independently verified.

    Indicators of Compromise (IOC) List


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    dstipaddress IN ("38.55.151.63","202.61.160.201","202.61.160.137","202.61.160.202","202.61.160.208","202.61.160.160") or srcipaddress IN ("38.55.151.63","202.61.160.201","202.61.160.137","202.61.160.202","202.61.160.208","202.61.160.160")

    Detection Query 2:

    domainname like "qse.shoppes.help" or url like "qse.shoppes.help" or siteurl like "qse.shoppes.help" or domainname like "hksha3.s3.ap-southeast-1.amazonaws.com" or url like "hksha3.s3.ap-southeast-1.amazonaws.com" or siteurl like "hksha3.s3.ap-southeast-1.amazonaws.com" or domainname like "invoice.msopsa.top" or url like "invoice.msopsa.top" or siteurl like "invoice.msopsa.top" or domainname like "temu.baskwms.top" or url like "temu.baskwms.top" or siteurl like "temu.baskwms.top" or domainname like "sdcwww.oss-ap-southeast-1.aliyuncs.com" or url like "sdcwww.oss-ap-southeast-1.aliyuncs.com" or siteurl like "sdcwww.oss-ap-southeast-1.aliyuncs.com" or domainname like "facaia.s3.us-east-005.backblazeb2.com" or url like "facaia.s3.us-east-005.backblazeb2.com" or siteurl like "facaia.s3.us-east-005.backblazeb2.com" or domainname like "baoyuw2s.s3.ap-southeast-1.amazonaws.com" or url like "baoyuw2s.s3.ap-southeast-1.amazonaws.com" or siteurl like "baoyuw2s.s3.ap-southeast-1.amazonaws.com" or domainname like "sjdkjj23.s3.ap-southeast-1.amazonaws.com" or url like "sjdkjj23.s3.ap-southeast-1.amazonaws.com" or siteurl like "sjdkjj23.s3.ap-southeast-1.amazonaws.com" or domainname like "caiwuascw.s3.us-east-005.backblazeb2.com" or url like "caiwuascw.s3.us-east-005.backblazeb2.com" or siteurl like "caiwuascw.s3.us-east-005.backblazeb2.com" or domainname like "baolongwes.oss-ap-southeast-1.aliyuncs.com" or url like "baolongwes.oss-ap-southeast-1.aliyuncs.com" or siteurl like "baolongwes.oss-ap-southeast-1.aliyuncs.com" or domainname like "yifubafu.s3.ap-southeast-1.amazonaws.com" or url like "yifubafu.s3.ap-southeast-1.amazonaws.com" or siteurl like "yifubafu.s3.ap-southeast-1.amazonaws.com" or domainname like "xijkwm2.s3.ap-southeast-1.amazonaws.com" or url like "xijkwm2.s3.ap-southeast-1.amazonaws.com" or siteurl like "xijkwm2.s3.ap-southeast-1.amazonaws.com" or domainname like "baoxis.cc" or url like "baoxis.cc" or siteurl like "baoxis.cc" or domainname like "shaaslong.one" or url like "shaaslong.one" or siteurl like "shaaslong.one"

    Detection Query 3:

    md5hash IN ("8c3322009b8982663c0cbecd9492e7eb","d01cad98dd0d01b75e04e784953c5e2b","8c6d9fc389ad3f20ccbc71d77eb39bfa","68c16c46f8afb9e00bbaba0207fb0a46","4044e4b6471c9de7b0a4ba37d9d9df9a","6359e6236471cbe434d0ef4c42b7f879","5002eca748205d544618e3bd2dedc223","79ecd61b09b0f2d54b34586c916c4ec9","6c39900d77dcba158e1d27c7619cb06d","c7f38cbb99c8b74fa0465293feeba700","1d94fbe9cab21278cc3f104bea334d08","993f4c0cadbc769a4b0ed62a918db58d","4f0593e8e0e8fac49429e9b45ebf7fa1","05d188f071d097f5b6bd8138749b4b14","74fd9f91fc93b6288b4fc253ea5b3e20","7f16449cd0c4862d1eadf8a5742bf09a","66705384a7ad81d14c34fc6c054a0ecf","63ac85195b73753333316a889cf5880f","7849061c536a3efb05a56d504694e7e7","2c6f05f1f309d89b2236e6c8b59c88f9","31037a42ca048e06e69a78f55bc2eff5","66442f2457eca8f47385b1fb2c6fcab8","f90ed4b2d0b67114aa89ddfed658e5c0","b7cd06c71465038b658a6dc1f273a507","1a3cc75466ffb1971482f7abf7aabc3f","20209b3a32769afc6a75694b8d8839dd","dad708e050632a4280cabf98ac1376b7","ddaffe9849f7f3c79f8804adb9a6b3d5","df4fa0369eaca5cec348be293890d4af","9f13c7b8ba391b2f597874e54d310648","7f81c1bc8cfd588e8998968e2621456e","1c47c63e5ed25060d95359c57c77b107","3b1aba44dd3d9b6339b6f56e2f42034b","d06333c360b51456f427e616c3c5f8bd","d43fdaa1f0ee09d7e5f0f94ee9df7b6c","0ba93109757776a44de9d8c88baa4963","02bb20455cc592a69c080abac770ce90","7403cbcc5a9c32384d431856dc48fcc9","9d9ac85765e4a818a3ccabe2cf4fef82","6fb6a55424adfb61e31f06aef33273e5","5b6bbcc06cf08cc99e1afeda486d42fb")
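    As an added illustration (not part of the advisory or of Gurucul's product), the Python below applies the same three rules to a few constructed log records. The `like` clauses in Query 2 carry no wildcards, so on a backend where `like` without a wildcard is an exact comparison, a full URL such as https://temu.baskwms.top/invoice.vbs in the url field would not match; the example therefore reduces URL fields to a host name before comparing and also flags subdomains of the listed domains. Only a subset of the advisory's domains and hashes is embedded to keep it short.

```python
"""Added example, not from the advisory: evaluate the three IOC queries
above against log records, normalising URL fields to a host name first."""
from urllib.parse import urlsplit

# IOC values taken from the advisory above (domains and hashes are a subset).
IOC_IPS = {"38.55.151.63", "202.61.160.201", "202.61.160.137",
           "202.61.160.202", "202.61.160.208", "202.61.160.160"}
IOC_HOSTS = {"temu.baskwms.top", "invoice.msopsa.top", "qse.shoppes.help",
             "shaaslong.one", "baoxis.cc",
             "hksha3.s3.ap-southeast-1.amazonaws.com"}
IOC_MD5 = {"c7f38cbb99c8b74fa0465293feeba700",
           "993f4c0cadbc769a4b0ed62a918db58d"}

def host_of(value):
    """Reduce a full URL or a bare host to a lower-case host name."""
    v = value.strip().lower()
    if "://" not in v:
        v = "//" + v          # let urlsplit treat a bare host as the netloc
    return urlsplit(v).hostname or ""

def host_matches(host):
    """Query 2: host equals an IOC domain or is a subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in IOC_HOSTS)

def match_record(rec):
    """Return the query numbers (1, 2, 3) that fire for one log record."""
    hits = []
    if rec.get("srcipaddress") in IOC_IPS or rec.get("dstipaddress") in IOC_IPS:
        hits.append(1)                                   # Query 1
    if any(host_matches(host_of(rec[f]))
           for f in ("domainname", "url", "siteurl") if rec.get(f)):
        hits.append(2)                                   # Query 2
    if (rec.get("md5hash") or "").lower() in IOC_MD5:
        hits.append(3)                                   # Query 3, case-insensitive
    return hits

# Constructed sample records, not real telemetry.
SAMPLE_LOGS = [
    {"srcipaddress": "10.0.0.5", "dstipaddress": "202.61.160.202"},
    {"url": "https://temu.baskwms.top/invoice.vbs"},   # full URL, exact match would miss
    {"domainname": "cdn.shaaslong.one"},                # subdomain of an IOC domain
    {"md5hash": "C7F38CBB99C8B74FA0465293FEEBA700"},     # upper-case hash
    {"url": "https://example.com/",
     "md5hash": "d41d8cd98f00b204e9800998ecf8427e"},     # MD5 of an empty file, benign
]

def scan(records):
    """Return (index, fired queries) for every record that matches at least one rule."""
    return [(i, match_record(r)) for i, r in enumerate(records) if match_record(r)]
```

Running scan(SAMPLE_LOGS) flags the first four records and leaves the benign fifth one alone.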

    Reference:

    https://securelist.com/whatsapp-vbs-rmm-campaign/120290/


    Tags

    Vietnam, United Kingdom, Malware, WhatsApp, RMM, Social Engineering, Malaysia, Brazil, India, Mexico, Singapore, Spain, Taiwan, Australia, Russia
