Malaysia's Computer Emergency Response Team (MyCert) has raised the alarm about a malware campaign that abuses WhatsApp Web and Desktop as a delivery channel to compromise Windows computers across the country. The threat uses a time-tested combination of social engineering and technical deception: attackers craft messages that appear legitimate while the attached file, named to look like routine paperwork, is in fact a script.
The attack vector centres on malicious attachments designed to mimic routine financial and legal correspondence. Victims receive files with names such as "Acknowledgment of Debt.vbs", "Sila semak bil anda.vbs" (Malay for "Please check your bill"), "December statement of account.vbs", and "Reconciliation.vbs", all purporting to be standard business documents. The deliberate use of Malay in some filenames suggests the attackers are specifically targeting Malaysian recipients, and understand which local communication patterns and document types will look credible.
The critical distinction between appearance and reality lies in the file extension. Although the names read like documents, a .vbs file is a Visual Basic Script, and Windows does not open it in a viewer: on double-click it hands the file to Windows Script Host (wscript.exe), which runs it. This technicality proves decisive. When a user opens what they believe to be a statement or letter, the script runs immediately, with no document ever appearing and no further prompt, and the infection begins. With Explorer's default "Hide extensions for known file types" setting, the .vbs suffix is not even displayed, so the moment at which the user might have questioned the file's legitimacy never arrives.
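As an added illustration, not code from the MyCert advisory or this article, the following Python function judges an attachment name by what Windows will actually do with it on double-click rather than by what the name suggests. It is written as a gateway or chat-export filter would be: the last extension decides, a document extension hidden in front of a script extension is flagged, and the right-to-left override trick is caught as well. The names quoted in the advisory are included as samples alongside constructed ones; the extension sets are assumptions chosen for illustration, not an exhaustive policy.

```python
"""Classify attachment names by the handler Windows will actually invoke.

Added example, not code from the MyCert advisory. The extension sets below
are assumptions chosen for illustration, not an exhaustive policy.
"""
import os
from typing import List, NamedTuple

# Extensions Windows hands to a script host or loader on double-click.
EXECUTABLE_EXTS = {
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",   # Windows Script Host / mshta
    ".exe", ".scr", ".com", ".pif", ".msi", ".cpl",           # native loaders
    ".bat", ".cmd", ".ps1", ".lnk",                           # shells and shortcuts
}
# Extensions a recipient expects for routine statements, bills and letters.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


class Verdict(NamedTuple):
    risk: str       # "block", "review" or "allow"
    reason: str


def classify_attachment(filename: str) -> Verdict:
    """Judge a file by its *last* extension, the only one Windows acts on."""
    base = os.path.basename(filename.replace("\\", "/"))
    if "\u202e" in base:
        # Right-to-left override: Explorer renders "Invoice\u202efdp.vbs" as
        # "Invoicesbv.pdf" while the real extension is still .vbs.
        return Verdict("block", "right-to-left override in name hides the real extension")
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    inner = os.path.splitext(stem)[1].lower()
    if ext in EXECUTABLE_EXTS:
        if inner in DOCUMENT_EXTS:
            # With "Hide extensions for known file types" on, Explorer shows
            # "Invoice.pdf.vbs" simply as "Invoice.pdf".
            return Verdict("block", f"{ext} disguised as {inner} by a double extension")
        return Verdict("block", f"{ext} runs under a script host or loader, not a viewer")
    if ext in DOCUMENT_EXTS:
        return Verdict("allow", f"{ext} opens in a document viewer")
    return Verdict("review", f"unrecognised extension {ext or '(none)'}")


def triage(filenames: List[str]) -> List[str]:
    """Return the names that must not reach the user."""
    return [n for n in filenames if classify_attachment(n).risk == "block"]


# Names quoted in the advisory, followed by constructed variants of the same trick.
SAMPLE_NAMES = [
    "Acknowledgment of Debt.vbs",
    "Sila semak bil anda.vbs",
    "December statement of account.vbs",
    "Reconciliation.vbs",
    "Invoice.pdf.vbs",                     # constructed: double extension
    "Invoice\u202efdp.vbs",                # constructed: right-to-left override
    "December statement of account.pdf",   # constructed: a genuine document
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        verdict = classify_attachment(name)
        print(f"{verdict.risk:6} {name!r}: {verdict.reason}")
```

On endpoints that have no business running .vbs files at all, the cheaper control is to disable Windows Script Host outright (set the DWORD Enabled to 0 under HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings) or to reassociate .vbs with Notepad; after that a double-click on any of the names above opens text instead of executing it.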
Once activated, the malicious script installs a Remote Access Trojan (RAT) onto the compromised system, fundamentally undermining the device's security. A RAT grants attackers the ability to assume remote control of the computer, accessing files, applications, and system functions as though they were physically present at the keyboard. More insidiously, this access persists even after the device reboots, establishing a persistent foothold that allows ongoing surveillance and exploitation.
The sophistication of this malware extends beyond simple intrusion. According to the advisory, the script disables security prompts and protection mechanisms that would normally alert the user or antivirus software to suspicious activity. With those defences neutralised, the attackers operate in near-complete silence, capturing everything displayed on or typed into the compromised device. Passwords, banking PINs, and one-time passwords become visible to them, and MyCert warns that a conventional antivirus scan may not detect or flag the infection.
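The chain described in the last two paragraphs (script host launched on an attachment, a second stage pulled in, protection switched off, and an autorun entry to survive reboot) is exactly what endpoint telemetry can catch even when a file scan does not. The following added example, which is not code from the advisory, runs four such detection rules over constructed Sysmon-style events: field names follow Sysmon's schema (EventID 1 is process creation, EventID 13 is a registry value set), but the paths, command lines and the Defender-tampering command are made up for illustration and do not describe what this specific campaign's script does.

```python
"""Detection rules for a script-to-RAT chain, run over constructed
Sysmon-style events. Added example, not code from the MyCert advisory;
the event contents are invented and the indicator lists are assumptions.
"""
import re
from typing import Dict, Iterable, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SECOND_STAGE = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
SCRIPT_FILE = re.compile(r"\.(vbs|vbe|js|jse|wsf|hta)\b", re.I)
USER_WRITABLE = re.compile(r"\\(downloads|appdata|temp|tmp|desktop|public)\\", re.I)
RUN_KEYS = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\|\\Winlogon\\Shell", re.I)
# Command-line fragments that weaken Defender or UAC (assumed tampering indicators).
DEFENCE_TAMPER = re.compile(
    r"DisableRealtimeMonitoring|DisableBehaviorMonitoring|Add-MpPreference.*ExclusionPath|EnableLUA",
    re.I)


def _exe(path: str) -> str:
    """Bare executable name, lower-cased, from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: Iterable[Dict]) -> List[str]:
    alerts: List[str] = []
    for e in events:
        if e.get("EventID") == 1:
            image, parent = _exe(e["Image"]), _exe(e["ParentImage"])
            cmd = e.get("CommandLine", "")
            # 1. A script host running a script straight out of a user-writable
            #    folder: what a double-clicked chat attachment looks like.
            if image in SCRIPT_HOSTS and SCRIPT_FILE.search(cmd) and USER_WRITABLE.search(cmd):
                alerts.append(f"script attachment executed: {cmd}")
            # 2. The script launching a shell or living-off-the-land binary for stage two.
            if parent in SCRIPT_HOSTS and image in SECOND_STAGE:
                alerts.append(f"{parent} spawned {image}: {cmd}")
            # 3. Anything switching protection mechanisms off.
            if DEFENCE_TAMPER.search(cmd):
                alerts.append(f"defence tampering: {cmd}")
        elif e.get("EventID") == 13:
            # 4. Reboot persistence: an autorun value that re-launches a script.
            details = e.get("Details", "")
            if RUN_KEYS.search(e["TargetObject"]) and (
                    SCRIPT_FILE.search(details) or re.search(r"wscript|cscript|mshta", details, re.I)):
                alerts.append(f"script persistence: {e['TargetObject']} = {details}")
    return alerts


# Constructed events: one benign document open, the infection chain, one benign autorun.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\ali\Downloads\December statement.docx"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\ali\Downloads\Reconciliation.vbs"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'powershell.exe -w hidden -ep bypass -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1004\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r'wscript.exe //B "C:\Users\ali\AppData\Roaming\Updater\svc.vbs"'},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1004\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\ali\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Rule 1 on its own is noisy in environments where administrators legitimately run logon scripts from network shares, which is why it is restricted to user-writable locations; rules 2 to 4 are the ones that separate a curious user opening the wrong file from a completed infection, and the persistence rule is also the place to start when hunting for the foothold on a machine that has already been compromised.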
MyCert's advisory emphasises the fundamental importance of user vigilance. The organisation strongly recommends that individuals refrain from opening or executing any files received through messaging platforms when their origin or legitimacy cannot be independently verified. Equally important is avoiding the instinctive action of forwarding suspicious files to colleagues or family members in an attempt to warn them, as this inadvertently spreads the infection further.
For those who have already fallen victim to this attack, MyCert's guidance is unambiguous: assume the device has been completely compromised. Immediate action is essential, beginning with disconnecting the infected computer from the network (unplug the cable or switch off Wi-Fi) to sever the attacker's remote access channel. Users should simultaneously begin securing their online accounts by changing passwords from a separate, clean device. Any credential entered on the compromised system, including one-time passwords typed while the RAT was active, must be treated as exposed and rotated across banking platforms, email providers, and other sensitive services.
Users should resist the temptation to engage with the attacker. Replying to messages containing malicious attachments confirms to threat actors that the phone number or account is actively monitored, potentially escalating targeting. Instead, MyCert advises reporting the message directly through WhatsApp's built-in reporting feature and simultaneously notifying MyCert through Cyber999, Malaysia's cybersecurity incident reporting platform, at [email protected]. Reports should include screenshots of the message, precise timestamps, and the sender's contact information to assist investigators.
Employees working with corporate devices face additional complications and responsibilities. An infection on a company computer potentially compromises not only personal data but also corporate systems, intellectual property, and the security posture of the entire organisation. Those using work devices must immediately notify their IT department, allowing security teams to assess the breach's scope and implement containment measures across the network.
Removal of the RAT presents technical challenges that exceed what a routine antivirus scan can handle. Because the malware is designed to evade conventional security tools, professional remediation often becomes necessary, and MyCert recommends engaging qualified cybersecurity professionals rather than relying on standard scanning alone. The persistence mechanisms a RAT installs mean that an incomplete clean-up can leave the foothold intact, allowing reinfection after the system appears to be clean; where the device cannot be examined by a professional, the safe course is to back up documents and rebuild the operating system.
The campaign highlights the ongoing vulnerability of messaging platforms to malware distribution, despite their widespread use for business and personal communication. WhatsApp's end-to-end encryption protects a message in transit, but it says nothing about what the attachment will do once opened, and the platform's ubiquity and informality make it an attractive delivery channel for social engineering. Malaysian users, like their counterparts globally, must maintain heightened awareness when receiving unsolicited files, regardless of platform.
This incident also underscores broader regional cybersecurity challenges in Southeast Asia, where rapidly increasing digital adoption outpaces security awareness. As businesses and individuals increasingly rely on digital communication and financial services, threat actors continuously refine techniques to exploit the gap between convenience and security consciousness. MyCert's public warnings serve not merely as notifications of specific threats but as part of a broader education strategy to strengthen the cybersecurity posture across Malaysia's digital ecosystem.
