LOADING...
Received invoice on WhatsApp? It may be malware
The campaign mainly targets WhatsApp Desktop and Web users

Received invoice on WhatsApp? It may be malware

Jul 07, 2026
03:19 pm

What's the story

The Indian Computer Emergency Response Team (CERT-In) has issued a cybersecurity alert regarding a new malware campaign. The attack is being propagated through WhatsApp by using fake invoices, bank statements, and other business-related documents. CERT-In has warned users against opening suspicious attachments, even if they are from known contacts. The campaign mainly targets WhatsApp Desktop and Web users.

Account compromise

Cybercriminals hijacking legitimate WhatsApp accounts

According to CERT-In, cybercriminals are hijacking legitimate WhatsApp accounts to distribute malicious attachments. These attachments are disguised as common business documents with names like invoices, payment records, bank statements, account statements, debt notices, and acknowledgement receipts. The filenames have been localized in several languages including English, Portuguese, French, German, and Malay. This suggests that the campaign has a wide reach across different regions.

Deceptive tactics

Malicious scripts disguised as Windows update components

The malicious scripts in this campaign are designed to look like legitimate Microsoft Windows Update components. They contain comments and metadata that further disguise their true nature. When a user opens an infected VBScript file, it triggers a series of actions on their Windows computer, including creating a working directory under the Public Documents folder and downloading additional scripts from attacker-controlled infrastructure.

Advertisement

Remote control

Potential impact of successful attack

The malware from the initial VBScript file downloads and extracts a compressed archive before installing a Remote Monitoring and Management (RMM) package. This gives attackers remote access to the compromised device. CERT-In has warned that a successful attack could lead to unauthorized remote access, credential theft, deployment of additional malware, data exfiltration, lateral movement within organizational networks, and business disruption potentially leading to financial losses.

Advertisement

Safety measures

CERT-In's recommendations for users

CERT-In has advised users not to open unexpected attachments received through WhatsApp, especially those with .vbs extensions or claiming to be invoices/bank statements. Users should verify the authenticity of such files with the sender through another communication channel before opening them. The agency also recommends keeping Windows systems and antivirus software up-to-date, enabling endpoint protection, and educating users about phishing/social engineering attacks.

Advertisement