Malaysia's cybersecurity centre MyCert has sounded an alarm over an active malware campaign leveraging WhatsApp Web and Desktop to target Windows users across the country. The threat actors are employing sophisticated social engineering techniques, crafting deceptive messages that reference common financial and legal matters to manipulate recipients into opening dangerous files. This latest warning underscores the evolving sophistication of cybercriminals who exploit trusted communication platforms to distribute malicious code.

The attack methodology relies on disguising malicious files as the ordinary documents users encounter regularly in their professional and personal lives. Perpetrators send messages containing Visual Basic Script files (.vbs) bearing names such as "Acknowledgment of Debt.vbs", "Sila semak bil anda.vbs" (Malay for "Please check your bill"), "December statement of account.vbs", and "Reconciliation.vbs". The naming is deliberately misleading: it is chosen to look like a PDF document or legitimate correspondence that would not raise suspicion when received through a messaging platform, even though the file is a script rather than a document. This deception capitalises on user habits, since financial statements, debt acknowledgements, and billing documents are routinely exchanged via digital channels.
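As an added illustration, not part of the MyCert advisory or of this article, the following Python routine shows how a defender might triage attachment names the way the advisory describes: a Windows Script Host extension combined with a document-style, financial or legal name. The four lure names are the ones quoted above; the other sample messages, the sender labels, the keyword list and the extra script extensions (.vbe, .js, .jse, .wsf, .wsh) are my own constructed assumptions that generalize the same trick beyond .vbs.

```python
import re
from dataclasses import dataclass, field

# Extensions that Windows Script Host executes on double-click. The MyCert
# advisory mentions only .vbs; the others are assumed generalizations.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}

# Document extensions a lure may borrow as a "double extension"
# (Windows hides known extensions by default, so "Invoice.pdf.vbs"
# is displayed as "Invoice.pdf").
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}

# English and Malay words echoing the financial/legal themes of the lures
# (keyword list is an assumption, not from the advisory).
LURE_KEYWORDS = ("debt", "bil", "invoice", "statement", "account", "reconciliation",
                 "semak", "payment", "bayaran", "notice", "saman")


@dataclass
class Verdict:
    filename: str
    is_script: bool
    risk: str                       # "low", "medium" or "high"
    reasons: list = field(default_factory=list)


def triage_filename(name: str) -> Verdict:
    """Classify one attachment name by extension and naming deception signals."""
    lower = name.strip().lower()
    stem, dot, ext = lower.rpartition(".")
    ext = "." + ext if dot else ""
    if ext not in SCRIPT_EXTENSIONS:
        return Verdict(name, False, "low")

    reasons = [f"executable script extension {ext}"]
    # Double extension: "statement.pdf.vbs" pretends to be a PDF.
    for dext in sorted(DOCUMENT_EXTENSIONS):
        if stem.endswith(dext):
            reasons.append(f"document extension {dext} hidden before {ext}")
    # Lure vocabulary: tokenise on non-letters so "Invoice_0923" still yields "invoice".
    tokens = set(re.findall(r"[a-z]+", stem))
    hits = [k for k in LURE_KEYWORDS if k in tokens]
    if hits:
        reasons.append("financial/legal lure words: " + ", ".join(hits))

    # A script is always worth a look; a script dressed up as a document is high risk.
    risk = "high" if len(reasons) > 1 else "medium"
    return Verdict(name, True, risk, reasons)


def flag_messages(messages):
    """Return (sender, filename, risk, reasons) for every message whose attachment is a script."""
    flagged = []
    for msg in messages:
        verdict = triage_filename(msg["attachment"])
        if verdict.is_script:
            flagged.append((msg["sender"], msg["attachment"], verdict.risk, verdict.reasons))
    return flagged


# Constructed sample: the first four names are the lures quoted by MyCert,
# the rest are made-up benign and double-extension examples.
SAMPLE_MESSAGES = [
    {"sender": "sender-A", "attachment": "Acknowledgment of Debt.vbs"},
    {"sender": "sender-A", "attachment": "Sila semak bil anda.vbs"},
    {"sender": "sender-B", "attachment": "December statement of account.vbs"},
    {"sender": "sender-B", "attachment": "Reconciliation.vbs"},
    {"sender": "sender-C", "attachment": "Invoice_0923.pdf.vbs"},
    {"sender": "sender-D", "attachment": "holiday_photo.jpg"},
    {"sender": "sender-E", "attachment": "Quarterly report.pdf"},
]

if __name__ == "__main__":
    for sender, filename, risk, reasons in flag_messages(SAMPLE_MESSAGES):
        print(f"{risk.upper():6} {sender:10} {filename!r}: {'; '.join(reasons)}")
```

The classification is deliberately conservative: any Windows Script Host extension arriving over a chat channel is flagged at least "medium", and the keyword and double-extension checks only raise the priority. A real deployment would feed this from the messaging client's download folder or a mail/chat gateway rather than from the constructed list above.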

The technical mechanism behind the attack demonstrates considerable sophistication. When an unsuspecting user opens one of these .vbs files, Windows runs it as a script rather than displaying a document, initiating an infection chain that rapidly compromises system security. The malware installs a Remote Access Trojan (RAT) on the victim's computer, granting attackers unauthorised remote access and control. Critically, the RAT maintains persistent access even after the infected device restarts, so attackers can continue their activities across multiple sessions without the user's knowledge or consent.

Once established, the malware systematically disables security prompts and antivirus alerts, allowing it to operate covertly within the system. This stealth capability is particularly dangerous because it enables attackers to conduct extensive information harvesting operations without triggering the defensive mechanisms that Windows users typically rely upon. The malware intercepts sensitive data entered or displayed on the compromised machine, capturing everything from account passwords to banking personal identification numbers and one-time passwords used for authentication.

For Malaysian users and businesses operating across Southeast Asia, the implications of this threat are substantial. Banking credentials and authentication codes are especially valuable to cybercriminals, who can use them to conduct fraudulent transactions, drain accounts, or transfer funds before victims discover the breach. The capture of one-time passwords is particularly concerning because it defeats the two-factor authentication protections that many financial institutions have implemented to guard against unauthorised access. A single compromised Windows computer could therefore expose an entire portfolio of financial accounts belonging to one person or multiple family members sharing the device.

MyCert's advisory emphasises that users should exercise extreme caution with unsolicited messages containing file attachments, particularly those claiming to be documents related to financial or legal matters. The agency specifically recommends that users refrain from opening or executing suspicious files under any circumstances, and that they do not forward such files to contacts, as this would inadvertently propagate the malware through extended networks. Replying to the sender should also be avoided, as doing so confirms to the attacker that the targeted phone number is active and monitored by a real person, potentially making that account subject to additional social engineering attempts.

Users who suspect they have already opened or executed one of these malicious files should immediately assume their device is compromised and act accordingly. MyCert advises disconnecting the affected computer from the internet to prevent the attacker from maintaining remote access and continuing to exfiltrate sensitive information. This is a critical containment step that should be performed before taking any other action. Corporate users should simultaneously notify their organisation's information technology or cybersecurity team, as the infection could potentially spread to networked systems or compromise enterprise data and resources.

The recovery process requires comprehensive remediation beyond standard antivirus solutions. Because the installed RAT is designed to evade conventional antivirus detection methods, running a standard security scan is unlikely to identify or remove the malicious components. MyCert recommends engaging professional cybersecurity services to properly disinfect the system and ensure complete removal of the threat. This investment in expert assistance is warranted given the high-value targets that attackers focus on: banking credentials and authentication mechanisms that provide direct access to users' financial assets.

Simultaneously, all passwords, PINs, and other sensitive credentials accessed on the compromised device must be changed immediately using a separate, clean device that has not been exposed to the malware. This includes passwords for email accounts, banking platforms, social media accounts, and any other service that could be leveraged for further exploitation. Any information entered on the infected system should be treated as fully exposed to attackers, requiring a comprehensive credential reset across all relevant platforms.

MyCert encourages affected users to report the attack through official channels to aid in collective defence efforts. Messages containing the malware, including screenshots, timestamps, and sender phone numbers, should be forwarded to the Cyber999 email address at [email protected]. Simultaneously, users should report the offending messages directly within WhatsApp's reporting interface. This coordinated reporting approach helps Malaysian authorities track infection vectors, identify patterns in attacker behaviour, and develop targeted responses. As cybersecurity threats increasingly target Malaysian users and businesses engaged in digital commerce and banking, public awareness and rapid reporting mechanisms become essential tools for protecting the broader digital ecosystem across the region.