{"id":229822,"date":"2026-03-31T17:18:00","date_gmt":"2026-03-31T21:18:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/03\/31\/dont-open-that-whatsapp-message-microsoft-warns-the-register\/"},"modified":"2026-03-31T20:40:19","modified_gmt":"2026-04-01T00:40:19","slug":"dont-open-that-whatsapp-message-microsoft-warns-the-register","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/03\/31\/dont-open-that-whatsapp-message-microsoft-warns-the-register\/","title":{"rendered":"Don&#8217;t open that WhatsApp message, Microsoft warns \u2022 The Register"},"content":{"rendered":"<p><a href=\"https:\/\/www.theregister.com\/2026\/03\/31\/whatsapp_message_bad_msi_packages\/?tdu003dkeepreading\">Don&#8217;t open that WhatsApp message, Microsoft warns \u2022 The Register<\/a><\/p>\n<p><a href=\"https:\/\/www.theregister.com\/2026\/03\/31\/whatsapp_message_bad_msi_packages\/?tdu003dkeepreading\">https:\/\/www.theregister.com\/2026\/03\/31\/whatsapp_message_bad_msi_packages\/?tdu003dkeepreading<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-03-31 17:18:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.theregister.com\">www.theregister.com<\/a><\/p>\n<p>Be careful what you click on. Miscreants are abusing WhatsApp messages in a multi-stage attack that delivers malicious Microsoft Installer (MSI) packages, allowing criminals to control victims&#8217; machines and access all of their data.<\/p>\n<p>The campaign began in late February, we&#8217;re told, and the attack chain starts with a WhatsApp message that delivers malicious Visual Basic Script (VBS) files. 
We&#8217;re not sure exactly how the social engineering part of the scam works &#8211; we&#8217;ve asked Redmond for additional details and will update this story if we receive any.<\/p>\n<p>The Register also reached out to Meta-owned WhatsApp for comment and did not hear back.<\/p>\n<p>But somehow the attacker tricks the message recipient into executing the malicious file on their system. They likely do this using a compromised WhatsApp session so that the message appears to come from one of the victim&#8217;s existing contacts. Or they blast users with a lure that contains a sense of urgency, prompting the recipient to open the file in a rush.<\/p>\n<p>Once it&#8217;s executed, the malicious script creates hidden folders in C:\\ProgramData and drops renamed versions of legitimate Windows utilities &#8211; for example, curl.exe renamed as netapi.dll and bitsadmin.exe as sc.exe.<\/p>\n<p>Using legitimate Windows tools for evil purposes allows attackers to blend in with normal network activity &#8211; defenders call this &#8220;living off the land&#8221; &#8211; but the miscreants did make a mistake in renaming these binaries.<\/p>\n<p>&#8220;Notably, these renamed binaries retain their original PE (Portable Executable) metadata, including the OriginalFileName field which still identifies them as curl.exe and bitsadmin.exe,&#8221; Microsoft&#8217;s researchers wrote in a Tuesday blog. 
&#8220;This means Microsoft Defender and other security solutions can leverage this metadata discrepancy as a detection signal, flagging instances where a file&#8217;s name does&#8230;<\/p>\n<p><a href=\"https:\/\/www.theregister.com\/2026\/03\/31\/whatsapp_message_bad_msi_packages\/?tdu003dkeepreading\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Don&#8217;t open that WhatsApp message, Microsoft warns \u2022 The Register https:\/\/www.theregister.com\/2026\/03\/31\/whatsapp_message_bad_msi_packages\/?tdu003dkeepreading Publish Date: 2026-03-31 17:18:00&#8230;<\/p>\n","protected":false},"author":1,"featured_media":229823,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/regmedia.co.uk\/2021\/09\/01\/shutterstock_whatsapp.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[],"class_list":["post-229822","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/229822"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=229822"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/229822\/revisions"}],"predecessor-version":[{"id":229824,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/229822\/revisions\/229824"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/229823"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp
\/v2\/media?parent=229822"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=229822"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=229822"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}