Malaysia's cybersecurity authority MyCert has issued an urgent warning to residents about an active malware campaign spreading through WhatsApp Web and Desktop, in which attackers target Windows computers through social engineering. The threat actors distribute the malware by exploiting user trust: they send messages carrying malicious files disguised as routine business documents such as legal notices, debt acknowledgements, and financial statements.

The scam hinges on file disguise and deception. Perpetrators are circulating Visual Basic Script (.vbs) files under innocuous names including "Acknowledgment of Debt.vbs", "Sila semak bil anda.vbs", "December statement of account.vbs", and "Reconciliation.vbs". At first glance, these filenames suggest standard PDF documents that any business person might routinely receive and open without suspicion. The .vbs extension, however, reveals their true nature: they are executable script files, not static documents.

When an unsuspecting user opens these files, the consequences are immediate and severe. The script automatically executes without further user interaction, initiating a multi-stage infection process that compromises the entire system. The malware installs a Remote Access Trojan, commonly abbreviated as RAT, which establishes a persistent backdoor on the infected machine. This gives attackers complete remote control capabilities, allowing them to view the screen, manipulate files, and execute commands as if they were physically present at the computer. Critically, the RAT maintains its grip even after system reboots, making it difficult for casual users to dislodge.
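The lure described above (a script extension behind a document-sounding name) can be checked mechanically before anyone double-clicks. The following is an added example written for this article, not code from MyCert or the advisory: it triages attachment filenames using the four names quoted above as constructed input, and the extension lists and lure-word pattern are the editor's assumptions rather than anything published by MyCert.

```python
import re

# Extensions the Windows shell hands to the script host on double-click.
# Assumption (editor's list, not from the advisory): .vbs is the one this
# campaign uses; the others are common siblings worth treating the same way.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}

# Wording taken from the lure filenames quoted in the advisory (English and Malay).
LURE_WORDS = re.compile(
    r"acknowledg|debt|statement|account|reconciliation|bil\b|sila semak|invoice",
    re.IGNORECASE,
)

def split_filename(name):
    """Return (stem, [extensions]) for a bare name or a Windows/POSIX path."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.split(".")
    return parts[0], ["." + p.lower() for p in parts[1:]]

def classify_attachment(name):
    """Classify one attachment filename as 'allow', 'review' or 'block'."""
    stem, exts = split_filename(name)
    reasons = []
    if exts and exts[-1] in SCRIPT_EXTENSIONS:
        reasons.append("executes via Windows Script Host: " + exts[-1])
        if len(exts) > 1 and exts[-2] in DOCUMENT_EXTENSIONS:
            reasons.append("double extension hides script behind " + exts[-2])
        if LURE_WORDS.search(stem):
            reasons.append("document-style lure wording in name")
        return {"name": name, "verdict": "block", "reasons": reasons}
    if LURE_WORDS.search(stem) and (not exts or exts[-1] not in DOCUMENT_EXTENSIONS):
        reasons.append("lure wording with unexpected extension")
        return {"name": name, "verdict": "review", "reasons": reasons}
    return {"name": name, "verdict": "allow", "reasons": reasons}

# Constructed sample: the four names quoted in the advisory plus benign controls.
SAMPLE_ATTACHMENTS = [
    "Acknowledgment of Debt.vbs",
    "Sila semak bil anda.vbs",
    "December statement of account.vbs",
    "Reconciliation.vbs",
    "December statement of account.pdf",
    "holiday photo.jpg",
]

def triage(names):
    """Return the classifications of names that should be reported, not opened."""
    return [r for r in map(classify_attachment, names) if r["verdict"] != "allow"]

if __name__ == "__main__":
    for r in triage(SAMPLE_ATTACHMENTS):
        print(r["verdict"].upper(), r["name"], "->", "; ".join(r["reasons"]))
```

A genuine statement arriving as a .pdf passes, while every script-extension name is blocked regardless of how ordinary its stem looks, which is the property a mail or chat gateway filter wants.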

The sophistication of this particular threat extends beyond simple data theft. Once installed, the malware systematically disables security prompts and warnings that normally alert users to suspicious activity. Operating silently in the background, it captures sensitive information as users type or view it on their screens. This keystroke logging capability means that banking credentials, personal identification numbers, one-time passwords used for online banking authentication, and other confidential data are harvested without the user's knowledge. The malware actively evades detection mechanisms, remaining invisible to conventional antivirus scanning tools, which means infected users may continue operating their computers for days or weeks without realising they have been compromised.

For Malaysian users accustomed to receiving frequent WhatsApp messages in business and personal contexts, this threat presents a particular risk. The familiarity of WhatsApp as a trusted communication platform makes users more likely to lower their guard when receiving file attachments through it. Additionally, the use of Malay language filenames such as "Sila semak bil anda" (Please check your bill) demonstrates that attackers are specifically targeting the local market and tailoring their approach to language and cultural business practices common in Malaysia.

MyCert's guidance emphasises prevention as the primary defence mechanism. Users should refrain from opening or executing any files of uncertain origin, particularly those arriving unexpectedly through messaging platforms. Equally important is avoiding confirmation replies to senders, as responding signals to attackers that the phone number is active and potentially receptive, likely increasing the frequency of future malicious messages. The organisation strongly advises reporting suspicious messages directly through WhatsApp's built-in reporting feature and simultaneously filing a formal complaint with MyCert via the Cyber999 email address, providing screenshots, timestamps, and sender details for investigation and threat tracking purposes.

For those who fear they may have already opened such a file, immediate action is essential. The infected device should be disconnected from the internet without delay to sever the attacker's remote connection and prevent further data exfiltration. Corporate users must simultaneously notify their organisation's IT department, as network-connected devices represent potential entry points for broader compromise. Users should then assume all passwords, PINs, and sensitive credentials entered on that machine are now exposed and must be changed using a different, clean device. Any account accessible from the compromised computer—email, banking, social media, cryptocurrency wallets—requires immediate password replacement.

Standard antivirus removal approaches typically prove insufficient against this threat. Most conventional security software fails to detect or eliminate the installed RAT because these tools may not be updated with signatures for the latest variants, or the malware's obfuscation techniques evade pattern matching. MyCert recommends engaging professional cybersecurity specialists who possess forensic tools and expertise to comprehensively identify, isolate, and remove the malware. A professional remediation approach also provides greater certainty that all traces of the infection have been eliminated, whereas a user operating alone risks leaving the RAT active while believing the system is now clean.

The broader implications for Malaysia's cybersecurity landscape are noteworthy. This campaign demonstrates how attackers are increasingly tailoring threats to specific geographic and linguistic populations, moving beyond generic global malware distribution. The WhatsApp platform's ubiquity across Southeast Asia makes it an attractive delivery vector, and the use of region-specific document types and language suggests systematic reconnaissance and targeting of Malaysian business users and individuals. This threat aligns with a pattern of malware campaigns becoming more sophisticated and targeted rather than merely opportunistic.

Users who believe they have been targeted or infected should preserve all evidence of the attack, including the original message, any links provided, and their best estimate of when the infection occurred. This information should be reported to MyCert through official channels to contribute to the organisation's threat intelligence and help defend the broader Malaysian population against evolving cyber threats.