An active malware campaign is exploiting hijacked WhatsApp accounts to deliver remote administration software through messages that appear to come from trusted contacts, according to a report by Security Affairs — exposing a significant gap in how organisations defend against threats arriving through encrypted personal messaging platforms.

The attack chain begins when an attacker takes over a real WhatsApp account, typically through social engineering (for example, tricking the owner into handing over a login verification code) or by reusing access obtained in an earlier compromise. From that account, the attacker messages the hijacked owner's contacts with fraudulent debt notices or financial claims, each carrying a malicious attachment or link. The recipients see a familiar name and number, which is the whole point.

Legitimate Tools, Malicious Intent

What distinguishes this campaign is its deliberate choice to deploy well-known remote management (RMM) applications rather than custom-built malware. This is a cousin of the "living off the land" approach: instead of abusing binaries already present on the host, the attacker brings in commercial tools that defenders already trust. Because these tools are used daily by IT administrators for legitimate support, they carry valid code-signing certificates, often sit on approved-software allowlists, and, since the binary itself is benign, raise no signature-based antivirus alert. The malice is in who installed the tool and why, not in the file.

Once the victim opens the lure and the remote access tool installs, the attacker has interactive control of the machine at whatever privilege level the victim held; where the user is a local administrator, that is the same access an IT helpdesk technician would have. From that foothold, lateral movement within the network, data exfiltration, or deployment of additional payloads requires no further exploit.

The campaign remains active, according to the report.

The Encryption Blind Spot

The attack also highlights a structural limitation of end-to-end encryption as a defensive mechanism. Encryption is designed precisely so that nobody but the two endpoints can read a message, and that includes the organisation's own firewalls and secure web gateways, even those that terminate TLS for inspection. Email security filters, meanwhile, are not in the path at all. The content of a WhatsApp message is visible only on the endpoint, so the endpoint is the only place detection can happen.

This creates what security teams might call a "trusted channel blind spot." Corporate email defences, which remain the primary perimeter control for most organisations, simply never see a malicious message that arrives on an employee's personal phone or in a desktop WhatsApp client on a corporate workstation.

Why This Matters for IT Teams

For technology professionals responsible for endpoint protection and security awareness, this campaign carries several practical implications:

Trust is the attack surface. The most effective phishing is no longer a poorly written email from an unknown sender. WhatsApp's encryption authenticates the account, not the person typing, so a message from a colleague's real number, referencing a plausible financial matter, inherits all of that colleague's credibility. Neither users nor automated systems have a reliable signal that the sender is not who they appear to be.

Allowlisting policies need scrutiny. If your organisation permits remote management tools on endpoints, check whether application control is granular enough to tell an IT-deployed copy from one a user installed after reading a message. A publisher-based allow rule passes both, because both binaries carry the vendor's valid signature; rules keyed on install path, deploying process, or the file hash of the approved version do not. Restricting installation privileges and requiring an approval workflow for remote access software closes the gap.

Endpoint detection and response (EDR) matters more than ever. Because the payload is a signed, legitimate tool, detection has to rest on behaviour rather than signatures: a remote management binary appearing in a user profile directory, its installer spawned by a messaging client or browser, a first-ever outbound connection to a remote-support relay from a host that has never run such a tool, or unusual process activity following the install.
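As an added illustration of the two points above (application control that distinguishes IT-deployed from user-installed tools, and behaviour-based triage of RMM launches), the following Python is not code from the Security Affairs report or from any RMM vendor. The watchlist of binaries, the deployment-agent name, the list of "delivery" parent processes, and the sample events are all assumptions constructed for the example; they say nothing about which tools this campaign used. The check deliberately never lets a valid signature count in a tool's favour, because a valid signature is exactly what the attacker is relying on.

```python
import re
from dataclasses import dataclass, field

# Assumed watchlist of remote-management binaries. Illustrative names only,
# not a statement of which tools this campaign delivered.
RMM_BINARIES = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe"}

# Assumed: the parent processes through which IT is allowed to install software.
DEPLOYMENT_PARENTS = {"ccmexec.exe"}

# Assumed: parents that mean a user clicked something they received.
DELIVERY_PARENTS = {"whatsapp.exe", "explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(appdata|downloads|desktop)\\", re.I)
PROGRAM_FILES = re.compile(r"^[a-z]:\\program files( \(x86\))?\\", re.I)
SYSTEM_ACCOUNT = "nt authority\\system"


@dataclass
class ProcessEvent:
    image: str      # full path of the newly created process
    parent: str     # image name of the parent process
    user: str       # account the process runs as
    signed: bool    # Authenticode signature verified by the sensor


@dataclass
class Finding:
    verdict: str                 # "ignore" | "it_deployed" | "review" | "user_installed"
    reasons: list = field(default_factory=list)


def classify(ev: ProcessEvent) -> Finding:
    """Decide whether an RMM launch looks like IT deployment or a user install."""
    name = ev.image.rsplit("\\", 1)[-1].lower()
    if name not in RMM_BINARIES:
        return Finding("ignore")

    in_program_files = bool(PROGRAM_FILES.match(ev.image))
    parent = ev.parent.lower()
    reasons = []

    # A valid signature is the norm for commercial RMM software, so it is
    # recorded for the analyst but never counts in the tool's favour.
    if ev.signed:
        reasons.append("valid signature (expected; not evidence of IT deployment)")

    # The only path to "approved": installed where IT installs, by IT's agent.
    if in_program_files and parent in DEPLOYMENT_PARENTS:
        return Finding("it_deployed", reasons)

    # Signals that the user, not IT, put the tool on the box.
    if USER_WRITABLE.match(ev.image):
        reasons.append("binary lives in a user-writable profile path")
    if parent in DELIVERY_PARENTS and not in_program_files:
        reasons.append(f"launched by {ev.parent} rather than a deployment agent")
    if ev.user.lower() != SYSTEM_ACCOUNT and not in_program_files:
        reasons.append("runs as an interactive user outside Program Files")

    strong = [r for r in reasons if not r.startswith("valid signature")]
    return Finding("user_installed" if strong else "review", reasons)


def triage(events):
    """Group events by verdict; returns {verdict: [image basenames]}."""
    out = {}
    for ev in events:
        f = classify(ev)
        if f.verdict == "ignore":
            continue
        out.setdefault(f.verdict, []).append(ev.image.rsplit("\\", 1)[-1])
    return out


# Constructed sample telemetry (not real captures), shaped like an EDR
# process-creation event after field extraction.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\TeamViewer\TeamViewer.exe", "ccmexec.exe", r"NT AUTHORITY\SYSTEM", True),
    ProcessEvent(r"C:\Users\alice\AppData\Local\AnyDesk\AnyDesk.exe", "WhatsApp.exe", r"CORP\alice", True),
    ProcessEvent(r"C:\Users\bob\Downloads\rustdesk.exe", "msedge.exe", r"CORP\bob", True),
    ProcessEvent(r"C:\Program Files\TeamViewer\TeamViewer.exe", "explorer.exe", r"CORP\carol", True),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", "explorer.exe", r"CORP\carol", True),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        f = classify(ev)
        if f.verdict != "ignore":
            print(f"{f.verdict:15} {ev.image}")
            for r in f.reasons:
                print(f"{'':15}   - {r}")
```

The fourth sample event is the interesting one: a copy of the tool in Program Files launched by the user lands in "review" rather than "user_installed", because the location is right but nothing proves IT put it there. That is the case an allowlist keyed only on publisher would wave through; the analyst should confirm it against deployment records rather than the signature.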

Awareness training should cover personal messaging channels. Security awareness programmes that focus exclusively on email phishing miss the growing volume of social engineering attacks arriving through WhatsApp, Telegram, Signal, and similar platforms.

The campaign serves as a reminder that the most dangerous attacks often do not exploit software vulnerabilities at all. They exploit people — and the trusted relationships between them.
