Beware: Fake WhatsApp MSI Installer Spreads Modified XWorm RAT

Cybersecurity teams in East and Southeast Asia are facing a new and advanced threat: attackers linked to China are distributing a malicious MSI installer disguised as a genuine WhatsApp setup file.

This campaign marks a serious escalation in social engineering tactics, using the familiarity and trust of the popular messaging app to breach both corporate and personal devices. 

The attackers are demonstrating a high level of technical skill with a complex, multi-step process for deploying malware and compromising systems. The campaign begins with trojanized MSI files crafted to closely resemble real WhatsApp installation packages. 

Broadcom researchers have flagged this operation as highly concerning due to its targeted approach and the advanced techniques used to bypass standard security tools. The malware includes encrypted shellcode hidden within what appear to be regular image files, making it difficult for traditional antivirus programs to detect. 

When run, the fake installer uses PowerShell scripts to establish persistence through scheduled tasks. This allows the malware to remain active even after the infected system is restarted. 
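As an added defender's example (not code from the article, Broadcom or Symantec), the script below triages exported Task Scheduler XML definitions for the kind of PowerShell-based persistence described above: hidden or encoded PowerShell invocations, payloads under user-writable paths, and logon/boot triggers. The two task definitions are constructed samples, and the indicator patterns are general assumptions rather than indicators from this campaign.

```python
# Added example: triage Task Scheduler XML exports (schtasks /query /xml or
# Export-ScheduledTask) for PowerShell persistence. Samples below are constructed.
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumed indicator patterns: encoded/hidden/bypass PowerShell flags and
# script locations a normal admin task would rarely use.
SUSPICIOUS_ARGS = re.compile(
    r"-(enc|encodedcommand|e)\b|-w(indowstyle)?\s+hidden|-(ep|executionpolicy)\s+bypass",
    re.IGNORECASE,
)
USER_WRITABLE = re.compile(
    r"%appdata%|%localappdata%|%temp%|\\users\\[^\\]+\\appdata\\|programdata",
    re.IGNORECASE,
)

def triage_task(task_xml: str) -> dict:
    """Return the task's Exec command/arguments and the reasons it looks suspicious."""
    root = ET.fromstring(task_xml)
    cmd = root.findtext(".//t:Actions/t:Exec/t:Command", default="", namespaces=NS)
    args = root.findtext(".//t:Actions/t:Exec/t:Arguments", default="", namespaces=NS)
    reasons = []
    if re.search(r"powershell(\.exe)?$|pwsh(\.exe)?$", cmd.strip(), re.IGNORECASE):
        if SUSPICIOUS_ARGS.search(args):
            reasons.append("powershell launched with encoded/hidden/bypass flags")
        if USER_WRITABLE.search(args):
            reasons.append("script or payload under a user-writable path")
    triggers = root.find("t:Triggers", NS)
    # A logon/boot trigger only matters once the action itself looks wrong.
    if reasons and triggers is not None and any(
        t.tag.endswith(("LogonTrigger", "BootTrigger")) for t in triggers
    ):
        reasons.append("re-runs at logon/boot (persistence)")
    return {"command": cmd, "arguments": args, "reasons": reasons}

# Constructed sample: fake "WhatsApp" updater task re-launching a hidden script at logon.
MALICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions><Exec><Command>powershell.exe</Command>
    <Arguments>-nop -w hidden -ep bypass -File %APPDATA%\WhatsApp\update.ps1</Arguments>
  </Exec></Actions></Task>"""

# Constructed sample: an ordinary scheduled maintenance script.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
    <Arguments>-File C:\Scripts\rotate-logs.ps1</Arguments>
  </Exec></Actions></Task>"""

if __name__ == "__main__":
    for name, xml in (("malicious", MALICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(name, triage_task(xml)["reasons"])
```

Only tasks whose action is actually PowerShell are scored, so a task that runs a different binary with the same arguments is not flagged here.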

The final stage of the attack involves a modified version of the XWorm Remote Access Trojan. This variant includes added functions that specifically check for Telegram installations, suggesting the attackers may be interested in monitoring messaging activity, possibly for espionage or further manipulation. 

The operation also includes a sophisticated command-and-control system that uses Telegram as a communication channel, blending malicious activity with legitimate network traffic to avoid detection. 

The method of infection uses advanced techniques such as steganography, where harmful code is hidden within the pixels of image files. These shellcode loaders only activate the encrypted payload when specific conditions are met, making analysis more difficult for cybersecurity teams. 

Symantec has detected several indicators of this threat, including Trojan.Gen.MBT and heuristic flags such as the Heur.AdvML.A series, confirming the malware’s advanced evasion strategies. 
