CERT-In Flags Major Malware Campaign Targeting WhatsApp Web and Desktop Users
India's Computer Emergency Response Team (CERT-In), the country's top cybersecurity watchdog under the Ministry of Electronics and Information Technology, has issued a fresh advisory urging WhatsApp Web and Desktop users to be on guard against a widespread malware campaign currently circulating on the platform.
What's Happening
According to the advisory dated June 25, attackers are spreading malicious Visual Basic Script (VBS) files through direct messages on WhatsApp, specifically targeting people using the web and desktop versions of the app. The warning follows research from cybersecurity firm Kaspersky and its threat-intelligence platform Securelist, which found that attackers are hijacking existing WhatsApp accounts to push these files out to unsuspecting contacts.
Because the messages appear to come from people the victim already knows and trusts — friends, colleagues, or family members — the chances of someone opening the file without suspicion go up significantly. Researchers also noted that the malicious files are localized into multiple languages, including English, Portuguese, French, German, and Malay, pointing to an operation designed to reach victims across many regions at once. The scripts themselves are reportedly dressed up with detailed comments and metadata designed to make them look like genuine Microsoft Windows Update files, making them harder to spot as malicious.
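For defenders who want to check a folder of received attachments for the kind of file described above, the following Python script is an added example, not code from CERT-In, Kaspersky or WhatsApp. It flags any file type that Windows Script Host executes and marks .vbs files whose comments claim to be Windows Update; the folder to scan, the "Windows Update" wording and the function names are assumptions made for the example.

```python
import codecs
import re
import sys
from pathlib import Path

# File types that Windows Script Host runs when double-clicked.
WSH_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}

# Assumed lure wording: the advisory only says the scripts imitate Windows Update files.
LURE = re.compile(r"windows\s+update", re.IGNORECASE)


def read_script(path, limit=65536):
    """Decode the start of a script, handling the UTF-16 BOM common in Windows-authored files."""
    raw = path.read_bytes()[:limit]
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8-sig", errors="replace")


def vbs_comments(text):
    """Yield the text of whole-line VBScript comments (' or Rem)."""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("'"):
            yield stripped[1:]
        elif stripped[:4].lower() == "rem ":
            yield stripped[4:]


def triage(folder):
    """Return (file name, reasons) for every script-host file under folder."""
    findings = []
    for path in sorted(Path(folder).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in WSH_EXTENSIONS:
            continue
        reasons = ["runs in Windows Script Host"]
        # Only plain .vbs is inspected; .vbe is encoded, so its comments are not readable.
        if path.suffix.lower() == ".vbs":
            if any(LURE.search(c) for c in vbs_comments(read_script(path))):
                reasons.append("comments claim to be Windows Update")
        findings.append((path.name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in triage(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{name}: {'; '.join(reasons)}")
```

A hit means the file deserves a second look before anyone opens it, not that it is confirmed malicious; legitimate administrative scripts will also be listed.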
Why This Matters
This advisory comes shortly after CERT-In tightened security compliance rules for device manufacturers — including phone and computer makers — on June 10, in response to a rise in AI-driven cyberattacks. The latest warning underscores that even trusted communication channels like WhatsApp are increasingly being weaponized through compromised accounts rather than obviously fake ones, making traditional "look out for strangers" advice less reliable.
If a malware attack like this succeeds, CERT-In warns it could give cybercriminals remote access to a victim's device, allow them to steal login credentials for fraud, deploy further malicious software, spread the infection across a connected network, and ultimately cause financial and operational damage.
How to Protect Yourself
CERT-In has laid out a set of precautions for WhatsApp users:
- Don't open attachments you weren't expecting — especially ones disguised as invoices, payment receipts, account statements, or other financial documents — even if they appear to come from someone you know.
- If a message or file feels off, call or message the sender separately to confirm they actually sent it before opening anything.
- Treat any message that seems unusual or out of character for the sender as a red flag.
- Avoid clicking on links in unexpected or unfamiliar messages, and double-check shortened or unrecognizable URLs before visiting them.
With attackers now routing malware through hijacked accounts of people users already trust, CERT-In's core message is simple: familiarity is no longer a reliable signal of safety. Verifying before clicking has become essential, regardless of who the message appears to come from.