India's national cybersecurity watchdog has issued an advisory warning WhatsApp Web and Desktop users about a widespread malware campaign that could allow attackers to gain unauthorised access to their devices and compromise sensitive data.
The Indian Computer Emergency Response Team (CERT-In) cautioned users to be wary of attachments shared over the platform, even when they appear to come from known contacts such as friends, family or colleagues.
"It has been observed that a large-scale malware distribution campaign is targeting WhatsApp Desktop and WhatsApp Web users. The campaign distributes malicious Visual Basic Script (VBScript) files through direct messages on the platform," CERT-In said in the note, dated June 25.
The advisory, based on findings from cybersecurity firms Kaspersky and Securelist, said attackers are exploiting WhatsApp accounts that have already been compromised to push malicious files directly to victims' existing contacts, which makes the messages look credible and raises the chances of the attack succeeding.
"WhatsApp is a cross-platform instant messaging application that enables users to exchange messages, files, images, videos and other content across desktop and web platforms. Attackers use previously compromised WhatsApp accounts to send malicious VBScript (vbs) files to existing contacts. Because the messages originate from trusted contacts, recipients may be more inclined to open the attachment," CERT-In said.
ALSO READ: Elon Musk Unveils Grok 4.5 Private Beta, Claims AI Rivals Claude Opus
According to the advisory, if the malware is executed successfully, it can give cybercriminals remote access to the infected device, allowing them to steal login credentials for fraudulent use, install further malicious software, spread the infection across the victim's network, and disrupt business operations, leading to financial losses.
"Do not open attachments you were not expecting, even if they come from a friend, colleague, or family member," CERT-In said.
The agency recommended that users verify suspicious attachments by calling or messaging the sender directly to confirm whether the file was sent intentionally. "If the sender's message seems unusual or out of character, treat it as suspicious," it added.
This is not CERT-In's first move on the cybersecurity front this month. On June 10, the agency had tightened security compliance norms for original equipment manufacturers, including makers of mobile phones and computers, citing a rise in AI-driven cyberattacks.
(With PTI inputs)
ALSO READ: Google Puts Brakes On Meta's Gemini AI Usage Over Capacity Shortfall
Essential Business Intelligence, Sharp Market Insights, Practical Personal Finance Advice, Daily Fuel, Gold and Silver Prices and Latest Stories — On NDTV Profit.
