VTA-004535 – WhatsApp Desktop for Windows Allows Arbitrary Code Execution Via Malicious PYZ Files
Attackers are exploiting WhatsApp Desktop’s file transfer feature on Windows systems to deliver malicious .pyz (Python zip application) files that execute arbitrary code when the user opens them. The attack relies on the default Windows file association created by the Python installer: opening a .pyz file hands it straight to the Python interpreter, so the code inside the archive runs immediately and without any security warning.
This attack requires no vulnerabilities in WhatsApp itself but rather abuses legitimate functionality combined with Python’s widespread installation among developers, allowing threat actors to embed backdoors, credential harvesters, or ransomware in seemingly legitimate files.
Mitigation requires both technical and user-focused measures: reassociate .pyz files in Windows to open with archive tools (like WinZip) instead of Python to prevent automatic code execution; deploy endpoint protection that blocks unexpected file formats from messaging apps; implement user training to avoid opening unsolicited attachments; and apply strict least-privilege principles to limit potential damage from executed payloads.
Severity:
Medium
Attack Surface:
Endpoint, Endpoint OS, Messaging
Tactics:
Credential Access, Execution, Exfiltration, Initial Access, Lateral Movement, Persistence
Techniques:
T1204.002 – User Execution: Malicious File
T1041 – Exfiltration Over C2 Channel
T1059.006 – Python
T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
References:
1. https://gbhackers.com/users-of-whatsapp-desktop-on-windows-face-code-execution-risk/
SuperPRO’s Threat Countermeasures Procedures:
1. Reassign .pyz file associations in Windows to prevent automatic execution with Python.
2. Implement endpoint protection tools that block execution of unexpected file formats from messaging apps.
3. Educate users to avoid opening unexpected attachments, especially those with .pyz extensions.
4. Scan all WhatsApp file downloads with antivirus software before opening.
5. Monitor for unusual Python process execution or network connections.
6. Restrict user permissions to limit potential damage from executed payloads.
7. Consider disabling WhatsApp file transfers in high-security environments.
8. Apply principle of least privilege to Python installations and user accounts.
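The following PowerShell script is an added example that is not part of the VTA-004535 advisory or its reference; it implements procedures 1 and 5 above. It audits which handler Windows currently binds to .pyz, re-points the machine-wide association to an archive viewer so that opening a .pyz no longer invokes Python, and hunts Security process-creation events (ID 4688) for the Python launcher or interpreter being started with a .pyz argument. Assumptions not taken from the advisory: the script runs in an elevated PowerShell, `$ArchiveViewer` is a placeholder path for whatever archive tool the environment standardises on, `PyzArchive.Inspect` is a ProgID chosen here for illustration, and command-line logging for 4688 has been enabled through audit policy.

```powershell
# Added example (not the advisory's own code): audit, remediate and hunt for .pyz abuse.
# Assumptions: elevated session; $ArchiveViewer is a placeholder path; Security 4688
# events carry command lines ("Include command line in process creation events" enabled).

$ArchiveViewer = 'C:\Program Files\ExampleArchiveTool\viewer.exe'   # placeholder path
$ProgId        = 'PyzArchive.Inspect'                                # ProgID chosen for this example

function Get-PyzAssociation {
    # Resolve .pyz -> ProgID -> shell\open\command from the machine-wide class root.
    $ext = Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.pyz' -ErrorAction SilentlyContinue
    if (-not $ext) { return [pscustomobject]@{ ProgId = $null; Command = $null } }
    $id  = $ext.'(default)'
    $cmd = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$id\shell\open\command" `
            -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{ ProgId = $id; Command = $cmd }
}

function Test-PyzOpensWithPython {
    # True when the open verb hands the file to the Python launcher or interpreter.
    $cmd = (Get-PyzAssociation).Command
    return [bool]($cmd -and ($cmd -match '(?i)\\(py|pyw|python|pythonw)\.exe'))
}

function Set-PyzToArchiveViewer {
    # Register a ProgID whose open verb is the archive viewer, then bind .pyz to it.
    # This sets the machine default only: a per-user UserChoice entry under
    # HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pyz (written by
    # the "Open with" dialog) still takes precedence, so re-audit after deployment.
    $base = "HKLM:\SOFTWARE\Classes\$ProgId\shell\open\command"
    New-Item -Path $base -Force | Out-Null
    Set-ItemProperty -Path $base -Name '(default)' -Value "`"$ArchiveViewer`" `"%1`""
    New-Item -Path 'HKLM:\SOFTWARE\Classes\.pyz' -Force | Out-Null
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\.pyz' -Name '(default)' -Value $ProgId
}

function Find-PyzLaunches {
    # Security 4688 process-creation events where py.exe/python.exe started with a .pyz
    # argument. Parent and user are kept so an analyst can see who opened it and from where.
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = $d['SubjectUserName']
                Process = $d['NewProcessName']
                Parent  = $d['ParentProcessName']
                Command = $d['CommandLine']
            }
        } |
        Where-Object {
            $_.Process -match '(?i)\\(py|pyw|python|pythonw)\.exe$' -and
            $_.Command -match '(?i)\.pyz\b'
        }
}

# Usage: audit first, remediate only if Python currently owns the extension, then hunt.
$assoc = Get-PyzAssociation
"Current .pyz handler: $($assoc.ProgId) -> $($assoc.Command)"
if (Test-PyzOpensWithPython) {
    Set-PyzToArchiveViewer
    "Rebound .pyz to $ProgId ($ArchiveViewer)"
}
Find-PyzLaunches -Hours 72 | Format-Table -AutoSize
```

Two points worth checking when rolling this out. First, on Windows 10 and 11 a user who has ever picked a handler through the "Open with" dialog has a per-user UserChoice entry that overrides the HKLM default; for fleet-wide enforcement, push the association through Group Policy or a default-associations XML rather than relying on this registry edit alone, and confirm the result with `Get-PyzAssociation`. Second, the Python installer also registers the windowless sibling extension .pyzw (handled by pythonw.exe, so nothing visible appears when it runs); the advisory does not mention it, but the same association and hunting logic applies to it with the extension swapped.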
Contributed by: Anas