ManageEngine Endpoint Central and ManageEngine RMM Central are being weaponized as covert backdoors in an active campaign across 11 countries. Attackers deliver obfuscated VBScript through compromised WhatsApp accounts, silently installing the legitimate, signed ManageEngine RMM agent reconfigured to communicate with attacker-controlled servers. Because the agent binary is signed and its network behavior mimics legitimate RMM telemetry, this attack bypasses signature-based AV and many network filtering controls that do not inspect RMM vendor traffic specifically.