Zalo Flagged as Dangerous by Windows Defender: A Call for Calm and Cybersecurity Perspective
- 16/09/2025
On the morning of September 13, 2025, many Vietnamese users were surprised to receive a notification from Windows Defender identifying the executable file Zalo.exe as malware.
Specifically, Microsoft’s system flagged the file with labels such as “Trojan:Script/Wacatac.C!ml” or “Trojan:Win32/Wacatac”, and immediately quarantined it. As a result, users could no longer log in or use the Zalo PC application as usual.
The incident quickly spread across both the tech community and general users. On social media, numerous comments reflected widespread confusion: many rushed to uninstall the app, while others expressed concern about potential personal data leaks.
To gain a more balanced and objective perspective, let’s analyze this incident from three angles: technical, media, and technological processes.
Source: 24h News
1. Technical perspective: False positive detection likely
This is most likely a false positive, that is, an incorrect detection by antivirus software.
Windows Defender combines signature-based detection with behavioural analysis and machine-learning classification. The "!ml" suffix in "Trojan:Script/Wacatac.C!ml" marks a verdict from the machine-learning component rather than an exact signature match, and Wacatac is a generic family label rather than the name of one specific piece of malware. After a definition or model update the decision boundary shifts, and legitimate applications occasionally land on the wrong side of it.
In the case of Zalo PC, the Wacatac label is usually attached to behaviours the engine deems "suspicious", such as:
- Automatically running at Windows startup
- Establishing background network connections
- Making changes to system files or the registry
However, suspicious ≠ malicious unless supported by verified evidence; a messaging client legitimately does all three.
In fact, not all users running the same version of Windows Defender saw this warning, while other security products (Kaspersky, Bitdefender, ESET, Norton, etc.) reported nothing unusual about the same file. This strongly suggests the issue stems from a recent Microsoft definition or classifier update rather than from Zalo itself being compromised. A genuinely tampered Zalo.exe would normally carry a different hash and fail the publisher's code-signature check, so that check is the first thing to verify before drawing conclusions.
2. Media perspective: Beware of viral misinformation
With an app serving tens of millions of users in Vietnam, any security-related report can quickly spiral into a media storm.
Immediately after the Windows Defender warning, forums, Facebook groups, and TikTok were flooded with posts claiming “Zalo is infected with a virus” or “Zalo PC contains malware.” This fueled further panic among users.
Yet, no evidence from regulators or independent cybersecurity organizations has confirmed that Zalo was hacked or spreading malware. Jumping to premature conclusions risks damaging trust in a major local platform.
This highlights important lessons in cybersecurity communication:
- Users should be cautious with unverified information.
- Companies must respond promptly, clearly, and transparently to avoid an erosion of public confidence.
3. Technological perspective: The “mismatch” between app and OS
This incident also reflects a process issue: how an application is built and packaged interacts with how the operating system's security engine inspects it.
Even minor changes in packaging, executable compression, the installer framework, or the way the program launches or updates itself can change the static and behavioural features an antivirus classifier scores, and sometimes that is enough to tip a legitimate build into a false alarm.
Typically, software publishers reduce this risk by:
- Signing every release with a code-signing certificate and testing each build against the major antivirus engines before shipping
- Submitting builds to vendors' false-positive and whitelisting programmes, including Microsoft's file-submission process for Defender
- Re-testing and resubmitting immediately whenever packaging or execution methods change
If any step is skipped, a release may be flagged as unsafe by Windows Defender or similar tools. This has happened before with many legitimate programs, not just Zalo.
What should users do if Zalo PC is flagged?
At present, there is no evidence that Zalo PC is actually infected with malware. Still, caution is advised:
- Temporarily stop using Zalo PC while it is flagged by Windows Defender; do not simply add an exclusion or switch off real-time protection to get around the warning
- Update both Windows (including Defender definitions) and Zalo to the latest versions
- Contact Zalo's support team for official clarification
- Avoid rushing to uninstall the app, especially if important data is stored within
- Do not spread unverified claims online, to prevent unnecessary panic
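The false-positive reasoning in section 1 and the checklist above both come down to the same few verifiable facts: what Defender actually detected, whether the binary on disk still carries a valid publisher signature, and which definition version produced the verdict. The following PowerShell triage script is an added example written for this page; it is not from the WhiteHat article and not Zalo's or Microsoft's own tooling. It assumes the built-in Defender PowerShell module (Windows 10/11) and that Zalo PC is installed at the per-user path in $ZaloExe, which is an assumption you should adjust if your installation differs.

```powershell
# Added triage example (not from the article, Zalo, or Microsoft).
# Assumption: Zalo PC installed per-user under %LOCALAPPDATA%; change if needed.
$ZaloExe = Join-Path $env:LOCALAPPDATA 'Programs\Zalo\Zalo.exe'

# 1. What did Defender detect, when, and what did it do with the file?
#    Only detection records whose resources mention Zalo are shown.
Get-MpThreatDetection |
    Where-Object { $_.Resources -match 'Zalo' } |
    Select-Object InitialDetectionTime, ThreatID, ActionSuccess, CleaningActionID, Resources |
    Format-List

# 2. The threat record itself: is it still active, and how severe does Defender rate it?
Get-MpThreat |
    Where-Object { $_.ThreatName -like '*Wacatac*' } |
    Select-Object ThreatName, SeverityID, IsActive, DidThreatExecute |
    Format-List

# 3. Is the binary on disk still the one the publisher signed?
#    Status must be 'Valid'; anything else (NotSigned, HashMismatch, ...) needs explaining.
if (Test-Path $ZaloExe) {
    $sig = Get-AuthenticodeSignature -FilePath $ZaloExe
    [pscustomobject]@{
        File   = $ZaloExe
        Status = $sig.Status
        Signer = $sig.SignerCertificate.Subject
        SHA256 = (Get-FileHash -Path $ZaloExe -Algorithm SHA256).Hash
    } | Format-List
} else {
    Write-Warning "Zalo.exe not found at $ZaloExe (quarantined, or installed elsewhere?)"
}

# 4. Which definition version raised the alert? Compare with a machine that did NOT alert.
Get-MpComputerStatus |
    Select-Object AntivirusSignatureVersion, AntivirusSignatureLastUpdated |
    Format-List

# 5. Only after the signer and hash check out (ideally after a vendor statement):
#    refresh definitions and restore the quarantined file. Do not add a blanket
#    exclusion, which would also silence any future, possibly real, detection.
#    Update-MpSignature
#    & "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -Restore -ListAll
#    & "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -Restore -FilePath $ZaloExe
```

Run it from an elevated PowerShell prompt; the Get-Mp* cmdlets and MpCmdRun.exe need administrative rights to read detection history and restore quarantined items. The SHA-256 hash is what you would compare against the value Zalo publishes or submit to a multi-engine scanner, and the definition version is what lets you tell a definition-update false positive apart from a changed binary.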
Conclusion: Stay calm, but stay alert
The case of Zalo being flagged by Windows Defender illustrates the complex relationship between applications and security systems.
- For users: remain calm, follow official updates, and take basic security precautions.
- For Zalo developers: coordinate quickly with Microsoft to identify the root cause, while communicating openly to maintain trust.
- For the tech community: use this as a chance to raise awareness about distinguishing between "suspected issues" and "confirmed attacks."
In today’s increasingly complex cybersecurity landscape, a combination of transparent communication, solid technology, and informed users is key to overcoming incidents like this in the future.
(Source: WhiteHat)