Hackers Hijack WhatsApp Web Sessions to Launch CEO Fraud Through DLL Sideloading
Indian cybercrime authorities have warned companies about a “Boss Scam” that hijacks WhatsApp Web sessions and uses real executive accounts to order fraudulent money transfers.
The attack combines executive impersonation, malicious ZIP files, Windows malware, and DLL sideloading. Once attackers compromise a senior official’s Windows device, they can take over an active WhatsApp Web session and message finance employees from the executive’s real account.
The warning comes from the official PIB advisory, which says the Indian Cyber Crime Coordination Centre, or I4C, observed the trend in attacks targeting high-ranking officials and executives.
How the WhatsApp Boss Scam works
The campaign starts with a message sent by email or WhatsApp. Attackers impersonate regulators or official bodies and claim the company must respond urgently to a compliance issue, security update, or regulatory violation.
The message includes a compressed ZIP archive. The archive contains a Windows executable file and a DLL file, which together launch the malware when the victim extracts and runs the payload.
The I4C advisories page lists the threat as “Regulatory and Executive Impersonation for WhatsApp Account Takeover using Malicious Windows Executables and High value financial fraud.”
| Attack stage | What attackers do | Business impact |
|---|---|---|
| Regulatory lure | Impersonate a regulator or urgent compliance authority | Pressures executives into acting quickly |
| Malicious ZIP | Send an archive containing an EXE and DLL file | Moves the attack from messaging into endpoint compromise |
| DLL sideloading | Use Windows DLL loading behavior to run malicious code | Helps the malware avoid simple detection |
| WhatsApp Web hijack | Steal active session tokens from the executive’s device | Lets attackers message staff from a trusted account |
| Payment fraud | Order urgent transfers to mule bank accounts | Can cause immediate financial loss |
The attack targets executive trust
This scam works because finance teams often trust direct messages from senior leaders. When a payment request appears inside an executive’s real WhatsApp account, employees may treat it as genuine.
The attack also bypasses many email-focused controls. A malicious file may arrive through WhatsApp, while the fraudulent payment instruction may come later through a hijacked WhatsApp Web session.
The PIB release says attackers use access to the executive’s real WhatsApp account to contact accounts or finance employees and instruct them to make immediate payments to mule accounts.
Why DLL sideloading matters
DLL sideloading abuses the way Windows applications load dynamic-link libraries. If an application loads a DLL by name without a full path, Windows searches specific folders to find the file.
Microsoft’s documentation on dynamic-link library search order explains that if an attacker controls one of the searched directories, the attacker can place a malicious DLL in that location.
In this campaign, the ZIP archive contains an executable and a DLL. When the executable runs, the malicious DLL can load in the background and help the attacker establish a foothold on the Windows device.
- The payload arrives as a compressed ZIP archive.
- The victim extracts and runs a Windows executable.
- The executable loads a malicious DLL placed near it.
- The malware targets active WhatsApp Web session data.
- Attackers use the hijacked account to order fraudulent transfers.
WhatsApp Web session takeover changes the risk
The attackers do not need to steal the executive’s phone. They target active WhatsApp Web sessions on the compromised Windows desktop or laptop.
WhatsApp’s own guidance on unlinking a device tells users to open WhatsApp on the primary phone, go to Linked devices, select a device, and log it out.
That linked-device model is useful for work, but it also gives attackers a target. If malware can hijack an active session, the attacker may use the executive’s account without asking for a fresh phone login.
A second variant manipulates contacts
I4C also described another version of the scam. If attackers gain deeper control of the device, they can modify contacts and save an attacker-controlled number under the CEO’s name.
This gives the criminal a backup path. Even if the WhatsApp Web session gets closed, a finance employee may still receive instructions from a number that appears to belong to the executive.
The I4C advisory listing confirms that the campaign includes malicious Windows executables, WhatsApp account takeover, and high-value financial fraud.
| Variant | Technique | Why it works |
|---|---|---|
| WhatsApp Web hijack | Steals active session tokens from the executive’s Windows device | Messages appear from the real executive account |
| Contact manipulation | Saves a scammer-controlled number under the CEO’s name | Employees may trust the displayed contact name |
| Regulatory impersonation | Claims a regulator requires urgent compliance action | Creates panic and reduces normal verification |
Recent cases show the financial damage
Separate media reports show how quickly similar WhatsApp impersonation attacks can cause large losses. The Economic Times reported that two Indian companies lost nearly ₹3.5 crore after employees opened malicious ZIP files and followed WhatsApp transfer instructions.
In one reported case, an aluminium trading firm lost ₹1.98 crore. In another, a jewellery design firm lost ₹1.5 crore after attackers allegedly used WhatsApp impersonation to push urgent payment requests.
The Economic Times report said cyber police later launched awareness efforts and urged companies to verify financial instructions through multiple channels.
This is CEO fraud beyond email
The Boss Scam follows the logic of business email compromise, but it moves the final instruction into WhatsApp. That makes it harder for companies that focus only on email security gateways and phishing filters.
The FBI’s Business Email Compromise guidance says these scams exploit messages that appear to come from a known source making a legitimate request.
In this campaign, the trusted source may be the actual WhatsApp account of a senior executive. That makes human verification more important than platform trust.
| Traditional CEO fraud | WhatsApp Boss Scam |
|---|---|
| Often arrives through spoofed or compromised email | May arrive through a hijacked WhatsApp Web session |
| Targets finance employees with urgent payment requests | Targets finance employees with the same urgent pressure |
| Often relies on fake sender addresses or lookalike domains | Can use the executive’s real messaging account |
| Email security tools may detect some attempts | Messaging-platform abuse may bypass email controls |
How finance teams should respond
The strongest control is out-of-band confirmation. No company should approve an urgent transfer or account change based only on a WhatsApp message, email, or chat request.

Finance teams should confirm high-value payments through a live phone call using a known saved number, a verified internal directory, or an in-person approval process. They should not call a number supplied inside the suspicious message.
The FBI BEC guidance also advises victims to contact their financial institution immediately if a transfer was sent, so the bank can contact the receiving institution.
- Require voice or in-person confirmation for urgent transfers.
- Use two-person approval for high-value payments.
- Never approve bank account changes through WhatsApp alone.
- Check requests against purchase orders, invoices, and internal approvals.
- Escalate any request that uses unusual urgency or secrecy.
- Report suspicious activity through internal security teams and cybercrime channels.
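The controls in this section can be written down as a policy check that a payments system runs before a transfer is released. The block below is an added example (not code from the PIB/I4C advisory or from this article): it encodes the rules listed above, including the point that a call-back number must come from the internal directory rather than from the message itself, and returns the list of unmet controls for a request. The threshold, channel names, field names and sample requests are all constructed for the example.

```python
"""Policy check for payment requests that arrive over messaging channels.

Added example, not part of the advisory or the article. Thresholds, channel
names and the request fields are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

HIGH_VALUE = 1_000_000                      # constructed threshold for two-person approval
MESSAGE_CHANNELS = {"whatsapp", "email", "chat"}
OUT_OF_BAND = {"voice_call", "in_person"}   # channels that count as independent confirmation


@dataclass
class TransferRequest:
    amount: int
    request_channel: str                    # where the instruction arrived
    urgent: bool                            # message pressed for immediate action
    new_beneficiary: bool                   # payee or bank details not seen before
    confirmation_channel: str | None = None
    callback_number_source: str | None = None   # "directory" or "message"
    approvers: list[str] = field(default_factory=list)
    matched_document: bool = False          # PO, invoice or internal approval found
    escalated: bool = False                 # reviewed by someone outside the request thread


def evaluate(req: TransferRequest) -> list[str]:
    """Return the controls the request fails; an empty list means it may be released."""
    missing: list[str] = []
    confirmed_out_of_band = req.confirmation_channel in OUT_OF_BAND
    # A message alone is never enough, whichever messaging platform it came from.
    if req.request_channel in MESSAGE_CHANNELS and not confirmed_out_of_band:
        missing.append("no out-of-band confirmation (voice call or in person)")
    # Calling back a number supplied in the message would just reach the attacker.
    if req.confirmation_channel == "voice_call" and req.callback_number_source != "directory":
        missing.append("call-back number must come from the directory, not the message")
    if req.amount >= HIGH_VALUE and len(set(req.approvers)) < 2:
        missing.append("high-value transfer needs two distinct approvers")
    if req.new_beneficiary and not confirmed_out_of_band:
        missing.append("bank account change cannot be approved through messaging alone")
    if not req.matched_document:
        missing.append("no matching purchase order, invoice or internal approval")
    if req.urgent and not req.escalated:
        missing.append("urgent request must be escalated before release")
    return missing


def release_allowed(req: TransferRequest) -> bool:
    return not evaluate(req)


# Constructed sample: the shape of a Boss Scam instruction as it would first arrive.
SCAM_REQUEST = TransferRequest(
    amount=19_800_000, request_channel="whatsapp", urgent=True, new_beneficiary=True,
    approvers=["finance_clerk"],
)

# The same request after the controls above have actually been carried out.
VERIFIED_REQUEST = TransferRequest(
    amount=19_800_000, request_channel="whatsapp", urgent=True, new_beneficiary=True,
    confirmation_channel="voice_call", callback_number_source="directory",
    approvers=["finance_clerk", "cfo"], matched_document=True, escalated=True,
)

if __name__ == "__main__":
    for name, req in (("scam", SCAM_REQUEST), ("verified", VERIFIED_REQUEST)):
        print(name, "release allowed:", release_allowed(req))
        for reason in evaluate(req):
            print("   missing:", reason)
```

The check is deliberately conservative: a request that came in over WhatsApp can only pass once a confirmation has been recorded on a channel the attacker does not control, and a voice confirmation only counts if the number was taken from the directory.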
What IT teams should block
IT administrators should treat ZIP files containing executable content as high risk, especially when they arrive through messaging apps or personal accounts.
Windows controls can reduce the attack surface. Organizations can block unknown EXE and DLL execution from user-writable folders such as Downloads, Desktop, Temp, AppData, and other profile directories.
Microsoft’s DLL search order documentation shows why search paths matter. Attackers can abuse unsafe loading behavior when they can place a malicious DLL where an application will search for it.
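The sideloading pattern described in the "Why DLL sideloading matters" section and the user-writable-folder controls described here come down to the same question: which process loaded which DLL from where. The block below is an added example (not code from the advisory, from Microsoft or from this article) that runs that question over a few constructed image-load events. The event format is a simplified JSON-lines shape loosely modelled on Sysmon image-load telemetry, not a real log; the list of "system" DLL names, the folder markers and the sample events are constructed for illustration. It flags a DLL that was loaded from the same user-writable folder as its executable, a DLL carrying a system DLL name that resolved outside the Windows system folders, and unsigned code mapped from a user-writable path.

```python
"""Flag DLL sideloading candidates in image-load telemetry.

Added example; not code from the advisory or the article. Event format,
sample events and the DLL name list are constructed for illustration.
"""
from __future__ import annotations

import json
from pathlib import PureWindowsPath

# Folders the article names as user-writable profile locations. Matching is a
# substring test on the lower-cased path, so nested folders under them count too.
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\desktop\\", "\\temp\\", "\\appdata\\")

# Where a system DLL is expected to resolve from (lower-case, no trailing separator).
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}

# Constructed, illustrative set of DLL names an application normally expects to
# find in the system folder; a copy sitting beside the EXE is the sideloading shape.
SYSTEM_DLL_NAMES = {"version.dll", "dwmapi.dll", "userenv.dll", "wininet.dll"}

# Constructed image-load events (loosely shaped like Sysmon event 7, not real telemetry).
SAMPLE_EVENTS = r"""
{"process_image": "C:\\Windows\\System32\\notepad.exe", "image_loaded": "C:\\Windows\\System32\\version.dll", "signed": true}
{"process_image": "C:\\Program Files\\Vendor\\app.exe", "image_loaded": "C:\\Program Files\\Vendor\\helper.dll", "signed": true}
{"process_image": "C:\\Users\\ceo\\Downloads\\Compliance_Notice\\Notice.exe", "image_loaded": "C:\\Windows\\System32\\kernel32.dll", "signed": true}
{"process_image": "C:\\Users\\ceo\\Downloads\\Compliance_Notice\\Notice.exe", "image_loaded": "C:\\Users\\ceo\\Downloads\\Compliance_Notice\\version.dll", "signed": false}
"""


def is_user_writable(path: str) -> bool:
    """True if the path sits under one of the user-writable profile folders."""
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def assess(process_image: str, image_loaded: str, signed: bool) -> list[str]:
    """Return the reasons one image-load event looks like DLL sideloading ([] if none)."""
    reasons: list[str] = []
    if not image_loaded.lower().endswith(".dll"):
        return reasons
    proc = PureWindowsPath(process_image)
    dll = PureWindowsPath(image_loaded)
    dll_dir = str(dll.parent).lower()
    dll_in_user_dir = is_user_writable(image_loaded)

    # Shape 1: EXE and DLL live in the same user-writable folder (the extracted ZIP).
    if dll_in_user_dir and proc.parent == dll.parent:
        reasons.append("dll loaded from the same user-writable folder as its process")
    # Shape 2: a DLL with a system name resolved somewhere other than the system folders.
    if dll.name.lower() in SYSTEM_DLL_NAMES and dll_dir not in SYSTEM_DIRS:
        reasons.append("system dll name resolved outside the Windows system folders")
    # Shape 3: unsigned code mapped from a location any user can write to.
    if dll_in_user_dir and not signed:
        reasons.append("unsigned dll loaded from a user-writable folder")
    return reasons


def scan(log_text: str) -> list[dict]:
    """Parse JSON-lines events and return only those with at least one reason."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        reasons = assess(ev["process_image"], ev["image_loaded"], ev["signed"])
        if reasons:
            hits.append({"process": ev["process_image"], "dll": ev["image_loaded"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["process"], "->", hit["dll"])
        for reason in hit["reasons"]:
            print("   ", reason)
```

Only the last sample event is flagged: the downloaded executable loading a genuine system DLL from System32 is normal and stays quiet, while the copy of a system-named DLL sitting beside the executable in Downloads trips all three checks. The same path classification is what an application-control rule for user-writable folders enforces up front, before the load happens.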
| Control | Purpose |
|---|---|
| Application control | Blocks unknown executables and DLLs from user-writable locations |
| Endpoint detection | Flags DLL sideloading, suspicious child processes, and token theft behavior |
| Attachment filtering | Stops ZIP archives containing EXE or DLL files before execution |
| WhatsApp linked-device audits | Finds unknown web or desktop sessions tied to executive accounts |
| Payment workflow controls | Prevents one-message approvals for large transfers |
Executives should review linked devices
Executives who use WhatsApp for business should regularly check linked devices. This should become a routine security step, not only something done after a suspected compromise.
WhatsApp’s log-out instructions explain how users can remove linked WhatsApp Web or desktop sessions from the primary phone.
Companies should also ask executives to separate personal messaging from financial approval workflows. If WhatsApp must be used, it should never serve as the sole approval channel for payments.
- Open WhatsApp on the primary phone.
- Go to Settings or More options.
- Open Linked devices.
- Review every connected web or desktop session.
- Log out of any device that looks unfamiliar or unused.
- Report unknown sessions to the security team immediately.
What victims should do after a suspected attack
If a company suspects this attack, it should first stop pending transfers and contact the bank. Speed matters because mule accounts can move funds quickly after receiving them.
The organization should isolate the affected Windows device, collect forensic evidence, revoke active WhatsApp Web sessions, and reset credentials tied to the executive’s machine.
The reported Indian cases show why rapid reporting matters. In one case, authorities reportedly froze part of the transferred amount after the company approached cyber police.
Bottom line for businesses
The WhatsApp Boss Scam shows how CEO fraud has moved beyond inboxes. Attackers now use malware to turn trusted messaging accounts into fraud channels.
Companies should not treat WhatsApp messages from executives as proof of approval. They should treat them as a request that still needs independent verification.
The safest rule is simple: no urgent financial transfer should move because of a single message. A live confirmation step can stop a multimillion-rupee fraud before it leaves the company’s account.
FAQ
The WhatsApp Boss Scam is a CEO fraud campaign where attackers hijack or impersonate a senior executive’s WhatsApp account and instruct finance employees to transfer money to fraudulent accounts.
Attackers send a malicious ZIP file that contains a Windows executable and DLL file. When the victim runs it, malware compromises the Windows device and targets active WhatsApp Web session data.
DLL sideloading is a technique where attackers place a malicious DLL where a legitimate executable will load it. This can let malware run through normal Windows application loading behavior.
Companies should require voice or in-person confirmation for urgent payments, use two-person approval for large transfers, block unknown EXE and DLL files, and train finance staff not to trust WhatsApp requests alone.
Executives should regularly check WhatsApp Linked devices, log out of unknown or unused sessions, avoid opening ZIP files from unverified sources, and report suspicious compliance messages to the security team.