New 'Boss Scam' Uses DLL Sideloading to Hijack WhatsApp Web for CEO Fraud
A sophisticated 'Boss Scam' campaign is targeting Indian enterprises, combining social engineering with DLL sideloading to hijack WhatsApp Web sessions for CEO fraud and large-scale financial theft.

A novel and technically advanced "Boss Scam" campaign is currently targeting enterprises in India, employing a sophisticated blend of social engineering and malware techniques to hijack WhatsApp Web sessions. This attack vector allows threat actors to impersonate senior executives, specifically CEOs, and instruct finance departments to initiate fraudulent wire transfers. The campaign has already been linked to significant financial losses, with one documented case involving a transfer of Rs. 2.45 crore (approximately $294,000 USD).
Unlike traditional CEO fraud schemes that might rely on email spoofing or compromised accounts, this new campaign tricks executives into forwarding a malicious ZIP file. This file, when opened, utilizes a technique known as DLL sideloading to secretly install malware on the executive's system. This malware then steals WhatsApp Web session tokens, granting attackers full access to the executive's account without needing to compromise their mobile device or bypass multi-factor authentication.
According to an advisory from India's National Cybercrime Threat Analytics Unit (NCTAU), part of the Cyber Crime Coordination Centre (I4C) under the Ministry of Home Affairs, this campaign represents a dangerous convergence of social engineering and technical exploitation. Many existing enterprise security infrastructures are not adequately prepared to detect or prevent such attacks. The primary targets are finance departments, as they are responsible for processing wire transfers and are conditioned to act swiftly on executive directives.
The attack chain begins when a target executive receives a convincing lure, often disguised as an urgent compliance notice from a regulatory body like the Reserve Bank of India. Believing the message to be legitimate, the executive forwards the malicious ZIP file to their finance team. This file typically contains an executable (.exe) and a Dynamic Link Library (.dll) file. When the .exe is run, Windows' default DLL search order checks the application's own directory before the system directories, so the malicious DLL sitting beside the executable is loaded and executes silently in the background, evading many endpoint security solutions.
Once the DLL sideloading is successful, the malware targets and exfiltrates WhatsApp Web session tokens stored on the compromised Windows machine. With these tokens, attackers can effectively clone the executive's WhatsApp Web session on their own devices, gaining the ability to read and send messages as if they were the executive. In some instances, the malware has been observed to create a fallback communication channel by adding an attacker-controlled number to the executive's contact list under their name, ensuring continued control even if the hijacked session is detected and terminated.
The financial impact is often immediate and severe. Attackers leverage the hijacked session to instruct finance teams to wire funds to designated mule accounts. The speed at which these transfers are executed, often within minutes of the initial compromise, makes recovery extremely difficult. The organized nature and technical sophistication of the campaign suggest a well-resourced threat actor engaged in meticulous planning.
To mitigate this threat, organizations are advised to implement a mandatory secondary verification step for all urgent financial transactions, such as a voice call or in-person confirmation, regardless of the communication channel used for the initial request. IT administrators should consider implementing Group Policies to restrict the execution of .exe and .dll files from untrusted directories. Furthermore, deploying advanced endpoint detection and response (EDR) solutions capable of identifying unauthorized session token theft and DLL injection is crucial. Executives should regularly audit their linked devices on WhatsApp Web and log out any unrecognized sessions.
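As an added illustration of how a defender might hunt for the loading pattern described in the attack chain above (this is not code from the advisory or the article), the following Python triage routine runs over image-load records modelled loosely on Sysmon Event ID 7 fields and flags a DLL mapped from beside its host executable in a user-writable folder. The sample records, the folder name and the list of user-writable path markers are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Path fragments for locations a non-admin user can write to (assumed list;
# extend it to match your estate). A DLL mapped from one of these, next to the
# executable that loaded it, matches the sideloading pattern described above.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\downloads\\", "\\appdata\\")


@dataclass
class ImageLoad:
    """One image-load record, modelled loosely on Sysmon Event ID 7 fields."""
    image: str         # loading process (Sysmon: Image)
    image_loaded: str  # module that was mapped (Sysmon: ImageLoaded)
    signed: bool       # module carries a valid Authenticode signature (Sysmon: Signed)


def sideload_reasons(ev: ImageLoad) -> list[str]:
    """Return the heuristics this event trips; an empty list means not suspicious."""
    exe = PureWindowsPath(ev.image)
    dll = PureWindowsPath(ev.image_loaded)
    if dll.suffix.lower() != ".dll":
        return []
    reasons = []
    dll_dir = str(dll.parent).lower() + "\\"
    if exe.parent == dll.parent:          # DLL sits beside the host executable
        reasons.append("dll-beside-exe")
    if any(m in dll_dir for m in USER_WRITABLE_MARKERS):
        reasons.append("user-writable-dir")
    if not ev.signed:
        reasons.append("unsigned")
    # Only a DLL loaded from beside its host, out of a user-writable folder, is
    # reported; the signature check just adds weight to the finding.
    return reasons if {"dll-beside-exe", "user-writable-dir"} <= set(reasons) else []


def triage(events: list[ImageLoad]) -> dict[str, list[str]]:
    """Map each suspicious module path to the reasons it was flagged."""
    return {ev.image_loaded: r for ev in events if (r := sideload_reasons(ev))}


# Constructed sample records (not telemetry from the advisory).
SAMPLE = [
    ImageLoad(r"C:\Users\cfo\Downloads\RBI_Notice\notice.exe",
              r"C:\Users\cfo\Downloads\RBI_Notice\support.dll", signed=False),
    ImageLoad(r"C:\Users\cfo\Downloads\RBI_Notice\notice.exe",
              r"C:\Windows\System32\kernel32.dll", signed=True),
    ImageLoad(r"C:\Program Files\Vendor\app.exe",
              r"C:\Program Files\Vendor\helper.dll", signed=True),
]

if __name__ == "__main__":
    for path, why in triage(SAMPLE).items():
        print(f"SUSPECT {path}: {', '.join(why)}")
```

The same rule can be expressed as an allow-list in AppLocker or Software Restriction Policies (block .exe and .dll execution outside Program Files and Windows), which is the preventive counterpart of this detection.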