India cyber watchdog warns CEOs of 'Boss Scam' via WhatsApp hijack

India's cybercrime agency Monday warned corporate executives about a new wave of attacks that hijack WhatsApp sessions after tricking targets into installing malware. The Indian Cyber Crime Coordination Centre (I4C), part of the Home Ministry, said fraudsters are impersonating regulators such as the Reserve Bank of India to demand urgent compliance action.

The attack starts with an email or WhatsApp message to a CEO or senior official. The message claims a regulatory violation or threatens a security upgrade, asks for a response within hours. It carries a compressed .zip archive that contains an executable (.exe) and a Dynamic Link Library (.dll) file. When the executive extracts and runs the file on a Windows machine, the malware installs a Trojan dropper that steals active web WhatsApp session tokens.

Armed with those tokens, the attacker messages finance staff from the executive's real WhatsApp account, instructing them to transfer money to mule bank accounts. The I4C advisory described multiple cases where the CEO forwarded the archive to a finance officer, who then executed it and triggered the breach.

The twist in the 'Boss Scam' is the session hijack. The attacker never needs a password or two-factor code. Once the token is grabbed, the fraudster works from within the real account. Finance teams see a message from the actual CEO – the name, profile picture, chat history. The scam bypasses the usual authentication barriers.