CyberSecurity SEE

Boss Scam Exploits DLL Sideloading to Hijack WhatsApp Web and Defraud Businesses

The emergence of the new “Boss Scam” represents a significant escalation in CEO fraud, employing multifaceted techniques that combine impersonation, Windows DLL sideloading, and the theft of WhatsApp Web sessions. Distinctively, this new scheme enables attackers to convert trusted executive communications into vehicles for malicious activities.

Recent advisories from India’s I4C (Cyber Coordination Centre) and NCTAU (National Cyber Forensics and Training Alliance) have brought this alarming trend to light. According to these reports, attackers commonly pose as regulatory officials or high-ranking executives, disseminating malicious archives. They exploit compromised accounts to issue fraudulent payment instructions, demonstrating a troubling innovation in cybercrime strategies.

From a technical perspective, the attack chain is designed for both speed and stealth. Victims are typically lured into opening a ZIP file that contains an executable (EXE) file along with a dynamic-link library (DLL). When the user launches the EXE, Windows loads the associated DLL from the same directory. This classic sideloading approach not only helps the malware blend into normal operations but also allows it to evade standard file monitoring controls.

While the technical mechanics of this scam are intricate, the underlying strategy is predominantly rooted in social engineering. Typically, the perpetrator sends a message that suggests urgent regulatory action, which can create significant pressure among executives or finance personnel to open the file and disseminate it internally without due diligence. This psychological tactic exploits the urgency of corporate communications, effectively bypassing normal scrutiny.

After successfully infiltrating an endpoint, the malware’s primary objective is not to disrupt operations through ransomware; rather, it seeks to gain unauthorized access to active WhatsApp Web sessions along with any associated authentication credentials. By replicating the session on their end, attackers can send or read messages as if they were the genuine executive. This is particularly concerning, as finance departments often trust communications that appear to originate from established executive profiles—especially when they come from widely-used platforms like WhatsApp and are framed as urgent requests.

According to reports from Cyber Affairs, the attackers craft payment instructions that closely mirror the language and timing of genuine executive communications, enhancing the likelihood that employees will comply with these fraudulent requests.

In some variations of the scam, malicious software even manipulates local contact data, storing the attacker-controlled number under the name of the CEO. This method ensures that impersonation continues, even in the event that a hijacked web session is detected and subsequently logged out.

This sophisticated campaign is significant because it targets a particularly vulnerable area of enterprise defenses: the intersection of personal messaging applications, executive authority, and payment approval workflows. Such operations reveal how outdated assumptions about “safe” attachments can lead organizations astray, particularly when unrestricted EXE and DLL files are permitted to execute from user directories like Downloads or AppData.

In real-world scenarios, a single compromised endpoint has the potential to transform into a fraud relay that impacts the entire organization. Consequently, defense strategies must incorporate layers of protection. The guidance from I4C emphasizes the importance of out-of-band verification for any urgent transfers, direct voice or face-to-face confirmations for bank account modifications, and the immediate rejection of unsolicited software updates or compliance tools sent via WhatsApp.

Enterprises are encouraged to enforce stringent software restriction policies, actively monitor for unusual DLL loads and token theft behaviors, and regularly audit WhatsApp-linked devices on executives’ phones. This fits a broader trend of malware families that harvest WhatsApp Web session data, indicating that this method of attack is not an isolated phenomenon but rather a repeatable exploitation tactic.
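As an added example, not code from the article or the advisories it cites, the following Python sketches the "unusual DLL load" check the guidance above calls for, applied to the sideloading pattern described earlier: it scans Sysmon Event ID 7 (Image Loaded) records and flags a DLL loaded from the launching EXE's own directory under a user-writable path (Downloads, AppData, Temp) without a valid signature. The field names follow Sysmon; the events, paths and the marker list of user-writable directories are constructed assumptions.

```python
import json
from pathlib import PureWindowsPath

# Path components that mark user-writable locations (assumption: tune for
# your estate). An EXE+DLL pair unpacked from a ZIP typically lands here.
USER_WRITABLE_MARKERS = {"downloads", "appdata", "temp", "desktop"}

# Constructed sample events in Sysmon Event ID 7 (Image Loaded) style,
# one JSON object per line. Field names follow Sysmon; values are made up.
SAMPLE_EVENTS = r"""
{"EventID": 7, "Image": "C:\\Users\\asha\\Downloads\\Notice\\notice.exe", "ImageLoaded": "C:\\Users\\asha\\Downloads\\Notice\\support.dll", "Signed": "false", "SignatureStatus": "Unavailable"}
{"EventID": 7, "Image": "C:\\Users\\asha\\Downloads\\Notice\\notice.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true", "SignatureStatus": "Valid"}
{"EventID": 7, "Image": "C:\\Program Files\\Vendor\\app.exe", "ImageLoaded": "C:\\Program Files\\Vendor\\helper.dll", "Signed": "true", "SignatureStatus": "Valid"}
{"EventID": 1, "Image": "C:\\Users\\asha\\Downloads\\Notice\\notice.exe"}
"""


def is_sideload_candidate(event: dict) -> bool:
    """True when an image-load event looks like DLL sideloading: a DLL pulled
    from the loading EXE's own directory, under a user-writable path, without
    a valid Authenticode signature. Non-EventID-7 records are ignored."""
    if event.get("EventID") != 7:
        return False
    exe = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    if dll.suffix.lower() != ".dll":
        return False
    same_dir = exe.parent == dll.parent          # application-directory load
    parts = {p.lower() for p in dll.parts}
    user_writable = bool(parts & USER_WRITABLE_MARKERS)
    unsigned = event.get("SignatureStatus", "").lower() != "valid"
    return same_dir and user_writable and unsigned


def scan(lines: str) -> list:
    """Return (exe, dll) pairs for every suspicious load in a JSON-lines feed."""
    hits = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if is_sideload_candidate(event):
            hits.append((event["Image"], event["ImageLoaded"]))
    return hits


if __name__ == "__main__":
    for exe, dll in scan(SAMPLE_EVENTS):
        print(f"possible sideload: {exe} loaded {dll}")
```

In practice the same check is applied to a live Sysmon or EDR image-load feed; a hit on a user-writable directory is a strong cue to quarantine the endpoint and review the executive's WhatsApp-linked devices.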

The overarching lesson is clear: executive fraud should no longer be viewed as a mere email issue. The capability of attackers to hijack the very identity of executives in messaging platforms necessitates a comprehensive approach to security, treating WhatsApp Web, endpoint execution protocols, and payment verification as interconnected aspects of a singular attack surface. As organizations continue to navigate the complexities of cybersecurity, the need for vigilance and innovation becomes paramount.
