Hackers Hijack WhatsApp Web Sessions to Launch CEO Fraud Through DLL Sideloading

Jun 30, 2026 · 4 min read
A new breed of executive impersonation attack is making the rounds across Indian enterprises, and it is far more technical than the typical CEO fraud most organizations have prepared for.

This campaign, dubbed the “Boss Scam,” blends social engineering with a malware technique called DLL sideloading to silently take over a senior executive’s WhatsApp Web session.

Once inside, attackers use the hijacked account to instruct finance teams to wire large sums of money to fraudulent accounts.

What makes this campaign particularly dangerous is the way it turns trust into a weapon. Attackers do not crack passwords or break into email servers.

They convince a CEO that a regulatory body, such as the Reserve Bank of India, has issued an urgent compliance notice.

The executive, believing the notice is real, forwards the malicious ZIP file to the finance team. Because it arrives from the CEO rather than from an outside sender, it sails past most corporate security filters without raising any red flags.

Analysts at the Ministry of Cyber Affairs, citing an advisory from the National Cybercrime Threat Analytics Unit (NCTAU) under India’s Cyber Crime Coordination Centre (I4C), Ministry of Home Affairs, identified this threat and noted several high-profile cases using the same method.

The Ministry said in a report shared with Cyber Security News (CSN) that this campaign marks a dangerous convergence of social engineering and technical exploitation that many enterprise security setups are not built to handle.

Finance departments are targeted because they handle wire transfers and act fast on executive instructions.

When a message appears to come directly from the CEO’s verified WhatsApp account, most employees do not stop to question it. That instinctive trust is exactly what attackers exploit, and the financial damage happens almost instantly after each attack lands.

The Regulatory Lure (Source – Ministry Of Cyber Affairs)

In documented cases, transfers as large as Rs. 2,45,00,000 (Rs. 2.45 crore) have been directed to mule accounts within minutes.

Once moved, the money is extremely difficult to recover. The speed and precision of this campaign suggest that the threat actors are well-organized and have done detailed reconnaissance before striking each target.

Hackers Hijack WhatsApp Web Sessions

The attack starts when a target opens a ZIP archive disguised as a compliance update. Inside are two files: an executable (.exe) and a Dynamic Link Library (.dll).

When a program asks Windows for a library by name rather than by full path, the loader searches the application’s own directory before the system directories. The .exe therefore picks up the .dll sitting next to it and runs the attacker’s code in the background, with no exploit required.

This is DLL sideloading. In this technique the .exe is typically a legitimate, signed program that endpoint tools already trust, and all of the malicious logic lives in the unsigned .dll beside it, which is why the malware can settle onto the device without alerting most endpoint security tools.

The malware then targets the WhatsApp Web session tokens stored on the compromised Windows machine, the data that keeps a linked desktop session signed in. Copying these tokens to another machine lets attackers clone the executive’s WhatsApp Web session on their own device.

Because a linked-device session is already authenticated by the phone at pairing time, the attackers gain full read and send access to all active conversations without touching the executive’s phone or defeating any second factor configured on it.

In a secondary variant, if the malware achieves deeper access, attackers quietly save an attacker-controlled phone number under the CEO’s name in the target’s contact list.

This creates a backup channel to send fraudulent transfer instructions if the hijacked session is detected and shut down. This fallback mechanism reveals just how methodically the entire campaign has been engineered.

Protecting Your Organization Against This Threat

The most effective safeguard is straightforward: require a live voice call or in-person confirmation before processing any urgent transaction, regardless of the platform the request came from.

Finance teams should never act on a WhatsApp message alone, even from a verified executive account. IT administrators should use AppLocker or Windows Defender Application Control, deployed through Group Policy, to block .exe and .dll files from running out of user-writable directories such as Downloads and AppData, where the extracted archive lands.
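One way to implement that Group Policy control, as an added example that is not code from the advisory or the article: an AppLocker policy that keeps Microsoft’s three default allow rules and adds Deny rules for Downloads and AppData in both the EXE and DLL collections, applied in AuditOnly mode first. It assumes an elevated PowerShell session on a Windows edition that includes the AppLocker module; the exception path, the two sample file paths and the policy file name are placeholders chosen for this example.

```powershell
# Added example (not from the advisory or CybersecurityNews): build, test and
# apply an AppLocker policy that denies EXE and DLL execution from
# user-writable folders. Starts in AuditOnly so nothing breaks until reviewed.

$Mode = 'AuditOnly'   # change to 'Enabled' only after reviewing audit events 8003 (EXE) / 8006 (DLL)

function New-PathRule {
    param(
        [string]$Name, [string]$Path,
        [ValidateSet('Allow','Deny')][string]$Action,
        [string]$Sid = 'S-1-1-0',            # Everyone
        [string[]]$Except = @()
    )
    $exc = ''
    if ($Except.Count -gt 0) {
        $conds = ($Except | ForEach-Object { "<FilePathCondition Path=`"$_`"/>" }) -join ''
        $exc = "<Exceptions>$conds</Exceptions>"
    }
    # Fresh GUID per rule: rule Ids must be unique across the whole policy.
    @(
        "<FilePathRule Id=`"$([guid]::NewGuid())`" Name=`"$Name`" Description=`"$Name`" UserOrGroupSid=`"$Sid`" Action=`"$Action`">",
        "<Conditions><FilePathCondition Path=`"$Path`"/></Conditions>$exc",
        "</FilePathRule>"
    ) -join ''
}

function Get-RuleSet {
    # Microsoft's default path rules, then the denies. In AppLocker a Deny
    # always beats an Allow, so the last two denies close the well-known
    # user-writable folders that the default %WINDIR% allow would permit.
    @(
        New-PathRule -Name 'Default Program Files' -Path '%PROGRAMFILES%\*' -Action Allow
        New-PathRule -Name 'Default Windows'       -Path '%WINDIR%\*'       -Action Allow
        New-PathRule -Name 'Default Admins'        -Path '*' -Action Allow -Sid 'S-1-5-32-544'
        New-PathRule -Name 'Deny Downloads' -Path '%OSDRIVE%\Users\*\Downloads\*' -Action Deny
        New-PathRule -Name 'Deny AppData'   -Path '%OSDRIVE%\Users\*\AppData\*'   -Action Deny `
            -Except '%OSDRIVE%\Users\*\AppData\Local\Programs\ApprovedApp\*'   # placeholder for vetted per-user apps
        New-PathRule -Name 'Deny Windows Temp'  -Path '%WINDIR%\Temp\*'  -Action Deny
        New-PathRule -Name 'Deny Windows Tasks' -Path '%WINDIR%\Tasks\*' -Action Deny
    )
}

function New-Collection {
    param([string]$Type)
    $rules = (Get-RuleSet) -join "`n"
    "<RuleCollection Type=`"$Type`" EnforcementMode=`"$Mode`">`n$rules`n</RuleCollection>"
}

$policy = "<AppLockerPolicy Version=`"1`">`n$(New-Collection Exe)`n$(New-Collection Dll)`n</AppLockerPolicy>"
$policyPath = Join-Path $env:TEMP 'deny-user-writable.xml'
Set-Content -Path $policyPath -Value $policy -Encoding UTF8

# Dry run: what would the policy decide for the files from the extracted
# archive? Point these at the real quarantined files; the paths are placeholders.
$samples = 'C:\Users\ceo\Downloads\Compliance_Update\ComplianceTool.exe',
           'C:\Users\ceo\Downloads\Compliance_Update\netapi.dll'
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $samples -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply to the local policy (-Ldap 'LDAP://...' targets a domain GPO instead).
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# Enforcement needs the Application Identity service. It is a protected
# service, so Set-Service cannot change its start type; sc.exe can.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# While still in AuditOnly, review what would have been blocked before enforcing.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8006 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message -First 20
```

Two cautions before switching `$Mode` to `Enabled`. First, once the DLL collection is enforced, any DLL that no rule allows is blocked, so the default allow rules above are not optional; leave them in and add publisher rules for software installed elsewhere. Second, many per-user applications install under AppData\Local, and a Deny cannot be overridden by an Allow, so the exception list on the AppData rule has to be populated from the audit events rather than guessed.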

Enterprises should deploy endpoint detection tools that can flag DLL sideloading activity (a process loading an unsigned library from a user-writable folder, typically the one it was launched from) and unauthorized reads of browser session stores where WhatsApp Web tokens live.
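The detection logic for the sideloading step described earlier, as an added example rather than code from the advisory or the article. It hunts Sysmon Event ID 7 (Image loaded) records for an unsigned DLL loaded from a user-writable directory and raises the severity when the DLL sits in the same folder as the executable that loaded it, which is the two-file layout the campaign uses. Sysmon must have image-load logging enabled in its configuration (it is off by default because of volume); the three sample events, the user name and the file paths are constructed for this example.

```powershell
# Added example (not from the advisory or CybersecurityNews): hunt Sysmon
# Event ID 7 for the sideloading pattern. Works offline on the constructed
# sample below; swap in Get-WinEvent for live data (see comment further down).

$UserWritable = @(
    '^[A-Za-z]:\\Users\\[^\\]+\\Downloads\\',
    '^[A-Za-z]:\\Users\\[^\\]+\\Desktop\\',
    '^[A-Za-z]:\\Users\\[^\\]+\\AppData\\',
    '^[A-Za-z]:\\Windows\\Temp\\',
    '^[A-Za-z]:\\ProgramData\\'
)

function Test-UserWritablePath {
    param([string]$Path)
    foreach ($re in $UserWritable) { if ($Path -match $re) { return $true } }
    return $false
}

function Get-SideloadCandidate {
    # Input: flat objects carrying the Sysmon 7 EventData fields Image,
    # ImageLoaded, Signed, SignatureStatus and User. Output: loads worth triage.
    param([Parameter(ValueFromPipeline)] [object]$Event)
    process {
        $dll = [string]$Event.ImageLoaded
        $exe = [string]$Event.Image
        # Sysmon records Signed as the strings 'true'/'false'.
        $unsigned = ($Event.Signed -ne 'true') -or ($Event.SignatureStatus -ne 'Valid')
        if (-not $unsigned -or -not (Test-UserWritablePath $dll)) { return }
        # Same folder as the loader: the classic .exe + .dll drop from a ZIP.
        $sameDir = (Split-Path $dll -Parent) -eq (Split-Path $exe -Parent)
        if ($sameDir) { $sev = 'High';   $why = 'unsigned DLL loaded from the loader''s own user-writable folder' }
        else          { $sev = 'Medium'; $why = 'unsigned DLL loaded from a user-writable folder' }
        [pscustomobject]@{ Severity = $sev; User = $Event.User; Process = $exe; Dll = $dll; Reason = $why }
    }
}

function ConvertFrom-SysmonEvent {
    # Flattens a live Get-WinEvent record into the shape Get-SideloadCandidate expects.
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $x = [xml]$Record.ToXml()
        $h = @{}
        foreach ($d in $x.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
        [pscustomobject]$h
    }
}

# Live use on an endpoint where Sysmon logs image loads:
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7 } -MaxEvents 20000 |
#     ConvertFrom-SysmonEvent | Get-SideloadCandidate

# Constructed sample: a signed vendor DLL, a system DLL loaded by the dropped
# .exe, and the dropped .exe loading the unsigned .dll that came with it.
$sample = @(
    [pscustomobject]@{ User = 'CORP\ceo'; Image = 'C:\Program Files\Vendor\App\app.exe'
                       ImageLoaded = 'C:\Program Files\Vendor\App\helper.dll'
                       Signed = 'true'; SignatureStatus = 'Valid' }
    [pscustomobject]@{ User = 'CORP\ceo'; Image = 'C:\Users\ceo\Downloads\Compliance_Update\ComplianceTool.exe'
                       ImageLoaded = 'C:\Windows\System32\kernel32.dll'
                       Signed = 'true'; SignatureStatus = 'Valid' }
    [pscustomobject]@{ User = 'CORP\ceo'; Image = 'C:\Users\ceo\Downloads\Compliance_Update\ComplianceTool.exe'
                       ImageLoaded = 'C:\Users\ceo\Downloads\Compliance_Update\netapi.dll'
                       Signed = 'false'; SignatureStatus = 'Unavailable' }
)
$sample | Get-SideloadCandidate | Format-Table -AutoSize
```

Only the third sample event is emitted, at High severity. In production the Medium tier will include per-user applications that ship unsigned components under AppData\Local, so baseline the estate and either allowlist those loaders by hash or publisher or restrict the Sysmon ImageLoad rule to Downloads, Desktop and Temp before alerting on it.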

Executives using WhatsApp for business should audit linked devices by going to Settings, then Linked Devices, and logging out of any unrecognized session; logging a device out from the phone invalidates that session, including a cloned one.

All staff should also know that legitimate regulators will never send compliance tools through unsolicited WhatsApp attachments or ZIP files.

Source: CybersecurityNews.com
