Sophisticated Cyber Attacks Exploit WhatsApp; New Hijacking Tactics, Malware, and Spyware Uncovered

Emerging Threats: WhatsApp Hijacks and Advanced Cyber Attacks

In the ever-evolving landscape of cybersecurity, recent developments have unveiled sophisticated methods employed by cybercriminals to exploit popular communication platforms like WhatsApp. These incidents underscore the critical need for heightened vigilance and proactive security measures among users and organizations.

GhostPairing Attack: A New Social Engineering Tactic

Cyber adversaries have introduced a novel social engineering technique known as the GhostPairing attack to hijack WhatsApp accounts. This method involves sending messages from compromised accounts containing links that mimic Facebook previews. When recipients click on these links, they are redirected to a counterfeit Facebook viewer page that prompts them to verify their identity. This verification process can take two forms:

1. QR Code Scanning: Victims are instructed to scan a QR code, which, unbeknownst to them, links the attacker’s browser to their WhatsApp account, granting unauthorized access.

2. Phone Number Entry: Alternatively, victims may be asked to enter their phone number on the fraudulent page. This number is then used to exploit WhatsApp’s legitimate device-linking feature, allowing attackers to gain control over the account.

This attack leverages WhatsApp’s device-linking functionality, a tactic reminiscent of methods used by state-sponsored actors to intercept communications on other platforms earlier this year. To detect potential compromises, users should navigate to Settings > Linked Devices within the app.

Maverick Malware: Targeting Brazilian Financial Institutions

A sophisticated malware campaign has been identified, specifically targeting Brazil’s largest banks. The attack begins with a loader that employs anti-analysis techniques to evade detection. Once the loader confirms the victim’s location in Brazil—by checking time zone, language, region, and date and time format—it downloads the main modules: SORVEPOTEL and Maverick.

Notably, Maverick is only installed after verifying the victim’s Brazilian locale. This malware has also been observed targeting hotels in Brazil, indicating a potential expansion of its scope. The attack chain utilizes an email-based command-and-control infrastructure, multi-vector persistence mechanisms, and advanced evasion techniques to maintain stealth and resilience.

HackOnChat: A Global WhatsApp Hijacking Campaign

Security firm CTM360 has uncovered a rapidly expanding campaign, dubbed HackOnChat, that targets WhatsApp users worldwide. This operation employs a network of deceptive authentication portals and impersonation pages to trick users into compromising their accounts.

The attackers host thousands of malicious URLs on inexpensive top-level domains, rapidly generating new pages through modern website-building platforms. Activity logs reveal hundreds of incidents in recent weeks, with significant surges across the Middle East and Asia.
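A defender-side illustration of the pattern described for GhostPairing's fake Facebook viewer pages and the HackOnChat authentication portals: brand keywords in the hostname combined with a low-cost TLD. This is an added example, not code from the article or from CTM360; the log format, the sample lines and the TLD list are constructed assumptions to be tuned against real telemetry.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of proxy-log lines (timestamp, client, URL); not from the article.
SAMPLE_LOG = """\
2025-11-03T10:01:12Z 10.0.0.14 https://www.whatsapp.com/download
2025-11-03T10:02:40Z 10.0.0.21 https://whatsapp-verify-login.xyz/auth?step=qr
2025-11-03T10:03:05Z 10.0.0.21 https://facebook-viewer.top/preview/8821
2025-11-03T10:04:51Z 10.0.0.30 https://web.whatsapp.com/
2025-11-03T10:05:17Z 10.0.0.09 https://wa-link-device.click/enter-number
2025-11-03T10:06:00Z 10.0.0.42 https://example.org/news
"""

# Brand tokens the campaigns impersonate and the legitimate registrable domains for them.
BRAND_TOKENS = ("whatsapp", "facebook", "wa-")
LEGIT_DOMAINS = {"whatsapp.com", "whatsapp.net", "facebook.com", "fb.com"}
# Assumed list of low-cost TLDs; the article names none, so tune this to your own data.
CHEAP_TLDS = {"xyz", "top", "click", "icu", "cfd", "shop", "online", "site"}

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def registrable_domain(host: str) -> str:
    """Crude eTLD+1: last two labels (adequate for the single-label TLDs above)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def classify_url(url: str) -> str:
    """Return 'legit', 'suspect', or 'benign' for one URL."""
    host = urlsplit(url).hostname or ""
    domain = registrable_domain(host)
    if domain in LEGIT_DOMAINS:
        return "legit"
    tld = domain.rsplit(".", 1)[-1]
    brand_hit = any(tok in host.lower() for tok in BRAND_TOKENS)
    if brand_hit and tld in CHEAP_TLDS:
        return "suspect"
    return "benign"

def find_suspect_hosts(log_text: str) -> list[tuple[str, str, str]]:
    """Scan log lines; return (timestamp, client, host) for each suspect URL."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        ts, client, url = m.groups()
        if classify_url(url) == "suspect":
            hits.append((ts, client, urlsplit(url).hostname or ""))
    return hits
```

A hit is a starting point for triage (which client, which lookalike host), not proof of compromise; the legitimate-domain allowlist keeps web.whatsapp.com and friends out of the results.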

GravityRAT Trojan: Stealing WhatsApp Backups

An updated version of the GravityRAT Android trojan has been detected, masquerading as messaging apps like BingeChat and Chatico. Active since June 2022, this malware can exfiltrate WhatsApp backups and execute commands to delete files. The malicious apps offer legitimate chat functionality based on the open-source OMEMO Instant Messenger app, making them particularly deceptive.

GravityRAT is a cross-platform malware capable of targeting Windows, Android, and macOS devices. Its ability to steal sensitive data and delete files poses a significant threat to users’ privacy and data integrity.

NSO Group’s Exploitation of WhatsApp

Legal documents from an ongoing lawsuit between Meta’s WhatsApp and the Israeli spyware vendor NSO Group have revealed that NSO exploited multiple vulnerabilities in WhatsApp to deliver its Pegasus spyware. Notably, even after Meta filed the lawsuit against NSO in October 2019, NSO developed a new installation vector, known as Erised, to continue its operations.

Erised is a zero-click exploit that can compromise a victim’s phone without any interaction. This method was neutralized sometime after May 2020, indicating its use even after legal actions were initiated. The documents also highlight that NSO Group operated the spyware, contradicting prior claims that clients managed the system.

WhatsApp’s Response to Zero-Day Exploits

In August 2025, WhatsApp addressed a security vulnerability in its iOS and macOS messaging apps that may have been exploited in conjunction with a recently disclosed Apple flaw. The vulnerability, CVE-2025-55177, involved insufficient authorization of linked device synchronization messages, potentially allowing unauthorized processing of content from arbitrary URLs on a target’s device.

WhatsApp has notified fewer than 200 users who may have been targeted as part of this sophisticated spyware campaign. The company recommends performing a full device factory reset and keeping operating systems and the WhatsApp app up to date to ensure optimal protection.

Conclusion

These incidents highlight the evolving tactics of cybercriminals and the importance of maintaining robust security practices. Users are advised to exercise caution when interacting with unsolicited messages, regularly update their applications, and monitor linked devices for any unauthorized access. Staying informed about emerging threats is crucial in safeguarding personal and organizational data against increasingly sophisticated cyber attacks.