Executive Summary
In late 2025, cybersecurity firm CTM360 revealed 'HackOnChat,' a large-scale social engineering campaign targeting WhatsApp users worldwide. The operators stood up fake WhatsApp authentication portals and impersonation webpages and tricked victims into handing over what passes for credentials on WhatsApp: the phone number together with the one-time verification code, the two-step verification PIN, or approval of a device-linking request. WhatsApp accounts have no password, so any one of these is enough to register the account on an attacker's phone or add the attacker as a linked device, which is how the accounts were hijacked. The operation relied on WhatsApp's familiar interface and ordinary psychological pressure rather than on any software exploit, and it produced thousands of compromised accounts and malicious URLs. Observed consequences were disruption of victims' communications and the risk of follow-on abuse, such as impersonating the victim to their contacts or committing fraud from the hijacked account.
This campaign (an account takeover, not a breach of WhatsApp's own systems) underscores the accelerating use of social engineering on messaging platforms and the broader surge in identity-based attacks that exploit user trust in familiar interfaces. Security teams are increasingly alert to credential-phishing methods that bypass traditional controls, especially as regulatory scrutiny of digital identity security intensifies.
Why This Matters Now
The HackOnChat campaign exemplifies a significant escalation in targeted, large-scale social engineering threats against everyday communication platforms. With messaging apps like WhatsApp being critical in both professional and personal settings, such campaigns can rapidly compromise wide networks of users, highlighting an urgent need for stronger identity verification and proactive threat detection defenses.
Attack Path Analysis
Initial Compromise: victims were steered by impersonation pages into fake WhatsApp authentication flows and gave up the phone number and verification code, or approved a device-linking request. Privilege Escalation (more precisely, full session takeover): with that code or approval the attacker registered the account on their own device or added a linked device and held a complete WhatsApp session, with no password available to reset. Lateral Movement: the campaign sent further malicious messages from hijacked accounts to the victims' contacts; access to other cloud accounts tied to the WhatsApp identity (for instance services that send codes or recovery links to the same phone number) is a possibility rather than a documented observation. Command & Control: the hijacked account itself is the channel, kept alive by the attacker and used to send further lures. Exfiltration: chat history, media and contact lists on the account become available for misuse. Impact: account loss, reputational harm and potential follow-on fraud.
Kill Chain Progression
Initial Compromise
Description
Victims were lured to fake WhatsApp authentication pages and entered their phone number and one-time verification code, or approved a device-linking (QR) request; either is all an attacker needs to register or link the account on another device, since WhatsApp has no password to harvest.
Related CVEs
Neither CVE below is required for the attack described above, which is pure social engineering against the verification-code and device-linking flows; they are listed as contemporaneous WhatsApp weaknesses, not as steps in the HackOnChat kill chain.
CVE-2025-55177
CVSS 8.8
Incomplete authorization of linked-device synchronization messages could allow an unrelated user to trigger processing of content from an arbitrary URL on the target's device. Meta assessed that it was chained with an OS-level flaw (Apple ImageIO, CVE-2025-43300) in a zero-click attack against specific targeted users.
Affected Products:
Meta Platforms WhatsApp for iOS – prior to 2.25.21.73; WhatsApp Business for iOS and WhatsApp for Mac – prior to 2.25.21.78
Exploit Status:
exploited in the wild (listed in CISA's Known Exploited Vulnerabilities catalog)
CVE-2025-30401
CVSS 6.5
A spoofing issue in WhatsApp for Windows: attachments were displayed according to their MIME type but opened with a handler chosen from the filename extension, so a crafted mismatch could cause a recipient who manually opened the attachment to execute code instead of viewing it.
Affected Products:
Meta Platforms WhatsApp for Windows – prior to 2.2450.6
Exploit Status:
proof of concept
MITRE ATT&CK® Techniques
Phishing: Spearphishing via Service (T1566.003)
Phishing: Spearphishing Link (T1566.002)
Phishing for Information: Spearphishing Link (T1598.003)
User Execution: Malicious Link (T1204.001)
Gather Victim Identity Information: Credentials (T1589.001)
Valid Accounts (T1078)
Compromise Accounts: Social Media Accounts (T1586.001)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Securing Authentication Credentials
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – Protection and Prevention
Control ID: Art. 9(2)
CISA Zero Trust Maturity Model 2.0 – Phishing-resistant Authentication Mechanisms
Control ID: Identity Pillar - Phishing-resistant AuthN
NIS2 Directive – Risk Analysis and Security Policies
Control ID: Art. 21(2)(a)
Sector Implications
Industry-specific impact of this campaign, including operational, regulatory, and cloud security risks.
Financial Services
WhatsApp hijacking campaigns threaten financial communications, enabling social engineering attacks against clients and compromising encrypted transaction coordination channels.
Health Care / Life Sciences
Healthcare WhatsApp usage for patient coordination creates HIPAA compliance risks when accounts are compromised through deceptive authentication portals.
Professional Training
Training organizations using WhatsApp for client communication face credential theft risks, potentially compromising sensitive educational content and student data.
Government Administration
Government WhatsApp channels for citizen services become attack vectors for impersonation campaigns, threatening public trust and sensitive communications.
Sources
- CTM360 Exposes a Global WhatsApp Hijacking Campaign: HackOnChat (The Hacker News): https://thehackernews.com/2025/11/ctm360-exposes-global-whatsapp.html
- CISA Warns of WhatsApp 0-Day Vulnerability Exploited in Attacks (LinkedIn post on the exploited WhatsApp flaw, separate from the HackOnChat campaign): https://www.linkedin.com/posts/cmitsolutionslasvegas_cisa-warns-of-whatsapp-0-day-vulnerability-activity-7369055990454943744-_74i
- Kaspersky warns of WhatsApp account hijacking scam involving fake voting: https://me-en.kaspersky.com/about/press-releases/kaspersky-warns-of-whatsapp-account-hijacking-scam-involving-fake-voting
Cloud Native Security Fabric (CNSF) Mitigations and Controls
CNSF and Zero Trust controls such as segmentation, traffic visibility, egress policy enforcement and anomaly detection address the enterprise side of this campaign: they can flag unusual authentication flows, block connections to phishing portals, and stop lateral movement or data exfiltration from hijacked SaaS sessions. They do not reach the WhatsApp account itself, which lives on the user's phone; that part depends on user awareness and on WhatsApp's own two-step verification and linked-device review.
Control: Threat Detection & Anomaly Response
Mitigation: Suspicious authentication flows and access attempts would be quickly flagged.
Control: Zero Trust Segmentation
Mitigation: Minimal privilege and enforced segmentation reduce access from compromised identities.
Control: East-West Traffic Security
Mitigation: Lateral movement is blocked across cloud and SaaS boundaries by policy.
Control: Multicloud Visibility & Control
Mitigation: Centralized monitoring detects ongoing attacker-controlled sessions.
Control: Egress Security & Policy Enforcement
Mitigation: Egress filtering prevents data exfiltration to unknown or malicious destinations.
Early intervention and real-time incident response contain business impact.
Impact at a Glance
Affected Business Functions
- Customer Communication
- User Authentication
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of personal messages, contact lists, and sensitive user data leading to privacy violations and identity theft.
Recommended Actions
Key Takeaways & Next Steps
- Implement threat detection and anomaly response to identify suspicious SaaS authentications and connections to phishing portals in real time; a host containing "whatsapp" outside whatsapp.com or whatsapp.net is a cheap first filter.
- Enforce zero trust segmentation and least-privilege policies to minimize damage from compromised identities or lateral cloud movement.
- Deploy strong egress controls to block data exfiltration and outbound traffic to attacker-controlled infrastructure.
- Maintain centralized multicloud visibility for rapid detection of ongoing attacks and to support incident response.
- Automate policy response and incident remediation with CNSF to reduce impact and restore affected accounts or services swiftly.
- For the WhatsApp accounts themselves: enable two-step verification (the six-digit PIN) so a stolen SMS verification code alone cannot re-register the number, review Settings > Linked Devices and log out any entry you do not recognise, and treat any page or message that asks for a WhatsApp verification code as an attack; WhatsApp never asks for it.
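The fake authentication pages described under Initial Compromise and the first recommended action above (flagging phishing portals in real time) are easiest to see with a small detector. The following is an added example written for this page, not code from CTM360, Meta or the CNSF product: it scores URLs from an egress/proxy log for WhatsApp impersonation (brand name under a non-official domain, typosquats, punycode and homoglyph hosts, lure words in the path, plain HTTP). The allow-list of whatsapp.com and whatsapp.net, the registrable-domain heuristic, the log format and every log line are assumptions constructed for the example.

```python
"""Heuristic detector for WhatsApp-impersonation URLs in an egress/proxy log.
Added example for this page; not tooling from CTM360, Meta or the CNSF product.
Assumptions (not from the page): whatsapp.com and whatsapp.net are the only legitimate
registrable domains, the log format is "<timestamp> <user> <url>", and every log line
below is constructed for the example.
"""
import re
from urllib.parse import urlsplit

BRAND = "whatsapp"
LEGIT_DOMAINS = {"whatsapp.com", "whatsapp.net"}
# Words typical of lure pages that mimic WhatsApp's login / device-linking flow.
LURE_WORDS = ("login", "verify", "auth", "link", "device", "qr", "vote", "web")
# Substitutions typosquatters use so a host still reads as the brand name.
HOMOGLYPHS = {"\u0430": "a", "4": "a", "0": "o", "1": "l", "3": "e", "5": "s",
              "vv": "w", "rn": "m"}
# Labels under which the registrable name sits one level deeper (co.uk, com.br ...).
# Heuristic only; production code should use a public suffix list.
SECOND_LEVEL = {"co", "com", "net", "org", "gov", "ac", "edu"}
FLAG_THRESHOLD = 3


def decode_idn(host: str) -> str:
    """Turn punycode labels (xn--...) back into Unicode so homoglyphs become visible."""
    try:
        return host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return host


def normalize(host: str) -> str:
    """Lowercase, decode IDN and fold look-alike characters to plain ASCII."""
    host = decode_idn(host.lower())
    for lookalike, ascii_char in HOMOGLYPHS.items():
        host = host.replace(lookalike, ascii_char)
    return host


def registrable_domain(host: str) -> str:
    """example.com for a.b.example.com; example.co.uk for a.example.co.uk (heuristic)."""
    labels = host.split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typosquats such as 'whatsaap'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_url(url: str) -> dict:
    """Score a URL; score >= FLAG_THRESHOLD means probable WhatsApp impersonation."""
    parts = urlsplit(url)
    raw_host = (parts.hostname or "").lower()
    host = normalize(raw_host)
    score, reasons = 0, []
    if registrable_domain(host) in LEGIT_DOMAINS:
        return {"url": url, "host": host, "score": 0, "reasons": ["official domain"]}
    tokens = [t for t in re.split(r"[.-]", host) if t]
    if BRAND in host:
        score += 3
        reasons.append("brand name under a non-official domain")
    elif any(levenshtein(t, BRAND) <= 2 for t in tokens):
        score += 2
        reasons.append("typosquat of the brand name")
    if raw_host != host:  # punycode was decoded or a look-alike character was folded
        score += 1
        reasons.append("punycode or look-alike characters in host")
    lure = [w for w in LURE_WORDS if w in host or w in parts.path.lower()]
    if lure:
        score += 1
        reasons.append("lure words: " + ", ".join(lure))
    if parts.scheme == "http":
        score += 1
        reasons.append("plain HTTP")
    return {"url": url, "host": host, "score": score, "reasons": reasons}


def scan_proxy_log(lines) -> list:
    """Return the log entries whose URL scores at or above FLAG_THRESHOLD."""
    flagged = []
    for line in lines:
        ts, user, url = line.split(maxsplit=2)
        result = analyze_url(url)
        if result["score"] >= FLAG_THRESHOLD:
            flagged.append({"ts": ts, "user": user, **result})
    return flagged


_IDN_HOST = "wh\u0430tsapp-web.example"  # Cyrillic 'а' (U+0430) replacing Latin 'a'
SAMPLE_PROXY_LOG = [  # constructed lines: "<timestamp> <user> <url>"
    "2025-11-12T09:14:02Z alice https://web.whatsapp.com/",
    "2025-11-12T09:15:40Z bob http://whatsapp-verify-web.example/login?code=",
    "2025-11-12T09:16:05Z carol https://" + _IDN_HOST.encode("idna").decode("ascii") + "/vote",
    "2025-11-12T09:17:31Z dave https://wh4tsapp-web.example/qr",
    "2025-11-12T09:18:10Z erin https://whatsaap.example/device",
    "2025-11-12T09:19:22Z frank https://web-whatsapp.com.example.net/",
    "2025-11-12T09:20:05Z grace https://faq.whatsapp.com/123",
    "2025-11-12T09:21:48Z heidi https://mail.example/login",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{hit['ts']} {hit['user']} score={hit['score']} {hit['host']}: "
              + "; ".join(hit["reasons"]))
```

Running the script prints the five flagged entries (bob, carol, dave, erin and frank); the two official hosts and the benign mail login score 0 and 1 and are left alone. The score is deliberately coarse: a non-brand host with one lure word never reaches the threshold on its own, while the brand name (after folding homoglyphs) under any unofficial registrable domain, including a subdomain trick such as web-whatsapp.com.example.net, always does. Swap the registrable-domain heuristic for a public suffix list before using it on real proxy data.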