CTM360 Exposes a Global WhatsApp Hijacking Campaign: HackOnChat
CTM360 has identified a rapidly expanding WhatsApp account-hacking campaign targeting users worldwide via a network of deceptive authentication portals and impersonation pages. The campaign, internally dubbed HackOnChat, abuses WhatsApp’s familiar web interface, using social engineering tactics to trick users into compromising their accounts. Investigators identified thousands of malicious URLs
AI Analysis
Technical Summary
The HackOnChat campaign, uncovered by CTM360, is a rapidly expanding global operation that targets WhatsApp users through social engineering and deceptive web portals. The attackers have created thousands of malicious URLs on low-cost top-level domains and use modern website-building platforms to scale their phishing infrastructure quickly.

The campaign employs two primary techniques: session hijacking and account takeover. Session hijacking abuses WhatsApp Web's linked-device feature: if a user is tricked into scanning a malicious QR code or visiting a spoofed portal, the attacker obtains an active session on the victim's account. Account takeover deceives victims into handing over authentication keys or codes through fake security alerts, WhatsApp Web lookalike pages, and spoofed group-invite messages. The phishing sites provide multilingual support and country-code selectors so that users worldwide can be targeted effectively.

Once in control, the attackers use the compromised account to defraud the victim's contacts by requesting money or sensitive information, and to harvest personal, financial, or private data from messages and media. Propagation is a chain reaction: each compromised account sends phishing messages to its own contacts, amplifying the campaign's reach. Activity has surged notably in the Middle East and Asia, but the threat remains global.

The attack relies on social engineering and on the trust users place in WhatsApp's familiar interface rather than on software vulnerabilities. No known exploits or patches exist, since the threat rests on phishing and session misuse rather than technical flaws. The campaign underscores the persistent risk that social engineering poses to widely used communication platforms.
Potential Impact
For European organizations, the HackOnChat campaign poses significant risk primarily through compromised employee or customer WhatsApp accounts. An account takeover grants unauthorized access to sensitive communications and can leak confidential business information, intellectual property, or personal data protected under GDPR. Hijacked accounts that propagate phishing scams can damage an organization's reputation and lead to financial fraud or further social engineering against employees or partners. Because the campaign spreads through contact networks, a single compromise can cascade across an organization and its extended ecosystem. Where WhatsApp is integrated into corporate identity or communication workflows, a compromised account may also be used to bypass multi-factor authentication.

Since the attack is purely social engineering, even well-secured technical environments remain exposed if users are not adequately trained. The threat also raises privacy and compliance concerns, as stolen data could include personal information subject to strict European data protection laws. The surge in activity in regions outside Europe suggests a lower but still present risk, especially in countries with high WhatsApp usage among business users.
Mitigation Recommendations
European organizations should:

- Implement targeted user awareness training focused on recognizing phishing attempts via WhatsApp, emphasizing the risks of scanning unknown QR codes and interacting with suspicious links or messages.
- Deploy email and messaging filtering solutions capable of detecting and blocking malicious URLs associated with the HackOnChat campaign.
- Encourage use of WhatsApp's built-in security features, such as two-step verification, and educate users to review their linked devices regularly so unauthorized sessions are detected and removed.
- Integrate endpoint detection and response (EDR) tooling to monitor for unusual WhatsApp Web session activity or unauthorized device linkages.
- Establish incident response procedures specifically for compromised messaging accounts, including rapid account recovery and notification of affected contacts.
- Collaborate with threat intelligence providers to receive timely updates on emerging malicious URLs and phishing tactics related to this campaign.
- For organizations using WhatsApp for business communications, consider additional authentication layers or alternative secure communication platforms less susceptible to social engineering.
- Promote a culture of skepticism toward unsolicited security alerts and group invites, especially those requesting sensitive information or financial transactions.
- Ensure compliance teams are prepared to handle data breach notifications if personal or corporate data is compromised through these attacks.
Affected Countries
United Kingdom, Germany, France, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Article Source: https://thehackernews.com/2025/11/ctm360-exposes-global-whatsapp.html (fetched 2025-11-20T13:19:56Z, 937 words)
Threat ID: 691f158663b28c178c8a2618
Added to database: 11/20/2025, 1:20:06 PM
Last enriched: 11/20/2025, 1:20:42 PM
Last updated: 11/22/2025, 1:49:43 PM