India’s Securities and Exchange Board (SEBI) sounded an alarm on July 17, 2026, over a sophisticated “Boss Scam” that turns a routine Windows task—opening a ZIP file—into a vehicle for hijacking WhatsApp Web sessions and approving fraudulent corporate payments. The advisory warns that cybercriminals are combining AI-generated deepfakes with malware-laced archives to impersonate CEOs and trick finance teams into wiring money.

SEBI’s alert, prompted by an earlier June 22 warning from the Indian Cyber Crime Coordination Centre (I4C) under the Ministry of Home Affairs, targets listed companies and regulated entities. It describes a scam where attackers pose as senior officials—often using voice cloning or manipulated video calls—to demand urgent fund transfers. But the most insidious twist exploits an everyday Windows workflow: opening a compressed attachment while WhatsApp Web is active.

The Scam: How a ZIP File Can Steal Your WhatsApp Web Session

According to details published by The Hans India and the Free Press Journal, the attack unfolds in a few chilling steps. A CEO or senior executive receives an email or WhatsApp message that appears to come from a trusted source—perhaps a regulator like the Reserve Bank of India—claiming a compliance failure or mandating a security update. The message insists the recipient open an attached ZIP file immediately.

Inside that archive are two files: a malicious executable (.exe) and a dynamic link library (.dll). If the victim extracts and runs the executable on a Windows device, a Trojan dropper gains persistence on the system. Crucially, it then hijacks active WhatsApp Web session tokens, giving the attacker full access to the victim’s legitimate WhatsApp account as it appears on the linked browser.

SEBI notes that once the attacker controls the executive’s WhatsApp Web session, they can message the finance or accounts department directly, ordering a transfer to specified mule accounts. Because the message arrives from the real executive’s number and contact, it bypasses the skepticism staff might apply to a new or unfamiliar profile. In some variations, the malware also allows the attacker to modify the device’s contact list, saving a criminal-controlled number under the CEO or Managing Director’s name. Subsequent calls or chats from that number then appear entirely authentic.

The I4C advisory emphasizes that the malware specifically targets Windows endpoints, and that the ZIP delivery mechanism relies on social engineering—the victim is pressured into opening the file and ignoring security warnings. The attack doesn’t require sophisticated hacking; it abuses the trust inherent in a known contact and a familiar file format.

Who’s at Risk? From Home Users to Corporate Finance

The scam’s design makes it dangerous for several groups of Windows users:

For executives and senior managers: You are the primary target. A message that looks like an urgent request from a regulator or business partner can compel you to act quickly—especially if it threatens compliance penalties. Opening the ZIP and running its contents compromises not only your workstation but your identity on WhatsApp. Once your session is taken over, the attacker can issue payment instructions in your name to your own staff.

For finance and accounting personnel: You become the secondary victim. A payment demand from your boss’s real WhatsApp account carries an authority that’s hard to challenge. The typical checks—looking for a spoofed email address or an unknown phone number—fail completely. SEBI’s warning specifically advises that no fund transfer should ever be executed solely on the basis of an instruction received through WhatsApp, Microsoft Teams, email, or any social platform.

For everyday Windows users at home: While the immediate targets are businesses, the malware’s session-hijacking capability is a threat to anyone who uses WhatsApp Web on a shared or personal Windows PC. A stolen session could be used to scam your contacts, spread malware, or exfiltrate private conversations. The I4C has confirmed that the attack vector is not limited to corporate environments; the same ZIP-lure could be disguised as anything from a job offer to a utility bill.

For IT and security administrators: The technical impact is severe. A successful infection grants attackers persistence on a Windows endpoint and the ability to extract browser-stored session tokens. Traditional antivirus may not detect the custom payload immediately, and the abuse of a legitimate WhatsApp Web session bypasses many network-based alert systems. The advisory specifically calls out the need to prevent unauthorized executables from running in user-writable directories, where archive-delivered malware typically lands.

How We Got Here: The Evolution of CEO Fraud

The “Boss Scam” (also called CEO fraud or business email compromise) is not new. For years, criminals have spoofed executive emails to direct finance staff to wire money. But two shifts have made the scam far more effective:

  • AI-powered impersonation: Voice cloning and deepfake video calls, now accessible through consumer tools, let attackers create extremely convincing real-time impersonations. SEBI’s advisory explicitly mentions these techniques, noting they make it difficult for employees to trust their own eyes and ears.
  • Session hijacking instead of account theft: Previously, a scammer might create a fake WhatsApp account and hope the target would not notice the different number. By compromising a legitimate, already-trusted account via malware, the attacker eliminates that detection point. The I4C warning notes that attackers specifically seek to “hijack active WhatsApp Web session tokens” rather than steal login credentials.

The timeline leading to the July alert shows escalating concern: The I4C’s June 22 public notice flagged a “rising trend” of CEO/MD impersonation across email, WhatsApp, and Teams. Within weeks, SEBI issued its own advisory on July 17, citing the I4C warning and adding details about the ZIP-malware technique. The regulator’s move underscores the severity of the threat to listed companies and financial entities, where a single fraudulent transfer can cause massive losses.

Immediate Steps for Windows Users and IT Admins

SEBI and the I4C have outlined clear defensive measures. Here’s what you need to do, whether you’re an individual user, a finance department, or an IT team.

For All Windows Users

  • Do not open ZIP or executable attachments received through WhatsApp, personal email, or any chat platform unless you independently verify the sender. Regulators and legitimate organizations will never distribute software updates or security fixes via WhatsApp attachments.
  • Log out of inactive WhatsApp Web sessions immediately. Open WhatsApp on your phone, go to “Linked Devices,” and log out any unfamiliar or unused sessions. This severs an attacker’s access if your machine has been compromised.
  • If you receive an urgent message demanding action, call the person back using a known phone number—not one provided in the message. A quick phone call can expose a deepfake or a session hijack.

For Finance Teams

  • Implement a mandatory out-of-band verification for any fund transfer request above a certain threshold, for new beneficiary additions, or for changes to existing payee details. The verification must use a pre-established contact method: a listed corporate phone number, an in-person confirmation, or a secure internal approval system—not the communication channel that delivered the request.
  • Never process a payment based solely on a WhatsApp, Teams, or email message, even if it seems to come from the CEO. Treat all such instructions as untrusted until independently confirmed.
  • Report any suspected fraud immediately to the national cybercrime helpline (1930 in India) or via the Cyber Crime portal.

For IT and Security Administrators

  • Block executables and DLLs from running in user-writable locations. The I4C specifically recommends Software Restriction Policies (SRP) to prevent unknown .exe and .dll files in user profiles from executing. On modern Windows 10/11 environments, evaluate Windows Defender Application Control (WDAC) or AppLocker to create stricter application allowlisting. Also deploy Microsoft Defender Attack Surface Reduction (ASR) rules that guard against threats originating from email and chat apps.
  • Audit WhatsApp Web linked devices across your organization. Consider a policy that requires users to log out of WhatsApp Web when not actively using it, and routinely scan for unknown sessions. This can be incorporated into endpoint security reviews.
  • Educate executives and finance personnel on the specific mechanics of this scam. Show them how a ZIP attachment can hijack their WhatsApp identity, and stress that the organization’s financial controls must never be circumvented—even for an urgent-seeming request from a senior leader.
  • Review incident response plans to treat an unexplained payment request, a suspicious ZIP file, and an unknown linked WhatsApp device as potentially connected evidence, not isolated incidents. Coordination between IT security and finance is critical.

What’s Next: The Global Implications

SEBI’s advisory is aimed at Indian companies, but the scam’s core components are not geographically bound. The malware payload works on any Windows machine, and WhatsApp Web is used by millions of businesses worldwide. The combination of deepfake social engineering and session-hijacking malware represents an escalation that corporate security teams everywhere will need to address.

Expect more regulators to issue similar warnings, and expect the attack tools to become more polished. For now, the most effective defense remains a blend of technical controls—blocking untrusted executables—and procedural rules that refuse to let a chat message, no matter how convincing, move corporate money on its own.