GhostPairing WhatsApp Attack Highlights Rising Social Engineering And Global Cyber Threat Trends

Researchers have identified a new social engineering technique, dubbed GhostPairing, that lets threat actors hijack WhatsApp accounts by abusing the platform's legitimate Linked Devices feature. The method gives attackers access to the account's messages, media, and group conversations while the victim's phone continues to work normally, so there is no obvious sign of compromise. The activity was first observed in Czechia and reflects a broader pattern of attackers repurposing trusted digital workflows to gain unauthorized access.

The GhostPairing attack begins with messages sent from already compromised WhatsApp accounts, typically containing a link styled to resemble a Facebook-style preview. Clicking the link redirects the victim to a fake viewer page that imitates a legitimate social media interface and asks them to verify their identity before the content is shown. As part of this "verification", victims are told to scan a QR code or to enter their phone number. According to the researchers, the attackers open WhatsApp Web in their own browser, capture the genuine pairing QR code it displays, and embed that code in the fake page. Victims are then guided to scan it through WhatsApp's Linked Devices option, unknowingly pairing the attacker's browser with their own account. In the alternative flow, victims are directed to enter their phone number, which the page forwards to WhatsApp's genuine "link with phone number" feature; the numeric pairing code that WhatsApp generates is relayed back to the victim, who completes the link by typing it into their own app. In both flows nothing presented to WhatsApp is forged: the QR code and the pairing code are real, and the service sees an ordinary device link approved by the account owner.

Security analysts noted that the technique mirrors earlier campaigns attributed to Russian state-sponsored actors, who abused similar device-linking features on Signal and WhatsApp earlier this year. Users have been advised to review their active sessions regularly under Settings and Linked Devices and to log out any device they do not recognise.
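The relay pattern described above, as an added illustration rather than the researchers' code or WhatsApp's actual protocol: a toy linking service issues one-time QR tokens and phone-number pairing codes, a fake "viewer" page relays genuine material issued to the attacker's browser, and the one durable trace is the extra entry in the victim's linked-device list. The service, the token and code formats, the device identifiers, the platform labels and the sample phone number are all invented for the example.

```python
# Added illustration of the pairing relay; hypothetical service, not WhatsApp's protocol.
import secrets
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class LinkedDevice:
    browser_id: str  # hypothetical stable id of the linking browser
    platform: str    # label the service records, e.g. "Chrome on Windows"
    via: str         # "qr" or "phone_code"


class LinkingService:
    """Server side of a made-up 'Linked Devices' feature."""

    def __init__(self):
        self._pending_qr = {}    # qr token -> (browser_id, platform)
        self._pending_code = {}  # (phone, code) -> (browser_id, platform)
        self.linked = {}         # phone -> [LinkedDevice]

    def start_qr_pairing(self, browser_id, platform):
        """A browser opens the web client and is issued a one-time QR payload."""
        token = secrets.token_urlsafe(24)
        self._pending_qr[token] = (browser_id, platform)
        return token

    def approve_qr(self, phone, token):
        """Whichever phone scans the token links the browser that requested it.
        The service learns only that this phone approved; it cannot know who
        put the QR in front of it."""
        browser_id, platform = self._pending_qr.pop(token)  # one-time use
        dev = LinkedDevice(browser_id, platform, "qr")
        self.linked.setdefault(phone, []).append(dev)
        return dev

    def start_code_pairing(self, phone, browser_id, platform):
        """'Link with phone number': the browser supplies a number and is shown
        a short code that must be typed into the app on that phone."""
        alphabet = string.ascii_uppercase + string.digits
        code = "".join(secrets.choice(alphabet) for _ in range(8))
        self._pending_code[(phone, code)] = (browser_id, platform)
        return code

    def approve_code(self, phone, code):
        browser_id, platform = self._pending_code.pop((phone, code))
        dev = LinkedDevice(browser_id, platform, "phone_code")
        self.linked.setdefault(phone, []).append(dev)
        return dev


class FakeViewerPage:
    """The lure: a 'verify to view' page that relays genuine pairing material
    the service issued to the attacker's own browser."""

    def __init__(self, service, attacker_browser_id, attacker_platform):
        self.svc = service
        self.browser = attacker_browser_id
        self.platform = attacker_platform

    def qr_for_victim(self):
        # A real token; only the browser it belongs to is the attacker's.
        return self.svc.start_qr_pairing(self.browser, self.platform)

    def code_for_victim(self, victim_phone):
        # The victim types their number; the page forwards it and relays back
        # the service's real pairing code for the attacker's browser.
        return self.svc.start_code_pairing(victim_phone, self.browser, self.platform)


def unknown_linked_devices(service, phone, known_browser_ids):
    """The practical check: any Linked Devices entry the owner cannot account
    for is a hijacked session and should be logged out."""
    return [d for d in service.linked.get(phone, [])
            if d.browser_id not in known_browser_ids]


def run_scenario():
    svc = LinkingService()
    victim = "+420123456789"  # constructed sample number
    own_laptop = "victim-firefox-home"

    # Legitimate use: the victim links their own laptop.
    svc.approve_qr(victim, svc.start_qr_pairing(own_laptop, "Firefox on Linux"))

    # GhostPairing, QR flow: the victim scans what looks like a verification
    # step; the token belongs to the attacker's browser.
    lure = FakeViewerPage(svc, "attacker-chrome-vps", "Chrome on Windows")
    svc.approve_qr(victim, lure.qr_for_victim())

    # GhostPairing, phone-number flow: the victim enters their number, is
    # handed the genuine code, and types it into their own app.
    svc.approve_code(victim, lure.code_for_victim(victim))

    # What Settings > Linked Devices would show the owner.
    return svc, unknown_linked_devices(svc, victim, {own_laptop})


if __name__ == "__main__":
    _, rogue = run_scenario()
    for d in rogue:
        print(f"unexpected linked device: {d.platform} via {d.via}")
```

The point of the model is that both pairing secrets are bound to the browser that requested them, never to the person presenting them, so no server-side check distinguishes the relayed scan from a legitimate one. The only signal the account owner has is the device list, which is why the advice to review Linked Devices matters.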

The GhostPairing disclosure emerged alongside a series of global cyber incidents that show how quickly threat actors adapt familiar tools and tactics. European authorities recently dismantled an international scam network operating fraudulent call centres across Ukraine, in a coordinated action involving agencies from the Czech Republic, Latvia, Lithuania, and Ukraine, supported by Eurojust. The network reportedly targeted more than 400 victims across Europe and extracted over €10 million through impersonation schemes and remote-access fraud. Approximately 100 individuals took part in operations ranging from phone-based deception to document forgery and cash collection, and suspects were detained following coordinated raids in early December. At the same time, researchers reported a rise in modular malware such as SantaStealer, a Russian-language information stealer marketed on underground forums that is designed to run in memory and exfiltrate credentials, financial data, and sensitive documents while evading traditional detection.

Additional findings from the same period highlighted the persistent misuse of digital infrastructure. Analysts exposed how bulletproof hosting providers continue to enable rapid redeployment of malicious services, undermining takedown efforts. Investigations into DDoSia revealed a constantly shifting command-and-control architecture in which servers stay active for only short periods, primarily targeting Ukraine and its European allies. Other campaigns included malware distribution through RuTube videos promoting fake Roblox cheats, phishing attacks abusing Google's Application Integration service, fake CAPTCHA prompts that deploy malware, and tax-themed phishing delivering remote-access tools. Researchers also flagged nearly 1,000 exposed Model Context Protocol (MCP) servers leaking sensitive data because they enforced no authorization, as well as large-scale reconnaissance against Modbus devices controlling solar infrastructure. Together, these developments illustrate how social engineering, infrastructure abuse, and automation are converging to reshape the global cyber threat environment, with GhostPairing a clear example of how a trusted user flow can be turned against the very user it is meant to serve.
