GhostPairing
GhostPairing is a WhatsApp account hijacking technique/campaign that abuses WhatsApp’s legitimate device-linking or pairing functionality to give an attacker access to a victim’s account. Reporting describes victims in Czechia being tricked into linking an attacker-controlled device to their WhatsApp account, after which the attacker can hijack or access the account through the paired session. The activity has been referred to as “The ghosts of WhatsApp: How GhostPairing hijacks accounts” and is specifically characterized as a WhatsApp device-linking attack. High-confidence details in the provided content are limited to this account-takeover behavior and the observed targeting in Czechia; no additional malware family, payload, threat actor attribution, or technical indicators of compromise are provided in the source material.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
WhatsApp device-linking attack technique used to gain access to victims' WhatsApp accounts (mentioned alongside GhostChat activity).
Technique and campaign for hijacking WhatsApp accounts by abusing legitimate device pairing features, enabling persistent access and further social engineering.
Technique/tool referenced in the context of hijacking WhatsApp accounts; no additional technical details provided in the supplied content.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.