Active Spyware Campaigns Targeting High-Value Signal and WhatsApp Users
Summary
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert warning of active spyware campaigns targeting high-value Signal and WhatsApp users. These campaigns leverage sophisticated social engineering and zero-click exploits to compromise mobile devices and exfiltrate sensitive data. The targets include government officials, military personnel, political figures, and civil society organizations across the U.S., Middle East, and Europe. CISA has identified multiple campaigns, including the hijacking of Signal accounts via linked devices, Android spyware campaigns like ProSpy and ToSpy, and the exploitation of iOS and WhatsApp vulnerabilities to target fewer than 200 users. The agency recommends several best practices to mitigate these threats.
Timeline
- 25.11.2025 08:42 (1 article)
CISA Warns of Active Spyware Campaigns Targeting High-Value Signal and WhatsApp Users
CISA has issued an alert warning of active spyware campaigns targeting high-value Signal and WhatsApp users. These campaigns use sophisticated social engineering and zero-click exploits to compromise mobile devices and exfiltrate sensitive data. The targets include government officials, military personnel, political figures, and civil society organizations across the U.S., Middle East, and Europe. CISA has identified multiple campaigns, including the hijacking of Signal accounts via linked devices, Android spyware campaigns like ProSpy and ToSpy, and the exploitation of iOS and WhatsApp vulnerabilities to target fewer than 200 users.
Sources:
- CISA Warns of Active Spyware Campaigns Hijacking High-Value Signal and WhatsApp Users — thehackernews.com — 25.11.2025 08:42
Information Snippets
- CISA has identified multiple spyware campaigns targeting high-value individuals using Signal and WhatsApp.
  First reported: 25.11.2025 08:42 (1 source, 1 article). Sources:
  - CISA Warns of Active Spyware Campaigns Hijacking High-Value Signal and WhatsApp Users — thehackernews.com — 25.11.2025 08:42
- Threat actors use sophisticated social engineering and zero-click exploits to compromise mobile devices.
  First reported: 25.11.2025 08:42 (1 source, 1 article). Sources:
  - CISA Warns of Active Spyware Campaigns Hijacking High-Value Signal and WhatsApp Users — thehackernews.com — 25.11.2025 08:42
- Campaigns include the hijacking of Signal accounts via linked devices, Android spyware campaigns like ProSpy and ToSpy, and the exploitation of iOS and WhatsApp vulnerabilities.
  First reported: 25.11.2025 08:42 (1 source, 1 article). Sources:
  - CISA Warns of Active Spyware Campaigns Hijacking High-Value Signal and WhatsApp Users — thehackernews.com — 25.11.2025 08:42
- Targets include government officials, military personnel, political figures, and civil society organizations across the U.S., Middle East, and Europe.
  First reported: 25.11.2025 08:42 (1 source, 1 article). Sources:
  - CISA Warns of Active Spyware Campaigns Hijacking High-Value Signal and WhatsApp Users — thehackernews.com — 25.11.2025 08:42
- CISA recommends using end-to-end encrypted communications, enabling FIDO phishing-resistant authentication, and avoiding SMS-based MFA.
  First reported: 25.11.2025 08:42 (1 source, 1 article). Sources:
  - CISA Warns of Active Spyware Campaigns Hijacking High-Value Signal and WhatsApp Users — thehackernews.com — 25.11.2025 08:42
Similar Happenings
Lighthouse and Lucid PhaaS Campaigns Target 316 Brands Across 74 Countries
The phishing-as-a-service (PhaaS) offerings Lighthouse and Lucid have been linked to over 17,500 phishing domains targeting 316 brands across 74 countries. The campaigns leverage various phishing kits and templates to impersonate brands and harvest credentials. The operations are attributed to the Chinese-speaking XinXin group and other associated actors. Google has filed a civil lawsuit against China-based hackers behind the Lighthouse PhaaS platform, which has ensnared over 1 million users across 120 countries and made over $1 billion over the past three years. The platform uses over 194,000 malicious domains and has compromised between 12.7 million and 115 million payment cards in the U.S. alone. The phishing kits offer template customization and real-time victim monitoring, with prices ranging from $88 for a week to $1,588 for a yearly subscription. The campaigns also highlight a broader trend of collaboration and innovation within the PhaaS ecosystem, with threat actors returning to email as a primary channel for harvesting stolen credentials.

A growing cluster of fraudulent domains impersonating major Egyptian service providers, including Fawry, Egypt Post, and Careem, has been identified during a recent threat-hunting operation by Dark Atlas. The discovery points to an expanding campaign run by the Smishing Triad, a Chinese-speaking cybercrime group known for large-scale SMS phishing operations. New malicious domains were uncovered after analysts examined HTTP headers from the group’s infrastructure and used those indicators to run targeted searches on Shodan. The investigation highlighted the group’s reliance on Telegram to promote and sell its phishing-as-a-service offerings.

A separate but related development involves Darcula, a large-scale PhaaS platform operating more than 20,000 spoofed domains across 100 countries. Netcraft reports that an upgraded version, Darcula 3.0, introduced anti-detection features, an enhanced admin panel, a card-cloning tool, and AI-driven automation that allows operators to build phishing pages with a single click. Both the Smishing Triad and emerging PhaaS services like Darcula demonstrate the increasing sophistication of global phishing operations.