
Active Spyware Campaigns Targeting High-Value Signal and WhatsApp Users

3 unique sources, 8 articles

Summary


The FBI has directly attributed ongoing Signal and WhatsApp phishing campaigns to threat actors affiliated with Russian intelligence services, confirming the compromise of thousands of accounts globally. The attacks primarily target high-value individuals: current and former U.S. government officials, military personnel, political figures, and journalists. The campaign does not break end-to-end encryption; it hijacks accounts through social engineering, impersonating support services and tricking users into sharing verification codes or scanning malicious QR codes that link an attacker-controlled device to the account. CISA first flagged the campaign in late 2025, and German, Dutch, and now U.S. intelligence agencies have since confirmed it. Targets include high-ranking politicians, military officers, diplomats, and investigative journalists across Germany and Europe, with additional confirmed targeting in the U.S. and other regions. Attackers gain access to private messages, contact lists, and group chats, enabling them to impersonate victims and launch further phishing campaigns. Signal has emphasized that it will never initiate contact to request verification codes or PINs; both Signal and WhatsApp users are advised to review their linked devices regularly and never share verification codes. Russia-aligned threat clusters such as Star Blizzard, UNC5792 (aka UAC-0195), and UNC4221 (aka UAC-0185) have used similar tactics, and the FBI's attribution underscores the state-sponsored nature of these operations against sensitive communications. French authorities have also warned of a surge in similar campaigns targeting government officials, journalists, and business leaders.

Recent FBI and CISA guidance distinguishes the two outcomes. Victims who share a verification code lose access to their account while the attacker gains the ability to monitor and impersonate them. Victims who scan a malicious QR code instead link an attacker-controlled device, which silently receives all past and future messages while the victim keeps access; the device remains linked until it is explicitly removed in the app's linked-devices settings.

Timeline

  1. 06.02.2026 22:00 · 6 articles

    Germany Warns of Signal Account Hijacking Targeting Senior Figures

    The FBI and CISA jointly confirm that thousands of Signal and WhatsApp accounts belonging to high-value individuals have been compromised in ongoing campaigns attributed to threat actors affiliated with Russian intelligence services. The advisory quantifies the global scale of compromise and clarifies two distinct outcomes of the social engineering attacks: victims who share verification codes lose account access while attackers gain monitoring and impersonation capabilities, whereas victims who scan malicious QR codes let attackers link a device and silently access all past and future messages. In the QR-code case the victim retains account access, and the attacker's device stays linked until it is explicitly removed in the app's linked-devices settings. The advisory also includes a warning from France's Cyber Crisis Coordination Center (C4) about a surge in similar campaigns targeting instant messaging accounts associated with government officials, journalists, and business leaders.

  2. 17.12.2025 21:14 · 2 articles

    GhostPairing Campaign Abuses WhatsApp Device Linking

    Threat actors are abusing WhatsApp's legitimate device-linking feature to hijack accounts via pairing codes in a campaign dubbed GhostPairing. The campaign was first spotted in Czechia, but researchers warn that its propagation mechanism, messages sent from already compromised accounts to their contacts, allows it to spread to other regions. The attack starts with a short message from a known contact sharing a link that supposedly leads to an online photo of the victim. Victims are asked for their phone number, which the attacker uses to initiate a legitimate device-linking or login process for that number. Once the victim enters the resulting pairing code, the attacker has complete access to the account without having to bypass any protections. Multiple threat actors, including cybercriminals, have adopted the technique in campaigns like GhostPairing to hijack accounts for scams and fraud.

  3. 25.11.2025 08:42 · 4 articles

    CISA Warns of Active Spyware Campaigns Targeting High-Value Signal and WhatsApp Users

    CISA has issued an alert warning of active spyware campaigns targeting high-value Signal and WhatsApp users. These campaigns combine social engineering with zero-click exploits to compromise mobile devices and exfiltrate sensitive data. Targets include government officials, military personnel, political figures, and civil society organizations across the U.S., the Middle East, and Europe. CISA identified multiple campaigns: hijacking of Signal accounts via linked devices, Android spyware campaigns such as ProSpy and ToSpy, and exploitation of iOS and WhatsApp vulnerabilities against fewer than 200 users.

    A further campaign, dubbed GhostPairing, abuses WhatsApp's legitimate device-linking feature to hijack accounts via pairing codes. It was first spotted in Czechia but has the potential to spread to other regions.

    Germany's domestic intelligence agency has also warned of state-sponsored threat actors targeting high-ranking individuals via messaging apps such as Signal. These attacks combine social engineering with legitimate app features to steal data from politicians, military officers, diplomats, and investigative journalists in Germany and across Europe. Dutch intelligence agencies have confirmed that Russian state-sponsored hackers are targeting government officials, military personnel, and journalists through Signal and WhatsApp phishing campaigns.

    Signal has acknowledged the phishing attacks and emphasized that its encryption and infrastructure remain robust. Attackers impersonate a fake 'Signal Security Support Chatbot' to trick users into sharing verification codes and PINs. Once attackers control an account, they can change the associated phone number to one they control, giving them the victim's contact list and incoming messages. Victims may regain access to their chat history after re-registering, which can lead them to believe nothing unusual occurred.

    A second attack method abuses Signal's and WhatsApp's device-linking functionality: the victim is sent a malicious QR code or link that, when scanned or opened, links an attacker-controlled device to the account.

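The linked-device hijack described in the summary and in entry 3 above works only if the target scans or opens the payload, so a practical control is to decode a QR code or link first and refuse anything that encodes a device-linking request. The following is an added example written for this page, not Signal's or WhatsApp's own code. It assumes (labelled in the code) that Signal's "link a device" QR encodes an sgnl://linkdevice URI carrying the new device's uuid and pub_key, that Signal group invites are https://signal.group/#... links, and that WhatsApp invites use chat.whatsapp.com or wa.me; the sample payloads are constructed. It also looks inside query and fragment parameters, so a linking URI wrapped in an open-redirector style link is still caught.

```python
"""Classify a decoded QR-code or link payload before a Signal/WhatsApp user
scans or opens it.

Added example for this page, not Signal's or WhatsApp's own code. Assumed
(labelled) formats: Signal's "link a device" QR encodes an sgnl://linkdevice
URI whose query carries the new device's uuid and pub_key; Signal group
invites are https://signal.group/#... links; WhatsApp invites use
chat.whatsapp.com or wa.me. The sample payloads at the bottom are constructed.
"""
from urllib.parse import parse_qs, unquote, urlsplit

LINK_SCHEME, LINK_HOST = "sgnl", "linkdevice"
KNOWN_INVITE_HOSTS = {"signal.group", "signal.me", "chat.whatsapp.com", "wa.me"}


def _nested_uris(parts):
    """Yield URI-looking values hidden in query or fragment parameters, so a
    device-link URI wrapped in a redirector link is still caught."""
    for raw in (parts.query, parts.fragment):
        for values in parse_qs(raw, keep_blank_values=True).values():
            for value in values:
                value = unquote(value)
                if "://" in value:
                    yield value


def classify(payload: str, _depth: int = 0) -> dict:
    """Return a verdict dict: DEVICE_LINK (never scan), INVITE, or UNKNOWN."""
    parts = urlsplit(payload.strip())
    scheme, host = parts.scheme.lower(), parts.netloc.lower()

    if scheme == LINK_SCHEME and host == LINK_HOST:
        query = parse_qs(parts.query)
        return {"verdict": "DEVICE_LINK",
                "device_uuid": query.get("uuid", [""])[0],
                "has_pub_key": "pub_key" in query}  # the new device's identity key

    if scheme in ("http", "https"):
        if _depth < 2:  # bounded recursion into wrapped links
            for inner in _nested_uris(parts):
                result = classify(inner, _depth + 1)
                if result["verdict"] == "DEVICE_LINK":
                    result["wrapped_by"] = host
                    return result
        if host in KNOWN_INVITE_HOSTS:
            return {"verdict": "INVITE", "host": host}
        return {"verdict": "UNKNOWN", "host": host}

    return {"verdict": "UNKNOWN", "scheme": scheme}


SAMPLES = {  # constructed payloads, not real campaign artifacts
    "group_invite": "https://signal.group/#CjQKIExampleInviteBytes",
    "whatsapp_invite": "https://chat.whatsapp.com/AbCdEfGhIj",
    "raw_link_qr": "sgnl://linkdevice?uuid=0f1e2d3c-0000-4000-8000-000000000001&pub_key=QUJDREVG",
    "wrapped_link_qr": "https://example.invalid/photo?u=sgnl%3A%2F%2Flinkdevice%3Fuuid%3D0f1e%26pub_key%3DQUJD",
    "plain_lure": "https://example.invalid/photo.html",
}


def triage(samples: dict = SAMPLES) -> dict:
    """Map sample name -> verdict; anything DEVICE_LINK should be refused."""
    return {name: classify(payload)["verdict"] for name, payload in samples.items()}


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:16} {classify(payload)}")
```

A verdict of UNKNOWN is not a clean bill of health: the GhostPairing lure is an ordinary web page that only asks for a phone number, so the classifier catches the QR/link variant, not the pairing-code variant. The only control that covers both is the one the advisories give: never enter a code or scan a QR code that you did not yourself initiate, and check the linked-devices list afterwards.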


Similar Happenings

WhatsApp Introduces Lockdown-Style Security Mode for High-Risk Users

WhatsApp is rolling out a new security feature called Strict Account Settings to protect high-risk users, such as journalists and public figures, from advanced cyber attacks and spyware. The feature locks account settings to their most restrictive options: it enables two-step verification, blocks media from unknown senders, silences calls from unknown people, and turns off link previews. It is being rolled out gradually. Separately, WhatsApp is adopting the Rust programming language for its media-sharing code to mitigate memory-safety issues. WhatsApp has also patched zero-day vulnerabilities and pursued legal action against the NSO Group over spyware attacks.

Vishing Attacks Target Okta SSO Accounts for Data Theft

Threat actors are using vishing attacks to steal Okta SSO credentials, bypassing MFA and gaining access to enterprise cloud services. The attacks involve real-time manipulation of phishing pages and social engineering to trick employees into revealing their credentials and MFA codes. Once access is gained, attackers exfiltrate data from integrated platforms like Salesforce and demand extortion payments. The phishing kits used in these attacks are sold as a service and are actively employed by multiple hacking groups targeting identity providers and cryptocurrency platforms. Okta recommends using phishing-resistant MFA methods to mitigate these threats. Attackers use Telegram channels to receive stolen credentials and adapt their campaign based on the MFA or authentication solution the target is using. Phishing kits allow attackers to generate fake MFA notifications to bypass MFA protections.

Malicious npm package 'lotusbail' steals WhatsApp credentials and messages

A malicious npm package named 'lotusbail' has been discovered that poses as a legitimate WhatsApp Web API library. The package steals WhatsApp authentication tokens and session keys, intercepts messages, and exfiltrates contact lists and media files. It had been available for at least six months with over 56,000 downloads; it was uploaded by a user named 'seiren_primrose' in May 2025 and was downloaded 711 times in the last week. It uses a malicious WebSocket wrapper to capture credentials and chats and transmits the stolen data, encrypted, to an attacker-controlled URL. It also uses a hard-coded pairing code to hijack the device-linking process and link the attacker's device to the victim's WhatsApp account, which grants persistent access even after the package is removed, and it traps execution in an infinite loop when it detects debugging tools. Researchers recommend checking for rogue linked devices and monitoring runtime behavior for unexpected outbound connections.

OAuth Device Code Phishing Campaigns Target Microsoft 365 Accounts

A surge in phishing campaigns exploiting Microsoft's OAuth device code authorization flow has been observed, targeting Microsoft 365 accounts. Both state-aligned and financially motivated actors use social engineering to trick users into approving malicious applications, leading to account takeover and data theft. The attacks leverage the OAuth 2.0 device authorization grant, a legitimate flow designed for devices with limited input capabilities. Once a victim enters a device code generated by an attacker-controlled application, the threat actor receives a valid access token and with it control over the compromised account. The campaigns use QR codes, embedded buttons, and hyperlinked text to initiate the attack chain, typically under the pretext of document sharing, token reauthorization, or security verification. Their growth is linked to readily available tooling such as SquarePhish2 and Graphish, which simplify device code abuse and require limited technical skill. Proofpoint observed the financially motivated actor TA2723 and the Russia-linked group UNK_AcademicFlare adopting the technique against various sectors in the U.S. and Europe.

The UNK_AcademicFlare activity, ongoing since September 2025, uses compromised email addresses belonging to government and military organizations to strike government, think tank, higher education, and transportation entities in the U.S. and Europe. The adversary claims to share a link to a document containing questions or topics for the recipient to review before a meeting. The URL points to a Cloudflare Worker that mimics the compromised sender's Microsoft OneDrive account and instructs the victim to copy the provided code and click 'Next' to access the supposed document. Device code phishing was documented in detail by Microsoft and Volexity in February 2025, which attributed its use to Russia-aligned clusters such as Storm-2372, APT29, UTA0304, and UTA0307. The October 2025 campaign is assessed to have been fueled by the ready availability of crimeware offerings like the Graphish phishing kit and red-team tools such as SquarePhish.

To counter device code phishing, the best option is a Conditional Access policy that uses the Authentication Flows condition to block the device code flow for all users. Where that is not feasible, use an allow-list policy that permits device code authentication only for approved users, operating systems, or IP ranges.

Threat actors are now also targeting technology, manufacturing, and financial organizations in campaigns that combine device code phishing with voice phishing (vishing) to abuse the OAuth 2.0 device authorization flow and compromise Microsoft Entra accounts. Unlike earlier attacks that relied on malicious OAuth applications, these campaigns use legitimate Microsoft OAuth client IDs together with the device authorization flow to trick victims into authenticating. This yields valid authentication tokens that give access to the victim's account without any phishing site that steals passwords or intercepts multi-factor authentication codes.

Separately, Microsoft has warned of phishing campaigns that abuse OAuth's legitimate URL redirection mechanism to bypass phishing protections in email and browsers and take users to malicious pages. These campaigns target government and public-sector organizations with phishing links that prompt users to authenticate to a malicious application; the goal is the redirect itself, not token theft. The malicious OAuth applications are registered with an identity provider such as Microsoft Entra ID and rely on OAuth 2.0 to obtain delegated or application-level access to user data and resources. The attackers create the application in a tenant they control and configure it with a redirect URI pointing to their infrastructure. Even though the resulting Entra ID URLs look like legitimate authorization requests, the endpoint is invoked with parameters requesting silent authentication (no interactive login) and an invalid scope that triggers an authentication error, which forces the identity provider to redirect the user to the attacker's configured redirect URI. In some cases victims land on phishing pages powered by attacker-in-the-middle frameworks such as EvilProxy, which intercept valid session cookies to bypass MFA. Microsoft found that the 'state' parameter was misused to auto-fill the victim's email address in the credentials box on the phishing page, increasing the perceived legitimacy.

In other instances victims are redirected to a 'download' path that automatically delivers a ZIP file containing malicious shortcut (.LNK) files and HTML smuggling components. Opening the .LNK launches PowerShell, which performs reconnaissance on the host and extracts the components needed for the next stage, DLL side-loading: a malicious DLL (crashhandler.dll) decrypts and loads the final payload (crashlog.dat) into memory, while a legitimate executable (stream_monitor.exe) displays a decoy to distract the victim. This leads on to pre-ransom or hands-on-keyboard activity.

Microsoft suggests that organizations tighten permissions for OAuth applications, enforce strong identity protections and Conditional Access policies, and use cross-domain detection across email, identity, and endpoints.
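The entry above describes two distinct abuses, and the reason each works is easier to see in a small model than in prose. The block below is an added example written for this page, not Microsoft's or Proofpoint's code. It simulates the device authorization grant (RFC 8628) with both sides' messages: the attacker requests the code pair, the victim completes a normal login and types the user code, and the attacker's poll is rewarded with the victim's token. It then applies a stand-in for the "block device code flow unless allow-listed" rule to show what the policy changes. A second function scores an authorize link for the traits the redirect abuse relies on (silent authentication, an unfamiliar redirect_uri, an e-mail in state). The authorization server, the client id, user names, addresses and URLs are all constructed, as labelled in the comments.

```python
"""Offline model of the two OAuth abuses in the entry above: the device
authorization grant (RFC 8628) that device code phishing rides on, with an
allow-list policy that stops it, and a link check for the redirect trick.

Added example for this page, not Microsoft's or Proofpoint's code. The
authorization server, client id, user names, IP ranges and URLs are
constructed; the policy is a stand-in for an "allowed users and networks
only" rule on the device code flow.
"""
import ipaddress
import secrets
from urllib.parse import parse_qs, urlsplit


class AuthServer:
    """Device-code endpoints (RFC 8628) plus a policy hook on completion."""

    def __init__(self, allowed_users=(), allowed_networks=(), block_all=False):
        self.block_all = block_all
        self.allowed_users = set(allowed_users)
        self.allowed_networks = [ipaddress.ip_network(n) for n in allowed_networks]
        self._pending = {}  # device_code -> grant state

    def device_authorization(self, client_id):
        """Step 1: the client (here the attacker) requests a code pair."""
        device_code = secrets.token_urlsafe(32)
        user_code = secrets.token_hex(4).upper()  # constructed 8-char code
        self._pending[device_code] = {"client_id": client_id,
                                      "user_code": user_code, "subject": None}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/device",
                "expires_in": 900, "interval": 5}

    def _policy_allows(self, user, ip):
        if self.block_all:
            return False
        if not self.allowed_users and not self.allowed_networks:
            return True  # no policy configured: the default the phish relies on
        addr = ipaddress.ip_address(ip)
        return user in self.allowed_users and any(addr in n for n in self.allowed_networks)

    def complete_user_code(self, user, user_code, ip):
        """Step 2: an already signed-in user (password and MFA done) types the
        code. The token is bound to whoever holds device_code, not to this
        browser, which is the property phishing exploits."""
        for state in self._pending.values():
            if state["user_code"] == user_code:
                if not self._policy_allows(user, ip):
                    return "blocked_by_policy"
                state["subject"] = user
                return "approved"
        return "unknown_code"

    def token(self, device_code):
        """Step 3: the client polls; after approval it receives the user's token."""
        state = self._pending.get(device_code)
        if state is None:
            return {"error": "invalid_grant"}
        if state["subject"] is None:
            return {"error": "authorization_pending"}
        return {"access_token": "constructed." + state["subject"], "token_type": "Bearer"}


def phish(server, victim="alice@corp.example", victim_ip="203.0.113.7"):
    """Attacker starts the grant, lures the victim ('copy the code and click
    Next to open the document'), then polls. Returns (victim-side outcome,
    whether the attacker obtained a token)."""
    codes = server.device_authorization(client_id="legit-first-party-client")  # constructed id
    outcome = server.complete_user_code(victim, codes["user_code"], victim_ip)
    return outcome, "access_token" in server.token(codes["device_code"])


def authorize_url_indicators(url, trusted_redirect_hosts):
    """Flag the traits the entry describes in abused authorize links: silent
    auth, an unfamiliar redirect_uri, and a state value carrying an e-mail."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    found = []
    if q.get("prompt") == "none":
        found.append("prompt=none: silent authentication requested")
    redirect_host = urlsplit(q.get("redirect_uri", "")).netloc.lower()
    if redirect_host and redirect_host not in trusted_redirect_hosts:
        found.append(f"redirect_uri points at untrusted host {redirect_host}")
    if "@" in q.get("state", ""):
        found.append("state parameter carries an e-mail address (prefill lure)")
    return found


if __name__ == "__main__":
    print("no policy  ", phish(AuthServer()))
    print("blocked    ", phish(AuthServer(block_all=True)))
    kiosk = AuthServer(allowed_users={"kiosk@corp.example"},
                       allowed_networks=["198.51.100.0/24"])
    print("allow-list ", phish(kiosk), phish(kiosk, "kiosk@corp.example", "198.51.100.20"))
    LURE = ("https://login.example/common/oauth2/v2.0/authorize?client_id=abc"
            "&response_type=code&redirect_uri=https%3A%2F%2Fdocs.example.invalid%2Fcb"
            "&scope=openid&prompt=none&state=alice%40corp.example")  # constructed
    print(authorize_url_indicators(LURE, {"app.corp.example"}))
```

Two points the model makes concrete. The victim's own login is genuine and MFA is satisfied, so the grant is not a bypass of MFA; the token simply goes to the holder of device_code, which is why the fix lives in policy (who may complete this flow, from where) rather than in stronger credentials. And the allow-list example shows the residual exposure: a phish against an allow-listed account from an allow-listed network still succeeds, so the block-all policy the entry recommends is the stronger choice.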

New Android Malware Families FvncBot, SeedSnatcher, and Enhanced ClayRat Target Financial and Cryptocurrency Data

Researchers have identified three new or enhanced Android malware families: FvncBot, SeedSnatcher, and an upgraded version of ClayRat. FvncBot targets Polish mobile banking users with keylogging, web-inject attacks, and hidden virtual network computing (HVNC) capabilities. SeedSnatcher steals cryptocurrency wallet seed phrases and intercepts SMS messages for 2FA codes. The updated ClayRat now abuses accessibility services for full device takeover, including screen recording and notification harvesting. These malware families use advanced techniques to evade detection and escalate privileges.