

Active Spyware Campaigns Targeting High-Value Signal and WhatsApp Users

2 unique sources, 4 articles

Summary


Germany's Federal Office for the Protection of the Constitution (BfV) and Federal Office for Information Security (BSI) have issued a joint advisory warning of a malicious cyber campaign, attributed to a likely state-sponsored threat actor, that carries out phishing attacks over the Signal messaging app. The focus is on high-ranking targets in politics, the military and diplomacy, as well as investigative journalists in Germany and Europe. Unauthorized access to a messenger account exposes confidential private communications and can also serve as a stepping stone into entire networks. The campaign involves threat actors masquerading as 'Signal Support' or a support chatbot named 'Signal Security ChatBot' to initiate direct contact with prospective targets, urging them to hand over their PIN or a verification code received via SMS or risk data loss. Should the victim comply, the attackers can register the account on a device and mobile phone number under their control and gain access to the victim's profile, settings, contacts and block list. An alternative infection sequence abuses the device-linking option: the victim is tricked into scanning a QR code, which links a device managed by the attackers to the account and gives them access to it, including messages from the last 45 days. The security authorities warned that while the current focus of the campaign appears to be Signal, the attack can also be extended to WhatsApp, since it offers similar device linking and a PIN as part of two-step verification. Similar attacks have been orchestrated by multiple Russia-aligned threat clusters tracked as Star Blizzard, UNC5792 (aka UAC-0195) and UNC4221 (aka UAC-0185).

Timeline

  1. 06.02.2026 22:00 2 articles · 1d ago

    Germany Warns of Signal Account Hijacking Targeting Senior Figures

    Germany's domestic intelligence agency warns of state-sponsored threat actors targeting high-ranking individuals via messaging apps like Signal. The attacks combine social engineering with legitimate app features to steal data from politicians, military officers, diplomats and investigative journalists in Germany and across Europe. The advisory is based on intelligence collected by the Federal Office for the Protection of the Constitution (BfV) and the Federal Office for Information Security (BSI). In the first variant the attackers impersonate Signal's support service and trick targets into sharing their Signal PIN or an SMS verification code, which lets them register the account on a device they control. In the second variant they convince the target to scan a QR code, abusing Signal's legitimate linked-device feature to pair the account with the attacker's device. Signal users are advised to enable the 'Registration Lock' option and to regularly review the list of devices with access to their account.

  2. 17.12.2025 21:14 2 articles · 1mo ago

    GhostPairing Campaign Abuses WhatsApp Device Linking

    Threat actors are abusing WhatsApp's legitimate device-linking feature to hijack accounts via pairing codes in a campaign dubbed GhostPairing. The campaign was first spotted in Czechia, but researchers warn that its propagation mechanism lets it spread to other regions. The attack starts with a short message from a known contact sharing a link that supposedly leads to an online photo of the victim. Victims are asked for their phone number, which the attacker uses on their own device to initiate a legitimate device-linking (login with phone number) process; the resulting pairing code is then relayed to the victim to enter. Once the victim enters the pairing code, the attacker's device is linked and has complete access to the account, without any protection having been bypassed. Multiple threat actors, including cybercriminals, have adopted the technique in campaigns like GhostPairing to hijack accounts for scams and fraud.

  3. 25.11.2025 08:42 3 articles · 2mo ago

    CISA Warns of Active Spyware Campaigns Targeting High-Value Signal and WhatsApp Users

    CISA has issued an alert warning of active spyware campaigns targeting high-value Signal and WhatsApp users. These campaigns use sophisticated social engineering and zero-click exploits to compromise mobile devices and exfiltrate sensitive data. The targets include government officials, military personnel, political figures and civil society organizations across the U.S., the Middle East and Europe. CISA identified multiple campaigns, including the hijacking of Signal accounts via linked devices, Android spyware families such as ProSpy and ToSpy, and the exploitation of iOS and WhatsApp vulnerabilities against fewer than 200 users. A newer campaign, dubbed GhostPairing, abuses the legitimate device-linking feature to hijack WhatsApp accounts via pairing codes; it was first spotted in Czechia but has the potential to spread to other regions. Germany's domestic intelligence agency has likewise warned of state-sponsored threat actors targeting high-ranking individuals via messaging apps like Signal, combining social engineering with legitimate features to steal data from politicians, military officers, diplomats and investigative journalists in Germany and across Europe.

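The two hijack paths described in the Signal entry and the GhostPairing entry above, modelled as an added Python example. This is not Signal's or WhatsApp's code: the account class, the device names and the phone number are assumptions that stand in for the real services. It shows which control covers which path: Registration Lock (Signal) or the two-step verification PIN (WhatsApp) stops re-registration with a phished SMS code, but does nothing against device linking with a phished QR or pairing code, which only a review of the linked-device list catches.

```python
"""Added model (not Signal's or WhatsApp's code) of the two account-takeover
paths: re-registration with a phished SMS code, and device linking with a
phished QR/pairing code. Device names and the phone number are made up."""
import secrets
from typing import Dict, Optional, Set


class MessengerAccount:
    def __init__(self, phone: str, registration_lock_pin: Optional[str] = None):
        self.phone = phone
        self.pin = registration_lock_pin          # None: Registration Lock / two-step verification off
        self.primary_device = "victim-phone"
        self.linked_devices: Dict[str, str] = {}  # device id -> label shown in the linked-devices list
        self._sms: Optional[tuple] = None         # (code, device that asked to register)
        self._link_tokens: Dict[str, str] = {}    # provisioning token -> device id

    # Path 1: register the number on a new primary device
    def request_sms_code(self, requesting_device: str) -> str:
        code = "".join(secrets.choice("0123456789") for _ in range(6))
        self._sms = (code, requesting_device)
        return code  # delivered to the SIM holding the number, i.e. the victim, not the requester

    def register(self, requesting_device: str, sms_code: str, pin: Optional[str] = None) -> str:
        if self._sms != (sms_code, requesting_device):
            return "bad_sms_code"
        if self.pin is not None and pin != self.pin:
            return "blocked_by_registration_lock"  # SMS code alone is not enough
        self.primary_device = requesting_device
        self.linked_devices.clear()               # re-registration drops the previous linked devices
        self._sms = None
        return "registered"

    # Path 2: link a companion device (QR code on Signal, pairing code on WhatsApp)
    def start_link(self, new_device: str) -> str:
        token = secrets.token_urlsafe(12)         # the value encoded in the QR / pairing code
        self._link_tokens[token] = new_device
        return token

    def approve_link(self, token: str, approving_device: str, label: str) -> str:
        if approving_device != self.primary_device:
            return "only_primary_can_link"
        device = self._link_tokens.pop(token, None)
        if device is None:
            return "unknown_token"
        self.linked_devices[device] = label       # no PIN and no SMS code on this path
        return "linked"


def review_linked_devices(account: MessengerAccount, expected: Set[str]) -> list:
    """The check the advisory recommends: anything linked that the owner did not set up."""
    return sorted(d for d in account.linked_devices if d not in expected)


def phish_registration(pin: Optional[str]) -> str:
    """'Signal Support' asks the victim for the code that just arrived by SMS."""
    acct = MessengerAccount("+4930000000", registration_lock_pin=pin)
    code = acct.request_sms_code("attacker-phone")  # attacker starts registering the victim's number
    # the victim reads the code back to the fake support chat; the attacker never learns the PIN
    return acct.register("attacker-phone", code)


def phish_linking(pin: Optional[str]):
    """Victim is talked into scanning a QR code shown on the attacker's desktop client."""
    acct = MessengerAccount("+4930000000", registration_lock_pin=pin)
    acct.linked_devices["victim-laptop"] = "Desktop (Linux)"   # a device the owner set up
    token = acct.start_link("attacker-desktop")
    result = acct.approve_link(token, acct.primary_device, label="Desktop (Windows)")
    return result, review_linked_devices(acct, expected={"victim-laptop"})
```

phish_registration(None) succeeds and phish_registration("482913") is refused, but phish_linking("482913") links the attacker's device regardless of the PIN; the only thing that exposes it is the unexpected entry that review_linked_devices returns, which is why the advisory recommends both controls rather than Registration Lock alone.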


Similar Happenings

WhatsApp Introduces Lockdown-Style Security Mode for High-Risk Users

WhatsApp is rolling out a new security feature called Strict Account Settings to protect high-risk users, such as journalists and public figures, from advanced cyber attacks and spyware. The feature locks account settings to their most restrictive options and blocks media from unknown senders. WhatsApp is also adopting the Rust programming language for media sharing to reduce memory-safety issues. The feature is rolling out gradually and bundles safeguards such as two-step verification, blocking media from unknown senders, silencing calls from unknown people and turning off link previews. WhatsApp has also patched zero-day vulnerabilities and pursued legal action against the NSO Group over spyware attacks.

Malicious npm package 'lotusbail' steals WhatsApp credentials and messages

A malicious npm package named 'lotusbail', posing as a legitimate WhatsApp Web API library, has been discovered. It was uploaded by a user named 'seiren_primrose' in May 2025, has been available for at least six months with over 56,000 downloads in total, and was downloaded 711 times in the last week. The package steals WhatsApp authentication tokens and session keys, intercepts messages, and exfiltrates contact lists and media files: a malicious WebSocket wrapper captures credentials and chats, and the stolen data is sent in encrypted form to an attacker-controlled URL. It also uses a hard-coded pairing code to hijack the device-linking process and link the attacker's device to the victim's WhatsApp account, which grants persistent access even after the package is removed, and it drops into an infinite loop when debugging tools are detected. Researchers recommend checking for rogue linked devices and monitoring runtime behavior for unexpected outbound connections.

OAuth Device Code Phishing Campaigns Target Microsoft 365 Accounts

A surge in phishing campaigns exploiting Microsoft's OAuth device code authorization flow has been observed, targeting Microsoft 365 accounts. Both state-aligned and financially motivated actors use social engineering to get users to approve attacker-controlled applications, leading to account takeover and data theft. The attacks leverage the OAuth 2.0 device authorization grant, a legitimate process designed for devices with limited input capabilities: the attacker's application requests a device code and a short user code, the victim is lured into entering that user code on Microsoft's genuine sign-in page, and the attacker then receives a valid access token for the victim's account. The lures use QR codes, embedded buttons and hyperlinked text, often claiming to involve document sharing, token reauthorization or security verification. The growth of these campaigns is linked to readily available tooling such as SquarePhish2 and Graphish, which simplify device code abuse and require limited technical skill. Proofpoint observed the financially motivated actor TA2723 and the Russia-linked cluster it tracks as UNK_AcademicFlare adopting the technique against various sectors in the US and Europe. The UNK_AcademicFlare activity, ongoing since September 2025, uses compromised email addresses belonging to government and military organizations to strike government, think tank, higher education and transportation entities in the U.S. and Europe. The adversary claims to share a link to a document containing questions or topics for the recipient to review before a meeting; the URL points to a Cloudflare Worker page that mimics the compromised sender's Microsoft OneDrive account and instructs the victim to copy the provided code and click 'Next' to access the supposed document.

Device code phishing was documented in detail by both Microsoft and Volexity in February 2025, which attributed its use to Russia-aligned clusters such as Storm-2372, APT29, UTA0304 and UTA0307. The October 2025 campaign is assessed to have been fueled by the ready availability of crimeware offerings like the Graphish phishing kit and red-team tools such as SquarePhish. The strongest countermeasure is a Conditional Access policy that uses the Authentication Flows condition to block device code flow for all users. If that is not feasible, use an allow-list policy that permits device code authentication only for approved users, operating systems or IP ranges, and train users never to enter a device code they did not generate themselves.
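The device authorization grant the paragraphs above describe, as an added example in Python (not Proofpoint's, Microsoft's or any phishing kit's code): a minimal in-memory RFC 8628 authorization server, the attacker's side (request the codes, poll the token endpoint) and the victim's side (enter the user code on the legitimate verification page). The verification URI, client id, user names and token format are placeholders; the allow-list parameter stands in for a Conditional Access policy on the authentication flow and shows why blocking the flow outright is the safer setting.

```python
"""Added example: the OAuth 2.0 device authorization grant (RFC 8628) and how
device code phishing rides on it. The server, client id, user names,
verification URI and token format are placeholders, not Microsoft's code."""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set

VERIFICATION_URI = "https://idp.example/device"  # stands in for the IdP's real device-login page


class FakeClock:
    """Injectable clock so the example runs deterministically and offline."""
    def __init__(self, start: float = 1_700_000_000.0):
        self.t = start
    def __call__(self) -> float:
        return self.t
    def advance(self, seconds: float) -> None:
        self.t += seconds


@dataclass
class Session:
    client_id: str
    scope: str
    created: float
    state: str = "pending"          # pending -> approved | denied; expiry is checked by time
    user: Optional[str] = None
    last_poll: float = 0.0


class DeviceCodeServer:
    """Minimal in-memory authorization server for the device grant."""

    def __init__(self, code_ttl: int = 900, interval: int = 5,
                 device_flow_allow_list: Optional[Set[str]] = None, clock=time.time):
        # None models the weak default: device code flow permitted for everyone.
        # A set models a Conditional Access style policy on the authentication flow:
        # only listed users may complete it; an empty set blocks it for all users.
        self.code_ttl, self.interval, self.clock = code_ttl, interval, clock
        self.allow_list = device_flow_allow_list
        self.by_device_code: Dict[str, Session] = {}
        self.by_user_code: Dict[str, Session] = {}

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """The devicecode endpoint: called by whoever holds the client, here the attacker."""
        device_code = secrets.token_urlsafe(32)   # secret, never leaves the requester
        user_code = f"{secrets.token_hex(2).upper()}-{secrets.token_hex(2).upper()}"  # typed by a human
        s = Session(client_id, scope, self.clock())
        self.by_device_code[device_code] = s
        self.by_user_code[user_code] = s
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI,
                "expires_in": self.code_ttl, "interval": self.interval}

    def user_submits_code(self, user_code: str, username: str) -> str:
        """The verification page: a signed-in user enters a user_code to approve the grant."""
        s = self.by_user_code.get(user_code)
        if s is None or self._expired(s):
            return "invalid_or_expired_code"
        if self.allow_list is not None and username not in self.allow_list:
            s.state = "denied"                    # policy stops the flow at this point
            return "blocked_by_policy"
        s.state, s.user = "approved", username
        return "approved"

    def token(self, device_code: str) -> dict:
        """The token endpoint, grant_type=urn:ietf:params:oauth:grant-type:device_code (the poll)."""
        s = self.by_device_code.get(device_code)
        if s is None:
            return {"error": "invalid_grant"}
        now = self.clock()
        if self._expired(s):
            return {"error": "expired_token"}
        if s.last_poll and now - s.last_poll < self.interval:
            return {"error": "slow_down"}
        s.last_poll = now
        if s.state == "pending":
            return {"error": "authorization_pending"}
        if s.state == "denied":
            return {"error": "access_denied"}
        # The token goes to the holder of device_code, i.e. the attacker, in the victim's name.
        return {"access_token": f"tok-{secrets.token_hex(8)}", "token_type": "Bearer",
                "scope": s.scope, "sub": s.user}

    def _expired(self, s: Session) -> bool:
        return self.clock() - s.created > self.code_ttl


def run_device_code_phish(allow_list: Optional[Set[str]] = None,
                          victim: str = "victim@example.org") -> tuple:
    """Both sides of the exchange. Returns (first poll, victim's outcome, final poll)."""
    clock = FakeClock()
    idp = DeviceCodeServer(device_flow_allow_list=allow_list, clock=clock)
    # Attacker: request codes (assumed client id; real lures borrow a legitimate, trusted app id).
    grant = idp.device_authorization("assumed-client-id", "Mail.Read Files.Read offline_access")
    first = idp.token(grant["device_code"])       # nothing yet: authorization_pending
    # Lure: the victim gets grant["user_code"] ("copy the code and click Next") and enters it on
    # the genuine verification page. No password leaves that page; the approval itself is the theft.
    clock.advance(60)
    outcome = idp.user_submits_code(grant["user_code"], victim)
    clock.advance(idp.interval)
    final = idp.token(grant["device_code"])       # attacker's next poll now returns a token
    return first, outcome, final
```

run_device_code_phish() hands the attacker a bearer token issued in the victim's name; run_device_code_phish(allow_list=set()) models the block-for-all policy and the poll returns access_denied instead. An allow-list that happens to contain the victim, as in run_device_code_phish(allow_list={"victim@example.org"}), does not protect them, which is the reason the advice above prefers blocking the flow for everyone over scoping it.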

New Android Malware Families FvncBot, SeedSnatcher, and Enhanced ClayRat Target Financial and Cryptocurrency Data

Researchers have identified three new or enhanced Android malware families: FvncBot, SeedSnatcher, and an upgraded version of ClayRat. FvncBot targets Polish mobile banking users with keylogging, web-inject attacks, and hidden virtual network computing (HVNC) capabilities. SeedSnatcher steals cryptocurrency wallet seed phrases and intercepts SMS messages for 2FA codes. The updated ClayRat now abuses accessibility services for full device takeover, including screen recording and notification harvesting. These malware families use advanced techniques to evade detection and escalate privileges.

Predator Spyware Exploits Zero-Click Infection Vector via Malicious Ads

Predator spyware, developed by Intellexa, has been using a zero-click infection mechanism called Aladdin, which infects targets by displaying malicious advertisements. This vector is hidden behind shell companies across multiple countries and leverages the commercial mobile advertising system to deliver malware. The spyware is still operational and actively developed, with additional delivery vectors like Triton targeting Samsung Exynos devices. The infection occurs when a target views a malicious ad, which triggers a redirection to Intellexa’s exploit delivery servers. The ads are served through a complex network of advertising firms, making defense measures challenging. Despite sanctions and investigations, including fines from the Greek Data Protection Authority, Intellexa remains active and prolific in zero-day exploitation. Recent leaks reveal that Intellexa's Predator spyware has been marketed under various names, including Helios, Nova, Green Arrow, and Red Arrow. The spyware exploits multiple zero-day vulnerabilities in Android and iOS devices, and uses frameworks like JSKit for native code execution. Intellexa also has the capability to remotely access the surveillance systems of its customers using TeamViewer. The spyware collects extensive data from targeted devices, including messaging apps, calls, emails, device locations, screenshots, passwords, and other on-device information.