Introduction

Russian state-aligned threat actors are increasingly exploiting features of Signal Messenger to target individuals involved in sensitive military and government communications, particularly in the context of the ongoing conflict in Ukraine. This activity poses significant risks to secure messaging applications, highlighting the need for enhanced security measures.

Description

Russian state-aligned threat actors are intensifying their efforts to exploit Signal Messenger’s features, particularly targeting individuals likely to exchange sensitive military and government communications amid the ongoing war in Ukraine [1]. This includes accounts used by Ukrainian military personnel, government officials [6] [8], journalists [4] [8] [9], and activists [1] [4] [8]. A primary tactic involves the “linked devices” feature [2] [3], which allows a single Signal account to be accessed on multiple devices through QR code pairing [3]. This method has become a primary attack vector for groups such as UNC5792 (tracked as UAC-0195 by Ukraine’s CERT), UNC4221 (also known as UAC-0185), and APT44 (Sandworm) [8] [9], enabling real-time eavesdropping on secure conversations without requiring full device compromise [2] [6] [7]. Notably, UNC5792 modifies legitimate Signal group invite links to redirect users to fake pages that initiate unauthorized device linking [4]. In one significant incident, a compromised Signal account was linked to a Russian artillery strike against a Ukrainian army brigade [5], resulting in casualties [5].

One sophisticated method employed by UNC5792 involves manipulating Signal group invitation protocols [8]. Attackers send invitations that appear to be legitimate Signal group invites but contain malicious QR codes that, when scanned, link the victim’s account to an attacker-controlled device [1] [5] [6] [7], so that messages are synchronized to the attacker in real time while the conversation retains the appearance of end-to-end encryption [7] [8]. Parallel campaigns by UNC4221 use a customized phishing kit that mimics Ukraine’s Kropyva artillery coordination system [8], embedding malicious QR codes on phishing sites designed to look like legitimate Signal instructions [1]. This group has also leveraged compromised trusted contacts to send fraudulent group invites, further enhancing the effectiveness of its phishing efforts. Additionally, attackers have used fake Signal security alerts to lure victims into linking their devices to adversary-controlled infrastructure [4].

Phishing campaigns have been employed to distribute these malicious QR codes, often disguised as legitimate Signal resources such as group invites or security alerts [2] [7]. Threat actors have misused “Group Link” invite pages to redirect users to deceptive URLs, facilitating the linking of devices instead of simply adding users to group chats. Tailored phishing operations have embedded these codes in pages mimicking applications used by the Ukrainian military [2], with some campaigns utilizing phishing kits that replicate trusted applications. A JavaScript payload known as PINPOINT has been used to gather user information and geolocation data, complicating detection efforts. Close-access operations have also been reported [2], where Russian military forces link Signal accounts on captured devices to actor-controlled infrastructure for further exploitation [2].
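The common thread in the campaigns above is that a QR code or link presented as a "group invite" actually carries a device-linking action. The following Python helper is an added example, not code from the page or from any of the cited reports: it classifies a link or decoded QR payload by structure, so a security team can triage what a user was asked to scan. It assumes that genuine Signal group invites take the form https://signal.group/#<invite>, that Signal's deep-link scheme is sgnl:// with linkdevice as the device-linking action, and every sample value below is constructed.

```python
from urllib.parse import urlparse, parse_qs

# Host used by genuine Signal group invites: https://signal.group/#<encoded invite>.
SIGNAL_GROUP_HOST = "signal.group"
# Signal's deep-link scheme; "linkdevice" is the device-linking action that the
# reports describe being smuggled into content dressed up as a group invite.
SIGNAL_SCHEME = "sgnl"


def classify_invite(link: str) -> tuple[str, str]:
    """Classify a link or decoded QR payload that was presented as a Signal group invite.

    Returns (verdict, reason), where verdict is one of:
      'group-invite'  structurally a real signal.group invite
      'device-link'   a device-linking URI, which must never arrive as a group invite
      'lookalike'     an http(s) URL whose host imitates Signal but is not signal.group
      'unknown'       anything else (hand the item to an analyst)
    """
    parsed = urlparse(link.strip())
    scheme = parsed.scheme.lower()
    host = (parsed.hostname or "").lower()

    if scheme == SIGNAL_SCHEME:
        # For sgnl://linkdevice?uuid=...&pub_key=..., urlparse places the action in netloc.
        action = host
        if action == "linkdevice":
            params = sorted(parse_qs(parsed.query))
            return ("device-link", f"device-linking URI carrying parameters {params}")
        return ("unknown", f"sgnl action {action!r} is not a device link")

    if scheme in ("http", "https"):
        if host == SIGNAL_GROUP_HOST:
            # A real invite is https, has no meaningful path, and carries the invite in the fragment.
            if scheme != "https" or parsed.path not in ("", "/") or not parsed.fragment:
                return ("unknown", "signal.group link with an unexpected shape")
            return ("group-invite", "https://signal.group/# with an invite fragment")
        if "signal" in host:
            return ("lookalike", f"host {host!r} imitates Signal but is not {SIGNAL_GROUP_HOST}")
        return ("unknown", f"non-Signal host {host!r}")

    return ("unknown", f"unhandled scheme {scheme!r}")


def triage(links: list[str]) -> list[tuple[str, str, str]]:
    """Return (link, verdict, reason) for every item that is not a clean group invite."""
    findings = []
    for link in links:
        verdict, reason = classify_invite(link)
        if verdict != "group-invite":
            findings.append((link, verdict, reason))
    return findings


if __name__ == "__main__":
    # Constructed samples: one genuine-looking invite, one device-link smuggled as an
    # invite, one lookalike host, one unrelated URL.
    samples = [
        "https://signal.group/#CjQKIExampleConstructedInviteFragment",
        "sgnl://linkdevice?uuid=CONSTRUCTED-UUID&pub_key=CONSTRUCTED-KEY",
        "https://signal-group.example/join",
        "https://example.com/",
    ]
    for link, verdict, reason in triage(samples):
        print(f"{verdict:13} {link}  ({reason})")
```

The decisive signal is the verdict 'device-link': a scan that would join a group never needs a linkdevice URI, so its presence in anything labelled as an invite is grounds to stop and review the account's linked devices.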

Beyond linking devices [2] [3], Russian and Belarusian threat actors have been observed stealing Signal database files from Android and Windows devices [2] [7]. APT44 has utilized a Windows Batch script named WAVESIGN to periodically exfiltrate recent Signal messages [2], while the Android malware Infamous Chisel has been designed to search for Signal’s local database [2]. Turla has also employed PowerShell modules for exfiltrating Signal Desktop messages [2], and Belarus-linked UNC1151 has used Robocopy to copy and store messages and attachments for future theft. Complementary malware like PINPOINT has been used to gather geolocation data via browser APIs [8], further complicating detection efforts.
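The database-theft tradecraft above (WAVESIGN, the Turla PowerShell modules, UNC1151's use of Robocopy) shares one observable: a process other than Signal Desktop itself reading Signal's local message store. The following Python script is an added example, not code from the page or from the cited reports, showing detection logic run over constructed file-access telemetry. It assumes Signal Desktop on Windows keeps its store under %APPDATA%\Signal\ (sql\db.sqlite and attachments.noindex\), that the legitimate binary runs from a signal-desktop install directory, and that telemetry arrives as "timestamp|process|image_path|file_path" lines; the log lines are constructed for the example.

```python
import re

# Assumed location of Signal Desktop's message store inside the roaming profile.
SIGNAL_STORE = re.compile(r"\\Signal\\(sql\\db\.sqlite|attachments\.noindex\\)", re.IGNORECASE)

# The only process expected to open the store, and where its legitimate image lives.
EXPECTED_PROCESS = "signal.exe"
EXPECTED_IMAGE_FRAGMENT = "\\signal-desktop\\signal.exe"

# Constructed telemetry: one legitimate read by Signal, two third-party reads of the
# store (a Robocopy attachment copy and a PowerShell read of the database), and one
# unrelated file access that must not fire.
SAMPLE_EVENTS = """\
2025-02-18T09:12:03Z|Signal.exe|C:\\Users\\alice\\AppData\\Local\\Programs\\signal-desktop\\Signal.exe|C:\\Users\\alice\\AppData\\Roaming\\Signal\\sql\\db.sqlite
2025-02-18T09:30:41Z|Robocopy.exe|C:\\Windows\\System32\\Robocopy.exe|C:\\Users\\alice\\AppData\\Roaming\\Signal\\attachments.noindex\\ab\\abcd1234
2025-02-18T09:30:42Z|powershell.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|C:\\Users\\alice\\AppData\\Roaming\\Signal\\sql\\db.sqlite
2025-02-18T09:31:00Z|cmd.exe|C:\\Windows\\System32\\cmd.exe|C:\\Users\\alice\\Documents\\notes.txt
"""


def parse_event(line: str) -> dict:
    """Split one 'timestamp|process|image_path|file_path' telemetry line into fields."""
    ts, process, image, path = line.split("|", 3)
    return {"ts": ts, "process": process, "image": image, "path": path}


def signal_store_alerts(lines: list[str]) -> list[dict]:
    """Return events where Signal's store is read by an unexpected process.

    Two conditions raise an alert:
      * the reader is not Signal.exe at all (Robocopy, PowerShell, cmd, ...), or
      * the reader is named Signal.exe but runs from outside the install directory,
        which is how a masquerading binary would try to slip past a name-only rule.
    """
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = parse_event(raw)
        if not SIGNAL_STORE.search(ev["path"]):
            continue
        name = ev["process"].lower()
        legit_name = name == EXPECTED_PROCESS
        legit_image = EXPECTED_IMAGE_FRAGMENT in ev["image"].lower()
        if legit_name and legit_image:
            continue
        ev["reason"] = "non-Signal process read the store" if not legit_name \
            else "Signal.exe running from an unexpected image path"
        alerts.append(ev)
    return alerts


def readers_by_process(alerts: list[dict]) -> dict:
    """Count alerts per process; repeated hits from one process suggest scheduled collection."""
    counts: dict = {}
    for ev in alerts:
        counts[ev["process"]] = counts.get(ev["process"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = signal_store_alerts(SAMPLE_EVENTS.splitlines())
    for ev in hits:
        print(f"{ev['ts']} {ev['process']:16} {ev['reason']}: {ev['path']}")
    print(readers_by_process(hits))
```

Because the reports describe periodic exfiltration rather than a single grab, the per-process count matters: a scripting host or copy utility that returns to the store on a schedule is a stronger indicator than one isolated read, so pair this rule with a time-window threshold in whatever SIEM consumes it.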

The focus on Signal by various threat actors underscores a growing threat to secure messaging applications [2], which is expected to intensify [2] [9]. This threat encompasses both remote cyber operations [2], such as phishing and malware delivery [2], and close-access operations [2], where brief access to a target’s unlocked device can lead to compromise [2]. The implications extend beyond Signal to other messaging platforms like WhatsApp and Telegram [2] [7], which have also become targets for these groups [2] [7]. To mitigate the risk of device-linking hijacking [3], users are advised to practice good security hygiene [3], such as using complex passwords [4], keeping devices updated [3], regularly reviewing linked devices [3] [4], and being cautious with unsolicited QR codes and group chat invites [3]. Additionally, organizations are encouraged to prioritize user education on QR code risks and implement device auditing protocols alongside technical defenses [8]. For high-risk users, enabling two-factor authentication and activating Lockdown Mode on iPhones can further reduce attack surfaces.

Conclusion

The exploitation of Signal Messenger by Russian state-aligned threat actors highlights a significant threat to secure communication platforms, with potential implications for other messaging services like WhatsApp and Telegram. To counter these threats [4], users and organizations must adopt robust security practices, including complex passwords [4], regular device audits, and caution with QR codes. High-risk users should consider additional measures such as two-factor authentication and Lockdown Mode on iPhones. As these threats are likely to persist and evolve, ongoing vigilance and adaptation of security strategies are essential.

References

[1] https://www.darkreading.com/mobile-security/russian-groups-target-signal-messenger-in-spy-campaign
[2] https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger/
[3] https://arstechnica.com/information-technology/2025/02/russia-aligned-hackers-are-targeting-signal-users-with-device-linking-qr-codes/
[4] https://siliconangle.com/2025/02/19/google-report-warns-russian-threat-groups-targeting-signal-messenger/
[5] https://www.computerweekly.com/news/366619473/Warning-over-privacy-of-encrypted-messages-as-Russia-targets-Signal-Messenger
[6] https://www.infosecurity-magazine.com/news/russian-hackers-signal-spy/
[7] https://securityaffairs.com/174397/cyber-warfare-2/russia-linked-threat-actors-exploit-signals-linked-devices-feature.html
[8] https://cybersecuritynews.com/russian-hackers-attacking-signal-messenger/
[9] https://www.csoonline.com/article/3828182/russian-cyberespionage-groups-target-signal-users-with-fake-group-invites.html