
Multiple Russian-aligned cyber threat actors have been targeting individuals via the privacy-centric messaging app Signal to gain unauthorized access to accounts. The approach primarily exploits Signal’s legitimate "linked devices" feature, which allows users to operate their accounts on multiple devices simultaneously. According to a report by the Google Threat Intelligence Group (GTIG), this tactic has become one of the most prevalent methods employed by these attackers.
One notable group, tracked as UNC5792, has been creating malicious QR codes. When victims scan these codes, their accounts become linked to a malicious version of Signal, enabling attackers to receive real-time copies of all messages sent to the victim. This method parallels tactics seen previously with other platforms like WhatsApp, where similar device-linking features were exploited.
In addition to UNC5792, another group, identified as UNC4221 and linked to the Ukrainian military, has used a custom phishing kit to impersonate legitimate applications used by military personnel. The group also deploys a lightweight JavaScript payload named PINPOINT, designed to capture user data and geolocation from its phishing pages.
Other adversaries targeting Signal include known entities such as Sandworm (APT44) and Turla, which have used various scripts and utilities to exfiltrate messages from compromised devices.
This emerging pattern of threats highlights a significant risk to secure messaging applications, especially as multiple actors intensify their focus on these platforms. Google emphasized that this threat is not just limited to phishing and malware but also includes physical access tactics, where attackers gain direct access to an unlocked device.
The report follows recent revelations about Russian threat actors using device code phishing to gain access to accounts on messaging services such as WhatsApp and Signal. With the growing emphasis on Signal by various threat groups, experts warn that the risks associated with secure messaging apps are likely to escalate.
Separately, a new SEO poisoning campaign has been discovered that uses fake download pages impersonating popular applications to deliver backdoored executables, aimed primarily at Chinese-speaking users. Together, these findings point to a broader trend of attackers abusing trusted features and channels in ways that could significantly undermine user privacy and security.