Full Report
Germany's Federal Office for the Protection of the Constitution (aka Bundesamt für Verfassungsschutz or BfV) and Federal Office for Information Security (BSI) have issued a joint advisory warning of a malicious cyber campaign undertaken by a likely state-sponsored threat actor that involves carrying out phishing attacks over the Signal messaging app. "The focus is on high-ranking targets in
Analysis Summary
# Threat Actor: Likely State-Sponsored Actor (Associated with Russia-aligned Clusters)
## Attribution & Identity
* **Identification:** A likely state-sponsored threat actor.
* **Known Aliases and Associated Groups:** Similar attacks have been orchestrated by Russia-aligned threat clusters tracked as **Star Blizzard**, **UNC5792 (aka UAC-0195)**, and **UNC4221 (aka UAC-0185)**, based on previous reports.
* **Known Associations:** The campaign is being tracked following warnings from Germany's BfV and BSI.
## Activity Summary
The actor is currently engaged in a malicious cyber campaign primarily focused on phishing attacks delivered via the **Signal messaging app** to gain covert access to victim accounts. The goal is to compromise networks through these secure communication platforms. A prior related campaign, codenamed **GhostPairing** in December 2025, used similar device-linking tactics on WhatsApp against unspecified targets.
## Tactics, Techniques & Procedures
* **Social Engineering:** Masquerading as "Signal Support" or a support chatbot named "Signal Security ChatBot" to initiate contact.
* **Credential Harvesting/Account Takeover (ATO):** Luring victims to provide their Signal **PIN** or SMS verification codes under the guise of preventing data loss.
* **Device Linking Exploitation:** Tricking victims into scanning a QR code that links an attacker-controlled device to the victim's account via Signal's device linking feature, giving the attacker access to the account (including messages from the last 45 days).
* **Covert Access:** If the PIN is stolen, the actor gains control over the victim's profile, settings, contacts, and block list on a device under their control, allowing them to capture incoming messages and send messages impersonating the victim (past conversations are not accessible via PIN alone).
* **Network Compromise:** The ultimate objective is leveraging compromised messenger accounts, potentially via group chats, to compromise entire networks.
* **Note:** This specific campaign does **not** involve distributing malware or exploiting vulnerabilities in the Signal application itself; it weaponizes legitimate features.
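As an added illustration (not from the BfV/BSI advisory, and not Signal code), the following Python triage heuristic flags chat messages that carry the lure indicators listed above: a self-declared "Signal Support" identity, a request for the PIN or verification code, a request to scan a QR code or link a device, and data-loss pressure. The regexes, thresholds and sample messages are constructed for this example.

```python
"""Triage heuristic for Signal-support impersonation lures (constructed example)."""
import re
from dataclasses import dataclass


@dataclass
class Message:
    sender_name: str  # display name shown in the chat
    body: str


# Indicators taken from the advisory's TTPs; patterns are illustrative, not exhaustive.
IMPERSONATION = re.compile(r"\bsignal\s+(support|security\s+chat\s*bot)\b", re.I)
SECRET_REQUEST = re.compile(r"\b(pin|verification\s+code|sms\s+code)\b", re.I)
LINK_REQUEST = re.compile(r"\b(scan|qr\s*code|link(ed)?\s+devices?)", re.I)
PRESSURE = re.compile(r"\b(data\s+loss|lose\s+(your\s+)?(messages|data|account))", re.I)


def indicators(msg: Message) -> set:
    """Return the set of lure indicators present in a message."""
    found = set()
    if IMPERSONATION.search(msg.sender_name) or IMPERSONATION.search(msg.body):
        found.add("impersonation")
    if SECRET_REQUEST.search(msg.body):
        found.add("secret")
    if LINK_REQUEST.search(msg.body):
        found.add("link")
    if PRESSURE.search(msg.body):
        found.add("pressure")
    return found


def verdict(msg: Message) -> str:
    """Signal does not contact users to ask for a PIN, code or device link, so a
    self-declared support account making such a request is treated as an ATO lure."""
    ind = indicators(msg)
    if "impersonation" in ind and ind & {"secret", "link"}:
        return "likely_ato_lure"
    if "secret" in ind and "pressure" in ind:
        return "likely_ato_lure"
    if ind:
        return "review"  # e.g. a PIN request from a known contact: human check
    return "benign"


# Constructed sample messages mirroring the lures described in the advisory.
SAMPLES = [
    Message("Signal Support", "To prevent data loss, please confirm your Signal PIN within 24 hours."),
    Message("Signal Security ChatBot", "Verify your account by scanning this QR code under Settings > Linked devices."),
    Message("Anna", "Can you send me the PIN for the office door?"),
    Message("Max", "Lunch at 1?"),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(f"{m.sender_name!r}: {verdict(m)} {sorted(indicators(m))}")
```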
## Targeting
* **Sectors:** Politics, Military, and Diplomacy.
* **Geography:** Germany and Europe.
* **Victims:** High-ranking targets within the specified sectors, as well as **investigative journalists**.
## Tools & Infrastructure
* **Malware Families Used:** None explicitly mentioned, as the campaign relies on social engineering and feature manipulation rather than malware.
* **Infrastructure (C2, domains, IPs):** Not specified in the provided text.
## Implications
This campaign highlights the growing trend of state-sponsored actors exploiting the social engineering vectors within end-to-end encrypted messaging apps (like Signal and potentially WhatsApp) to bypass traditional security defenses. Successful compromise risks unauthorized viewing of confidential communications and potential lateral movement into broader organizational networks via group chats.
## Mitigations
* Users are advised to **refrain from engaging with support accounts** claiming to be Signal/WhatsApp support.
* Users must **never enter their Signal PIN** or SMS verification code when instructed to do so in a text message.
* **Enable Signal Registration Lock** to prevent unauthorized registration of the phone number on a different device.
* **Periodically review the list of linked devices** within the messenger app and remove any unknown entries.