
Multiple Russia-aligned threat actors have been observed targeting Signal accounts. Google’s Threat Intelligence Group (GTIG) reports that, rather than exploiting a flaw in the protocol, the attackers primarily abuse Signal’s legitimate ‘linked devices’ feature: a victim who scans an attacker-supplied QR code links an attacker-controlled device to their own account, and that device then receives the victim’s messages without the phone itself being compromised.
Key Attack Methods:
– Malicious device-linking QR codes disguised as group invites or security alerts
– Phishing pages mimicking military applications that host such QR codes
– Device linking used for persistent, real-time interception of the victim’s messages
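The first two methods rely on the victim not noticing that a QR code advertised as a group invite is actually a device-linking request. As an added example (not code from the GTIG write-up or from Signal), the following Python classifies the raw text decoded from a QR code before anyone acts on it. It assumes the URI shapes the Signal clients use today, which is an assumption to verify against the current client source: device linking as `sgnl://linkdevice?uuid=<id>&pub_key=<key>` and group invites as `https://signal.group/#<invite blob>`. The sample payloads are constructed.

```python
from urllib.parse import parse_qs, urlparse

# Assumed URI shapes (verify against the current Signal client source):
#   device linking: sgnl://linkdevice?uuid=<id>&pub_key=<base64 key>
#   group invite:   https://signal.group/#<base64 invite blob>
DEVICE_LINK_SCHEME = "sgnl"
DEVICE_LINK_HOST = "linkdevice"
GROUP_INVITE_HOST = "signal.group"


def classify_qr_payload(payload: str) -> dict:
    """Classify decoded QR text as 'device-link', 'group-invite' or 'other'.

    The point of the check is that a device-link URI must never be treated as
    a harmless invite: scanning it hands every future message to the linked
    device.
    """
    text = payload.strip()
    try:
        parsed = urlparse(text)
    except ValueError as exc:
        return {"kind": "other", "reason": f"unparseable payload: {exc}"}

    scheme = parsed.scheme.lower()
    host = parsed.netloc.lower()

    if scheme == DEVICE_LINK_SCHEME and host == DEVICE_LINK_HOST:
        params = parse_qs(parsed.query)
        missing = [k for k in ("uuid", "pub_key") if k not in params]
        if missing:
            return {"kind": "device-link",
                    "reason": f"linkdevice URI missing {missing}; treat as hostile anyway"}
        return {"kind": "device-link",
                "reason": "scanning this links a new device that receives all future messages"}

    if scheme == "https" and host == GROUP_INVITE_HOST and parsed.fragment:
        return {"kind": "group-invite", "reason": "signal.group invite link"}

    return {"kind": "other",
            "reason": f"not a Signal URI (scheme={scheme!r}, host={host!r})"}


def safe_to_treat_as_invite(payload: str) -> bool:
    """True only for a genuine group invite; anything else needs a human look."""
    return classify_qr_payload(payload)["kind"] == "group-invite"


# Constructed sample payloads (hypothetical values, not real accounts or keys).
SAMPLE_PAYLOADS = {
    "real_group_invite": "https://signal.group/#CjQKIEV4YW1wbGVJbnZpdGU",
    "lure_sold_as_invite": "sgnl://linkdevice?uuid=11111111-2222-3333-4444-555555555555&pub_key=QUJDREVG",
    "fake_military_app_page": "https://example.invalid/kropyva-update",
}


def audit_samples(samples: dict = SAMPLE_PAYLOADS) -> dict:
    """Map each sample name to its classification kind."""
    return {name: classify_qr_payload(p)["kind"] for name, p in samples.items()}


if __name__ == "__main__":
    for name, kind in audit_samples().items():
        print(f"{name}: {kind}")
```

The scheme and host comparisons are case-insensitive because a lure can use `SGNL://` and still be handled by the client; a payload that merely looks like an invite but carries a `linkdevice` URI is reported as a device link, which is the case the lures above rely on.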
Notable Threat Actors:
1. UNC5792 (overlapping with UAC-0195): Creates fake Signal group invitations
2. UNC4221 (UAC-0185): Targets Ukrainian military personnel through Kropyva application impersonation
3. Sandworm (APT44): Uses WAVESIGN, a Windows Batch script, to pull messages from Signal Desktop’s local store on compromised hosts
4. Turla: Deploys a PowerShell script to exfiltrate Signal Desktop messages
5. UNC1151: Uses Robocopy to stage Signal Desktop files for exfiltration
Recent Developments:
– Signal has released updates for Android and iOS that harden the linked-devices flow
– Similar attacks observed on WhatsApp by Russian group Star Blizzard
– Device code phishing techniques targeting multiple messaging platforms
Security Implications:
The attacks demonstrate an increasing threat to secure messaging applications, encompassing both remote cyber operations and close-access attacks in which an attacker briefly handles an unlocked device. Users are strongly advised to update Signal to the latest version to benefit from the hardened linking flow, and to review the Linked Devices list in the app’s settings, unlinking any device they do not recognise: a device an attacker has linked stays linked until it is removed.
Additionally, a new SEO poisoning campaign has been identified, targeting Chinese-speaking users through fake download pages of popular applications, including Signal, delivering malware known as MicroClip.