
Threat actors have been on a tear, using encrypted messaging apps like WhatsApp, Signal, and Telegram to deliver spyware and phishing attacks – all to compromise the personal devices of high-profile individuals, from government officials to non-profit CEOs.
The US Cybersecurity and Infrastructure Security Agency (CISA) put out a national alert on Monday about the threat, based on a compilation of security research, much of it published in the last few months.
“CISA is aware of multiple cyber threat actors actively leveraging commercial spyware to target users of mobile messaging applications (apps),” the CISA advisory warns.
The threat actors have been found primarily targeting high-value individuals in the US, the Middle East, and Europe, aiming to compromise the victims’ personal devices and gain prolonged access.
🔒 Cyber threat actors are using spyware and other advanced social engineering techniques to target private messaging apps & compromise mobile devices. See our Alert for more details and ways to protect your mobile communications 🔗 https://t.co/IcK3niMjMp
CISA Cyber (@CISACyber), November 24, 2025
The targets are said to include current and former high-ranking government, military, and political officials, as well as those from civil society organizations (CSOs) such as non-profits, charities, and advocacy groups.
The threat actors use “sophisticated targeting and social engineering techniques to deliver spyware.” Once a threat actor gets access to the victim's messaging app, the attacker then deploys “additional malicious payloads” to further compromise the device.
These types of attacks are said to include proven tactics, techniques, and procedures (TTPs) such as:
- Phishing and malicious device-linking QR codes that compromise victim accounts and then link them to actor-controlled devices.
- Zero-click exploits, which require no direct action from the device user.
- Impersonation of messaging app platforms, such as Signal and WhatsApp.
Nation-state threats fueling 2025 attacks
From Google Threat Intelligence Group (GTIG) to Palo Alto’s Unit 42, Cybernews has covered several of these campaigns, dating back to February of this year.
One of the first known messaging app attacks of 2025 was the handiwork of Russian nation-state actors attempting to gather intelligence by eavesdropping on the Signal communications of Ukrainian soldiers.
GTIG discovered the Russian cybercriminal groups, including Sandworm and Turla, exploiting the encrypted messaging app's “linked devices” feature, which enables Signal to be used on multiple devices after scanning a QR code.
GTIG said that, when the technique is successful, future Signal messages would then be “delivered synchronously to both the victim and the threat actor in real-time without the need for full-device compromise,” otherwise known as a zero-click attack.
What’s more, Russian hackers were found reusing the same technique to further compromise other encrypted messaging apps, including WhatsApp and Telegram.
In another zero-click example, hackers deploying an Android-based spyware, dubbed Landfall, exploited several zero-day vulnerabilities to target Samsung Galaxy smartphones, among others, according to Unit 42.
The Landfall campaign – in which hackers sent a malicious image embedded with spyware via WhatsApp – was tracked from mid-2024 through early 2025.
Other attacks taking advantage of WhatsApp were also observed, allegedly carried out by Israeli spyware Paragon. Those attacks, which reportedly targeted individuals across two dozen countries, instead used malicious documents to deliver their payload over WhatsApp.
The massive number of WhatsApp-related attacks eventually even led the White House to ban the use of WhatsApp on the personal devices of members of Congress, possibly contributing to many of US President Donald Trump's cabinet officials switching to Telegram, and sparking the "Signalgate" firestorm.
Other recent spyware-fueled campaigns mentioned in the CISA bulletin include “ClayRat,” which distributed Android spyware to Russians using fake Telegram channels and malicious phishing sites, as well as the ProSpy campaign, which uses fake Signal plugins to compromise users.
To prevent becoming a victim, CISA urges all messaging app users to follow its recently updated Mobile Communications Best Practices Guide for high-value individuals and the Mitigating Cyber Threats with Limited Resources guide for CSOs.