Russian Hackers Exploit Signal App, Target Ukrainian Soldiers with Sophisticated Phishing Attacks
February 19, 2025
The phishing attacks have been ongoing since early 2023, coinciding with Russia's invasion of Ukraine, and are believed to be carried out by the Kremlin-backed cyber espionage group Sandworm.
In response to these threats, Signal has collaborated with Google to enhance security features, including a new user interface that alerts users about linked devices.
The increased focus on Signal underscores a growing threat to secure messaging apps, which is expected to intensify as adversaries seek to exploit these platforms.
Signal's popularity among military personnel, politicians, and journalists makes it a prime target for espionage activities, highlighting the app's vulnerability amid ongoing geopolitical tensions.
Russian hackers have increasingly exploited vulnerabilities in the messaging app Signal, particularly targeting Ukrainian soldiers through sophisticated phishing techniques involving QR codes.
The group known as UNC5792 has been modifying legitimate Signal group invite links to redirect users to fake pages, effectively linking their devices to the attackers' control.
A recent report from Google's cybersecurity services, published on February 19, 2025, confirms that Russian intelligence agencies have successfully implemented these spying methods.
Signal has advised users to be cautious of messages labeled 'urgent' or 'important' from unverified senders, as these are often used in phishing attempts.
Attackers have employed JavaScript payloads and lightweight scripts, such as a tool called PINPOINT, to collect user information and geolocation data, indicating a focus on surveillance.
Compromising Signal via device linking is challenging to detect, as linked devices can remain unnoticed for extended periods, making it a low-profile method for attackers.
Google's report warns that these phishing techniques could extend beyond military targets, posing a threat to dissidents and activists globally.
The report emphasizes the need for heightened awareness and security measures among potential targets, including using strong passwords and enabling two-factor authentication.
Summary based on 9 sources
Sources

Forbes • Feb 19, 2025
Russia Is Targeting Ukrainian Soldiers’ Signal Accounts, Google Warns
WIRED • Feb 19, 2025
A Signal Update Fends Off a Phishing Technique Used in Russian Espionage
Google Cloud • Feb 19, 2025
Signals of Trouble: Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger
BleepingComputer • Feb 19, 2025
Russian phishing campaigns exploit Signal's device-linking feature