Technology

Hackers are targeting Signal with new QR code-linked cyberattack

February 21, 2025

Google researchers are warning of an ongoing phishing campaign
It distributes QR codes which grant the attackers access to people’s Signal accounts
The targets are mostly military personnel, experts warn

Russian state-sponsored threat actors have been increasingly targeting Signal Messenger users, with QR code-powered phishing attacks, malware, and more, experts have warned

A report from Google’s Threat Intelligence Group (GTIG) notes Signal’s use among military personnel, politicians, journalists, activists, and other high-risk groups has lately become widespread, triggering Russian state-sponsored threat actors’ increasing interest, particularly since the beginning of the Russo-Ukrainian war.

As a result, different threat actors (most notably APT44 and UNC5792) have been trying to abuse the “linked devices” feature in the attack. Linked devices allows users to connect multiple devices, such as laptops, tablets, and mobile devices, to the same account. To simplify the login process, users can scan a QR code from a device that’s already logged in, instead of typing in a password, or registering a new service.

QR codes

That being said, cybercriminals have started sending out phishing emails with invites to fake groups, different security alerts, and similar, which also carry a QR code. If the victim scans it, the attacker’s device gets logged into their account, getting access to contacts, messages, and more.

Since the phishing email doesn’t carry a malicious link, or attachment, that can be scanned by email security solutions, these emails often make it past filters and into people’s inboxes.

Beyond phishing, Russian and Belarusian threat groups are also using malware and specialized tools to exfiltrate Signal messages directly from compromised Android and Windows devices.

These efforts include scripts like WAVESIGN, which periodically extracts messages from Signal’s database, and Infamous Chisel, a known Android malware variant. Other actors, such as Turla and UNC1151, have leveraged PowerShell and command-line utilities to steal stored Signal messages from compromised computers, as well.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

LEAVE A REPLY Cancel reply

EDITOR PICKS

POPULAR POSTS

QUICK LINKS

ABOUT US

FOLLOW US

Cookie bar