CISA Warns of Spyware Targeting Signal and WhatsApp Users

  • Nov 25, 2025

Key Findings


  • CISA has issued an alert warning of threat actors actively using commercial spyware and remote access trojans (RATs) to target users of mobile messaging apps like Signal and WhatsApp.

  • The attackers employ sophisticated social engineering and targeting techniques to deliver spyware and gain unauthorized access to victims' messaging apps, enabling further device compromise.

  • The targeting appears opportunistic but often focuses on high-value individuals such as government, military, and political officials, as well as civil society members across the U.S., Middle East, and Europe.


Background


CISA has observed multiple cyber threat actors leveraging commercial spyware to target users of various mobile messaging applications. These actors use a range of tactics, including phishing messages, malicious QR codes, zero-click exploits, and impersonation of popular apps like Signal and WhatsApp, to deliver spyware and gain unauthorized access to victims' messaging accounts.


Russia-Aligned Actors Targeting Signal


CISA has identified Russia-aligned threat actors abusing Signal's "linked devices" feature to hijack target user accounts. This allows the attackers to gain access to the victim's messaging history and enable further malicious activities.


Android Spyware Campaigns in the UAE


CISA has observed Android spyware campaigns, codenamed ProSpy and ToSpy, that impersonate apps like Signal and ToTok to target users in the United Arab Emirates. These campaigns deliver malware that establishes persistent access to compromised Android devices and exfiltrates data.


ClayRat Targeting Users in Russia


An Android spyware campaign called ClayRat has targeted users in Russia, using Telegram channels and lookalike phishing pages that impersonate popular apps like WhatsApp, Google Photos, TikTok, and YouTube to trick users into installing malware that steals sensitive data.


Attacks Chaining iOS and WhatsApp Vulnerabilities


CISA has identified a targeted attack campaign that likely chained two security flaws in iOS and WhatsApp (CVE-2025-43300 and CVE-2025-55177) to target fewer than 200 WhatsApp users.


LANDFALL Spyware Targeting Galaxy Devices


A targeted attack campaign exploited a Samsung security flaw (CVE-2025-21042) to deliver Android spyware dubbed LANDFALL to Galaxy devices in the Middle East.


Recommended Mitigations


To counter the threat, CISA urges highly targeted individuals to review and adhere to a range of best practices, including:


  • Using end-to-end encrypted communications

  • Enabling FIDO-based phishing-resistant authentication

  • Avoiding SMS-based multi-factor authentication

  • Using a password manager

  • Regularly updating software

  • Enabling security features on mobile devices

  • Limiting app permissions and avoiding personal VPNs


Sources


  • https://thehackernews.com/2025/11/cisa-warns-of-active-spyware-campaigns.html

  • https://securityaffairs.com/185047/malware/cisa-spyware-and-rats-used-to-target-whatsapp-and-signal-users.html

  • https://x.com/TheCyberSecHub/status/1993211609117012260

  • https://x.com/Alevskey/status/1993213289187185127

  • https://www.reddit.com/r/SecOpsDaily/comments/1p65voi/cisa_warns_of_active_spyware_campaigns_hijacking/

  • https://ckh.enc.edu/news/cisa-warns-of-active-spyware-campaigns-against-signal-and-whatsapp-users/
