Germany’s Federal Office for the Protection of the Constitution (aka Bundesamt für Verfassungsschutz or BfV) and the Federal Office for Information Security (BSI) have issued a joint advisory warning of a malicious cyber campaign carried out by a potentially state-sponsored threat actor that involves carrying out phishing attacks on the Signal messaging app.
“The focus is on high-ranking targets in politics, the military and diplomacy, as well as investigative journalists in Germany and Europe,” the agencies said. “Unauthorized access to Messenger accounts not only allows access to confidential private communications but potentially compromises the entire network.”
A notable aspect of the campaign is that it does not involve the distribution of malware or the exploitation of any security vulnerabilities in the privacy-focused messaging platform. Rather, the ultimate goal is to weaponize its legitimate features to gain covert access to a victim’s chats as well as their contact lists.
The attack chain is as follows: Threat actors impersonate a support chatbot called “Signal Support” or “Signal Security Chatbot” to initiate direct contact with potential targets, urging them to provide a PIN or verification code received via SMS, or risk data loss.
If the victim complies, the attackers can register the account and gain access to the victim’s profile, settings, contacts and block list through a device and mobile phone number under their control. While a stolen PIN does not enable access to the victim’s past conversations, a threat actor can use it to intercept incoming messages and send messages impersonating the victim.
The targeted user, who has by now lost access to his or her account, is instructed to register for a new account by the threat actor masquerading as a support chatbot.
An alternative attack sequence also exists that takes advantage of the device linking option: victims are tricked into scanning a QR code, which links a device the attackers control to the account and gives them access to it, including the last 45 days of messages.
However, in this case, the targeted individuals continue to have access to their account without realizing that their chats and contact lists are also now exposed to threat actors.
Security officials warned that while the current focus of the campaign appears to be on Signal, the attack could also be extended to WhatsApp, since it offers similar device linking and a PIN as part of two-step verification.
“Successful access to messenger accounts allows not only to view confidential personal communications, but also to potentially compromise the entire network through group chats,” the BfV and BSI said.
While it is not known who is behind the activity, similar attacks have been carried out by several Russia-aligned threat groups tracked as Star Blizzard, UNC5792 (aka UAC-0195), and UNC4221 (aka UAC-0185), according to reports from Microsoft and Google Threat Intelligence Group early last year.
In December 2025, Zen Digital also detailed another campaign called Ghostpairing, in which cybercriminals abuse the device linking feature on WhatsApp to impersonate users or seize control of accounts to commit fraud.
To stay safe from the threat, users are advised not to engage with unsolicited support accounts and never to send their Signal PIN as a text message. An important line of defense is to enable Registration Lock, which prevents unauthorized users from registering the phone number on another device. It is also advisable to periodically review the list of linked devices and remove any unknown devices.
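The following toy model, added here and not Signal's own code, captures the two takeover paths described above and the two mitigations just mentioned: re-registration on an attacker-controlled device (gated by the PIN only when Registration Lock is on) and QR-code device linking (which exposes the last 45 days of history until the unknown device is removed). All class and method names are assumptions for illustration.

```python
"""Toy model of the advisory's Signal takeover paths and mitigations (added example)."""
from dataclasses import dataclass, field
from typing import Optional, Set

HISTORY_DAYS_ON_LINK = 45  # per the advisory: a newly linked device receives the last 45 days


@dataclass
class SignalAccount:
    """Hypothetical model of an account; 'pin' is the user's Signal PIN."""
    phone: str
    pin: str
    registration_lock: bool = False
    owner_device: str = "owner-phone"
    linked_devices: Set[str] = field(default_factory=set)

    def reregister(self, new_device: str, sms_code_ok: bool, pin_guess: Optional[str]) -> bool:
        """Path 1: the number is registered on a device the caller controls.
        Without Registration Lock the SMS verification code alone suffices;
        with it, the correct PIN is also required. Returns True on takeover."""
        if not sms_code_ok:
            return False
        if self.registration_lock and pin_guess != self.pin:
            return False
        self.owner_device = new_device      # the previous owner loses the account
        self.linked_devices.clear()
        return True

    def link_device(self, device: str, qr_scanned_by_owner: bool) -> int:
        """Path 2: QR-code linking. The owner keeps access, but the new device
        silently receives recent history. Returns the days of history exposed."""
        if not qr_scanned_by_owner:
            return 0
        self.linked_devices.add(device)
        return HISTORY_DAYS_ON_LINK

    def review_linked_devices(self, known: Set[str]) -> Set[str]:
        """Mitigation: drop every linked device the owner does not recognise."""
        unknown = self.linked_devices - known
        self.linked_devices -= unknown
        return unknown
```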
The development comes as the Norwegian government has accused Chinese-backed hacking groups, including Salt Typhoon, of exploiting vulnerable network devices to break into several organizations in the country, and has also accused Russia of closely monitoring military targets and associated activities, and Iran of keeping an eye on dissidents.
Stating that Chinese intelligence services attempt to recruit Norwegian citizens to gain access to classified data, the Norwegian Police Protection Service (PST) said these sources are encouraged to set up their own “human source” networks by advertising part-time positions on job boards or approaching people via LinkedIn.
The agency further warned that China is “systematically” exploiting collaborative research and development efforts to strengthen its security and intelligence capabilities. It is worth noting that according to Chinese law, software vulnerabilities identified by Chinese researchers must be reported to authorities no later than two days after discovery.
“Iranian cyber threat actors compromise dissidents’ email accounts, social media profiles and personal computers to gather information about themselves and their networks,” the PST said. “These actors have advanced capabilities and will continue to develop their methods to conduct increasingly targeted and intrusive campaigns against individuals in Norway.”
The disclosure follows an advisory from CERT Polska, which assessed that a Russian nation-state hacking group called Static Tundra may be behind coordinated cyberattacks targeting more than 30 wind and photovoltaic farms, a private company in the manufacturing sector, and a large combined heat and power plant (CHP) that supplies heat to nearly half a million customers in the country.
“At each affected facility, there was a FortiGate device present that acted as both a VPN concentrator and firewall,” it said. “In every case, the VPN interface was exposed to the Internet and allowed authentication to accounts defined in the configuration without multi-factor authentication.”