
Yesterday, 8 May 2026 (Main stream)
  • ✇HACKMAGEDDON
  • 16-30 April 2026 Cyber Attacks Timeline, by Paolo Passeri

16-30 April 2026 Cyber Attacks Timeline

8 May 2026, 07:04
In the second timeline of April 2026 I collected 108 events, corresponding to an average of 7.2 events per day. The number confirms a growing trend, driven by the increasing number of supply chain attacks, compared to the previous timeline, where I collected 94 events (6.27 events/day).
Before yesterday (Main stream)
  • ✇Security Affairs
  • Signal Phishing Campaign Targets German Officials in Suspected Russian Operation, by Pierluigi Paganini

Signal Phishing Campaign Targets German Officials in Suspected Russian Operation

28 April 2026, 10:56

Suspected Russian phishing via Signal targeted German officials, exploiting trust to access accounts and sensitive political communications.

A new wave of cyber operations targeting European political leadership is once again highlighting how modern espionage increasingly relies on deception rather than technical exploits. Recent investigations by German authorities point to a large-scale phishing campaign conducted via the Signal messaging platform, with strong suspicions of Russian involvement.

According to multiple reports [1, 2, 3], the campaign targeted high-profile individuals, including German politicians, ministers, military personnel, diplomats, and journalists. German prosecutors have launched an investigation into what they believe may be a coordinated espionage effort, with early evidence suggesting a state-sponsored actor.

The attack did not rely on malware or vulnerabilities in Signal itself. Instead, it exploited human trust—arguably the weakest link in cybersecurity. Victims were approached through messages impersonating official Signal support or trusted contacts, prompting them to share authentication codes, scan malicious QR codes, or click on crafted links. Once compromised, attackers gained access to private chats, contact lists, and potentially sensitive political discussions.

One of the most notable targets was Julia Klöckner, whose account was reportedly compromised through a phishing attempt embedded in what appeared to be a legitimate group chat linked to her political party. The operation also attempted to target German Chancellor Friedrich Merz, although no compromise was confirmed in that case.

Authorities estimate that hundreds of accounts may have been affected. While Berlin has not formally attributed the campaign, intelligence sources increasingly point toward Russian involvement, consistent with a broader pattern of cyber activities aimed at European democracies.

“The German government suspects Russia is behind a series of phishing attacks on Signal targeting high-ranking politicians, including two government ministers, military personnel and journalists, a government spokesperson said.

“Federal prosecutors have been conducting a preliminary investigation since mid-February 2026 into alleged cyberattacks on Signal accounts, a spokesperson for the federal prosecutors confirmed on Saturday. Among other things, the investigation involves an initial suspicion of espionage, she added, without specifying which country might be involved.” reads the report published by the Associated Press.

“The German government has still not officially attributed the attacks to Russia.”

This incident is not isolated. Over the past decade, Western intelligence agencies have repeatedly linked Russian state-backed groups to cyber espionage and influence operations targeting political institutions. These activities are part of a broader strategy often described as “hybrid warfare,” where cyber operations, disinformation, and psychological tactics are combined to achieve geopolitical objectives without direct military confrontation.

Security experts stress that what makes this campaign particularly concerning is its simplicity and effectiveness. Instead of exploiting software flaws, attackers leveraged legitimate platform features and social engineering techniques. This approach allows them to bypass many traditional security controls and remain largely undetected.

“We are witnessing a new phase of hybrid warfare, where attackers don’t need to break encryption—they just trick the user. The human factor has become the primary attack surface.”

“Targeting secure messaging platforms like Signal demonstrates how threat actors adapt quickly to changing communication habits. When politicians and officials move to more secure platforms, adversaries follow them. The battlefield is no longer the infrastructure, but the user.”

Another critical aspect is the potential impact. Access to private conversations between political leaders, policymakers, and diplomats can provide strategic intelligence, enable blackmail, or support disinformation campaigns. Even limited breaches can undermine trust in secure communication tools and institutions.

German authorities, including the Federal Office for the Protection of the Constitution (BfV) and the Federal Office for Information Security (BSI), have already issued warnings about similar tactics earlier this year. They highlighted that such campaigns are likely ongoing and could expand to other platforms like WhatsApp or Telegram.

The broader implication is clear: cybersecurity is no longer just a technical issue but a geopolitical one. As digital communication becomes central to governance, diplomacy, and decision-making, it also becomes a primary target for intelligence operations.

This campaign serves as a reminder that even the most secure technologies cannot protect against deception if users are not adequately trained and aware. In today’s threat landscape, resilience depends not only on encryption and infrastructure but also on human vigilance.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – German officials, Bundestag)

  • ✇HACKMAGEDDON
  • Q1 2026 Cyber Attack Statistics, by Paolo Passeri

Q1 2026 Cyber Attack Statistics

28 April 2026, 06:51
I aggregated the statistics created from the cyber attacks timelines published in the first quarter of 2026. In this period, I collected a total of 528 events (5.87 events/day) dominated by Cyber Crime with 66%, followed by Cyber Espionage with 18%, Hacktivism with 3%, and finally Cyber Warfare with 2%.
  • ✇Security Boulevard
  • China-Backed Groups are Using Massive Botnets in Espionage, Intrusion Campaigns, by Jeffrey Burt

China-Backed Groups are Using Massive Botnets in Espionage, Intrusion Campaigns

27 April 2026, 09:32

China-sponsored threat groups like Salt Typhoon and Flax Typhoon are increasingly relying on multiple massive botnets comprising edge and IoT devices to run their cyber espionage and network intrusion campaigns, CISA and other security agencies say. The use of such "covert networks" makes it more difficult to detect and mitigate their campaigns.

The post China-Backed Groups are Using Massive Botnets in Espionage, Intrusion Campaigns appeared first on Security Boulevard.

  • ✇Security Affairs
  • Italy moves to extradite Chinese national to the U.S. over hacking charges, by Pierluigi Paganini

Italy moves to extradite Chinese national to the U.S. over hacking charges

27 April 2026, 05:00

Italy plans to extradite Xu Zewei to the U.S. over alleged hacks on COVID-19 research tied to state-backed operations.

Italy is moving to extradite Xu Zewei, the Chinese national arrested in 2025 at the request of U.S. authorities on cyber-espionage charges, Bloomberg reported.

The case stands out because it ties a single suspect, Xu, to cyber operations targeting sensitive research and major systems beyond the U.S. Authorities say he targeted universities and researchers working on COVID-19 vaccines, treatments, and testing between 2020 and 2021. Prosecutors also link him to a China state-backed hacking ecosystem, framing the activity as part of broader, politically motivated cyber operations.

On July 3, 2025, Italian police arrested Xu at Milan’s Malpensa Airport on a U.S. warrant, after he arrived on a flight from China. Italian authorities accused him of cyber espionage; U.S. authorities linked him to the China-nexus group Hafnium (aka Silk Typhoon), which carried out attacks against U.S. government targets, including the U.S. Treasury.

“Zewei Xu is wanted by the FBI for allegedly being part of a team of hackers that allegedly carried out espionage operations, particularly in 2020 on anti-COVID vaccines being produced at the University of Texas.” reported Italian news agency ANSA.

“Interior ministry documents said he is also accused of being part of a “large-scale cyber intrusion campaign orchestrated” by the Chinese government known as ‘Hafnium’, which “targeted thousands of computers around the world” to get information on “various U.S. government policies.”

The suspect’s family claims he is an innocent IT technician. His wife opposes his extradition, saying his Italian visa proves no wrongdoing and that he works as an IT manager at Shanghai GTA Semiconductor Ltd, developing systems and networks.

“Both my husband and I do not agree with extradition to the United States,” his wife told the Postal Police after the man’s arrest. “Him getting an entry visa to Italy should be a confirmation that we have not committed crimes, so I cannot understand the reason for my husband’s arrest.”

Italian police seized the documents and the devices of the suspect as requested by the U.S. authorities.

In broader terms, the Xu Zewei case shows how cyber espionage is increasingly handled through legal and diplomatic channels as well as technical defense. The extradition process is part of the response, but the deeper challenge is preventing these operations from succeeding in the first place. That means better patching, faster detection, stronger identity controls, and closer international coordination across Europe and the United States.


Pierluigi Paganini

(SecurityAffairs – hacking, China)

  • ✇HACKMAGEDDON
  • 1-15 April 2026 Cyber Attacks Timeline, by Paolo Passeri

1-15 April 2026 Cyber Attacks Timeline

24 April 2026, 05:39
The first timeline of April 2026 brings an evolution in terms of methodology: from now on I will map the initial access techniques with the MITRE ATT&CK model. I also decided to merge the categories of Finance and Fintech in the sectors chart. From an event perspective, the first half of April 2026 confirmed a sustained trend...
  • ✇HACKMAGEDDON
  • March 2026 Cyber Attacks Statistics, by Paolo Passeri

March 2026 Cyber Attacks Statistics

16 April 2026, 05:14
After the cyber attacks timelines, it’s time to publish the statistics for March 2026 where I collected and analyzed 282 events: a sharp increase compared to the 176 events of the previous month. In March 2026, Cyber Crime continued to lead the Motivations chart with 64%, ahead of Cyber Espionage at number two with 15%. Hacktivism took over the third position with 6%, ahead of Cyber Warfare with 3%.
  • ✇HACKMAGEDDON
  • 16-31 March 2026 Cyber Attacks Timeline, by Paolo Passeri

16-31 March 2026 Cyber Attacks Timeline

14 April 2026, 08:57
The second half of March 2026 has been very active from an infosec standpoint, with 124 events and a threat landscape dominated by malware. As always, cyber crime led the motivations chart with 65%, slightly up from the previous timeline.
  • ✇Security Affairs
  • China-linked Red Menshen APT deploys stealthy BPFDoor implants in telecom networks, by Pierluigi Paganini

China-linked Red Menshen APT deploys stealthy BPFDoor implants in telecom networks

27 March 2026, 03:16

China-linked Red Menshen APT group used stealthy BPFDoor implants in telecom networks to spy on government targets.

Rapid7 Labs uncovered that a China-linked threat group known as Red Menshen has been running a long-term espionage campaign by infiltrating telecom networks, mainly in the Middle East and Asia. Active since at least 2021, the group uses highly stealthy BPFDoor implants to maintain hidden access inside critical infrastructure.

This strategic positioning allows attackers to quietly monitor and potentially spy on government communications. Researchers describe these implants as extremely hard to detect, acting like “digital sleeper cells” embedded deep within telecom environments for prolonged surveillance.

Compromised telecoms threaten entire populations, not just individual companies, as they carry critical communications and digital identities. Over the past decade, similar state-backed intrusions have targeted multiple countries, exposing call records, sensitive communications, and trusted operator links, revealing a worrying global pattern.

Investigations reveal a structured, long-term campaign by a China-linked threat actor targeting telecommunications infrastructure. Rather than short-term intrusions, the operation plants “sleeper cells”: dormant footholds embedded deep within networks to maintain persistent access over extended periods. Recurring tools in the attackers’ arsenal include kernel-level implants, passive backdoors, credential-harvesting utilities, and cross-platform command frameworks, forming a layered, stealthy access model. Experts highlighted the central role of BPFDoor, a Linux backdoor that installs a packet filter in the kernel and activates only when a specially crafted packet arrives, without exposing a listening port or a standing command-and-control channel. Because the triage of incoming traffic happens below the layers where most network and host monitoring looks, this approach complicates detection and demonstrates a shift toward deep, covert tradecraft. BPFDoor is not an isolated tool but part of a broader, scalable intrusion model targeting telecom environments with high stealth.

Modern telecom networks are built in layers, making them highly valuable targets. At the edge are customer-facing systems like base stations, routers, VPNs, and firewalls, which connect to the core backbone that carries massive volumes of global traffic.

Deeper inside sits the control plane, where critical systems manage subscribers, authentication, billing, and signaling using protocols like SS7 and Diameter. Much of this infrastructure runs on Linux or BSD systems, meaning a kernel-level backdoor can place attackers close to sensitive data and communication flows.

Attacks usually begin at the network edge by exploiting exposed services or valid accounts on devices like VPNs, firewalls, and virtualization hosts. Once inside, attackers deploy tools such as CrossC2 for command execution, TinyShell for stealthy persistence, and keyloggers or brute-force tools to steal credentials and move laterally toward core systems.

A key tool is BPFDoor, a stealthy Linux backdoor: a user-space process that attaches a BPF filter to a raw socket so that the kernel hands it nothing but the specially crafted “magic” packet that wakes it up.

“BPFdoor first came to broader public attention around 2021, when researchers uncovered a stealthy Linux backdoor used in long-running espionage campaigns targeting telecommunications and government networks. The BPFDoor source code reportedly leaked online in 2022, making the previously specialized Linux backdoor more accessible to other threat actors.” reads the report published by Rapid7. “Normally, BPF is used by tools like tcpdump or libpcap to capture specific network traffic, such as filtering for TCP port 443. It operates partly in kernel space, meaning it processes packets before they reach user-space applications. BPFdoor abuses this capability. Rather than binding to a visible listening port, the implant installs a custom BPF filter inside the kernel that inspects incoming packets for a specific pattern, a predefined sequence of bytes often referred to as a “magic packet” or “magic byte.””

Like a hidden lock that opens with the right code, it leaves no visible trace, making detection extremely difficult while enabling long-term, covert access across telecom environments.

Rapid7 Labs hunted BPFDoor variants by analyzing ELF samples and grouping them by code similarity, revealing both recurring clusters and outliers. Using custom tools, they discovered new features, including a variant “F” with a 26-instruction BPF filter and updated magic packets. Some samples inspect SCTP traffic, giving attackers access to telecom signaling, subscriber data, and location tracking. Other tactics include mimicking bare-metal servers like HPE ProLiant or container services such as Docker to blend into telecom hardware and 5G core environments. These strategies allow implants to remain hidden while embedding directly into the backbone, turning persistence into deep visibility across critical networks.

According to Rapid7, recent BPFDoor variants show significant evolution in stealth and control. Instead of simple magic packets, triggers are now hidden inside legitimate HTTPS traffic, passing through proxies, load balancers, and firewalls.

A padding mechanism, called the 26- or 40-byte “magic ruler,” ensures the activation marker lands at a fixed offset and survives header changes. The malware also uses lightweight RC4-MD5 encryption for fast command execution and reuses proven routines from prior China-linked malware. ICMP packets serve as a small control channel between infected systems: a special marker (0xFFFFFFFF) tells the receiving host to execute commands, letting attackers manage multiple compromised servers quietly across telecom and enterprise networks.
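A host-side hunt for the passive-implant pattern described above, added here as an example; it is not Rapid7 Labs tooling and contains no BPFDoor code. It pairs /proc/net/packet (every AF_PACKET raw socket, the socket type public BPFDoor samples attach their filter to) with the process holding each socket, then flags holders whose visible argv[0] disagrees with /proc/<pid>/exe, or whose binary lives in (or was unlinked from) a staging directory. The /proc layout is real; the process tree, the daemon-looking argv[0] "/sbin/udevd -d" and the path /dev/shm/implant are constructed for the demo. Two assumptions: a variant that reads from AF_INET raw sockets would need /proc/net/raw as a second source, and a Docker- or ProLiant-themed name of the kind the article mentions is caught only when it differs from the real binary's name.

```python
"""Hunt for BPFDoor-style passive implants by pairing AF_PACKET raw sockets with
the processes that own them and checking whether each owner is what it claims.
Added example; not Rapid7 Labs tooling. The sample tree below is constructed."""
import os
import re
import tempfile
from dataclasses import dataclass

STAGING_DIRS = ("/dev/shm/", "/tmp/", "/var/tmp/")   # where such implants are dropped


@dataclass
class Finding:
    pid: int
    argv0: str          # what ps shows
    exe: str            # what is really running (readlink /proc/<pid>/exe)
    inode: int          # AF_PACKET socket inode
    masquerading: bool


def packet_socket_inodes(proc_root="/proc"):
    """Inodes of every AF_PACKET socket. Columns in /proc/net/packet:
    sk RefCnt Type Proto Iface R Rmem User Inode."""
    inodes = set()
    with open(os.path.join(proc_root, "net", "packet")) as fh:
        next(fh)                                  # header line
        for line in fh:
            fields = line.split()
            if len(fields) >= 9:
                inodes.add(int(fields[8]))
    return inodes


def socket_owner_pids(inodes, proc_root="/proc"):
    """Map socket inode -> pid from /proc/<pid>/fd/* links of the form socket:[N]."""
    owners = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                           # process exited, or needs root
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m and int(m.group(1)) in inodes:
                owners[int(m.group(1))] = int(entry)
    return owners


def hunt(proc_root="/proc"):
    """One Finding per raw-socket holder. tcpdump, dhclient and monitoring agents
    appear too; the masquerading flag is what separates BPFDoor-like behaviour."""
    findings = []
    owners = socket_owner_pids(packet_socket_inodes(proc_root), proc_root)
    for inode, pid in sorted(owners.items()):
        pdir = os.path.join(proc_root, str(pid))
        try:
            with open(os.path.join(pdir, "cmdline"), "rb") as fh:
                argv0 = fh.read().split(b"\0")[0].decode(errors="replace")
            exe = os.readlink(os.path.join(pdir, "exe"))
        except OSError:
            continue
        real = exe.replace(" (deleted)", "")
        # BPFDoor rewrites argv[0] so ps shows a harmless daemon; /proc/<pid>/exe
        # still names the real binary, often already unlinked from a staging dir.
        masquerading = (
            os.path.basename(argv0) != os.path.basename(real)
            or exe.endswith(" (deleted)")
            or real.startswith(STAGING_DIRS)
        )
        findings.append(Finding(pid, argv0, exe, inode, masquerading))
    return findings


def build_sample_proc(root):
    """Constructed /proc snapshot, not a real capture: pid 4242 is tcpdump,
    pid 5151 is an implant hiding behind a daemon-looking argv[0]."""
    os.makedirs(os.path.join(root, "net"))
    with open(os.path.join(root, "net", "packet"), "w") as fh:
        fh.write("sk       RefCnt Type Proto  Iface R Rmem   User   Inode\n"
                 "ffff9a1c0a1b0000 3      3    0003   2     1 0      0      31001\n"
                 "ffff9a1c0a1b0001 3      3    0003   0     1 0      0      31002\n")
    procs = {4242: ("tcpdump\0-i\0eth0\0", "/usr/bin/tcpdump", 31001),
             5151: ("/sbin/udevd -d\0", "/dev/shm/implant (deleted)", 31002)}
    for pid, (cmdline, exe, inode) in procs.items():
        pdir = os.path.join(root, str(pid))
        os.makedirs(os.path.join(pdir, "fd"))
        with open(os.path.join(pdir, "cmdline"), "w") as fh:
            fh.write(cmdline)
        os.symlink(exe, os.path.join(pdir, "exe"))                 # dangling link is fine
        os.symlink(f"socket:[{inode}]", os.path.join(pdir, "fd", "3"))


def demo():
    """Run the hunt against the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_proc(root)
        return hunt(root)


if __name__ == "__main__":
    for f in demo():
        tag = "SUSPECT" if f.masquerading else "ok     "
        print(f"{tag} pid={f.pid} argv0={f.argv0!r} exe={f.exe}")
```

Run hunt() as root on a real host, since /proc/<pid>/fd of other users' processes is otherwise unreadable. Treat the flag as a triage cue rather than a verdict: a binary invoked through a symlink (busybox-style multicall tools) also produces an argv[0]/exe mismatch, and a sniffer running out of /tmp during an incident will trip the staging-directory check.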

“BPFdoor and new eBPF malware families like Symbiote demonstrate how kernel packet filtering can be abused for stealth persistence. As defenders improve visibility at higher layers, adversaries are increasingly shifting implants deeper into the operating system.” concludes the report that provides Indicators of Compromise (IoCs).


Pierluigi Paganini

(SecurityAffairs – hacking, telecom)

1-15 March 2026 Cyber Attacks Timeline

26 March 2026, 07:56
In the first half of March 2026 I collected 95 events (6.34 events/day) with a threat landscape dominated by malware, once again ahead of account takeovers and ransomware.
  • ✇Firewall Daily – The Cyber Express
  • Iran-Linked Hackers Use Messaging Platform to Target Dissidents and Journalists, by Samiksha Jain

Iran-Linked Hackers Use Messaging Platform to Target Dissidents and Journalists

24 March 2026, 02:35

The Iran Telegram malware campaign has once again put the spotlight on how state-backed cyber actors are adapting their tactics by blending into widely used digital platforms. In a recent alert, the Federal Bureau of Investigation (FBI) revealed that cyber actors linked to Iran’s Ministry of Intelligence and Security (MOIS) are using Telegram as a command-and-control (C2) infrastructure to deploy malware. The campaign specifically targets Iranian dissidents, journalists, and individuals or groups perceived as opposing the Iranian government. According to the FBI, these operations have led to intelligence collection, data leaks, and reputational damage, indicating that the intent goes beyond simple access and leans toward sustained monitoring and impact.

Iran Telegram Malware Reflects Targeted Surveillance Strategy

The Iran Telegram malware activity dates back to at least Fall 2023, with multiple malware variants identified targeting Windows systems. The victim profile is not random. It is clearly defined, focused on individuals whose views or affiliations are seen as a threat by the Iranian government. However, the FBI also notes that the malware can be used against any individual of interest, suggesting the capability is broader than the currently observed targets. What stands out is the level of preparation. The malware is not just deployed, it is tailored. Attackers appear to study their targets in advance, customizing lures to increase the chances of success. This points to a deliberate and intelligence-driven approach rather than opportunistic attacks.

How the Iran Telegram Malware Operates

The FBI outlines a structured, multi-stage malware framework that combines deception with persistence.
Social Engineering Drives Initial Access
Attackers reach out through messaging platforms, impersonating trusted contacts or even technical support. Victims are persuaded to download files disguised as legitimate applications. These files often appear as commonly used software, including messaging tools or utilities, making them harder to question.
Multi-Stage Malware Deployment
  • Stage 1: Masquerades as legitimate applications such as Telegram-related tools, KeePass, or other software
  • Stage 2: Installs a persistent implant after user interaction
Once executed, the second stage connects the infected device to a Telegram bot, establishing a C2 channel via Telegram’s infrastructure.
Persistent Access and Control
At this stage, attackers gain remote access to the compromised system. The use of Telegram allows bidirectional communication, enabling continuous control without raising immediate suspicion.

Data Collection and Exfiltration via Telegram

The primary objective of the Iran Telegram malware campaign is data collection. The malware is capable of:
  • Recording screen activity and audio
  • Capturing cached data and files
  • Compressing and staging data for exfiltration
  • Deleting files after extraction
Some variants were even designed to record screen and audio during active Zoom sessions, highlighting a focus on capturing sensitive, real-time information. All collected data is routed through Telegram infrastructure, reinforcing its role as a central component of the attack chain.

Links to Handala Hack and Proxy Operations

The FBI also connects this campaign to the online entity “Handala Hack,” which claimed responsibility for a 2025 hack-and-leak operation targeting individuals critical of Iran. The agency assesses that some of the leaked data was obtained using malware associated with this campaign. Handala Hack is known for phishing, data theft, extortion, and destructive cyber activities, including the use of wiper malware. Additionally, the group is linked to “Homeland Justice,” another entity assessed to be operated by MOIS cyber actors. This reflects a broader pattern where technical intrusions are followed by public data exposure. The goal is not just access, but also reputational and political damage through controlled information release.

Execution Techniques and Persistence Mechanisms

The malware used in the Iran Telegram malware campaign employs several techniques to maintain access and avoid detection:
  • Use of PowerShell execution without warnings
  • Registry modifications to ensure persistence
  • Deployment of multiple malware files for different functions
Observed file names include variants mimicking legitimate tools, such as Telegram_authenticator.exe and WhatssApp.exe, further reinforcing the deception strategy. [Image: Iran Telegram malware campaign. Source: FBI] Once inside a system, additional malware components are downloaded to expand capabilities and maintain long-term access.
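Detection logic for the three behaviours the advisory describes (lookalike executables, quiet PowerShell launched by them, and Telegram as the C2 channel), added here as an example; it is not the FBI's or The Cyber Express's code. It runs over a handful of constructed Sysmon-style events, with the user name, paths and bot token invented for the sample. Two assumptions are built in: "PowerShell execution without warnings" is read as the usual -NoProfile / -WindowStyle Hidden / -ExecutionPolicy Bypass switches, and "connects the infected device to a Telegram bot" is read as HTTPS to api.telegram.org with a /bot<id>:<secret>/ path, the Bot API that Telegram's own chat clients never call.

```python
"""Detection logic over constructed Sysmon-style events for the three behaviours
the advisory lists. Added example; not the FBI's or The Cyber Express's code.
Paths, user name and the bot token below are invented sample data."""
import re
from difflib import SequenceMatcher

GENUINE = {"telegram.exe", "whatsapp.exe", "signal.exe", "keepass.exe"}   # real binaries
BRANDS = ("telegram", "whatsapp", "signal", "keepass")                      # names imitated
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
# Assumption: "PowerShell execution without warnings" = the usual quiet switches.
PS_QUIET = re.compile(r"-(?:ep|executionpolicy)\s+bypass|-w(?:indowstyle)?\s+hidden|-nop\b", re.I)
# Bot API path: /bot<bot_id>:<secret>/<method>. Telegram's own clients speak MTProto to
# the DCs and never call this endpoint, so a host process doing so is a bot client.
BOT_API = re.compile(r"^/bot\d+:[\w-]{30,}/\w+")


def lookalike(image):
    """True for names that imitate a known app without being the real binary
    (Telegram_authenticator.exe, WhatssApp.exe); False for Telegram.exe itself."""
    m = re.search(r"([^\\/\"']+\.exe)", image, re.I)       # file name, quotes/args stripped
    name = (m.group(1) if m else image).lower()
    if name in GENUINE:
        return False
    stem = name[:-4] if name.endswith(".exe") else name
    if any(b in stem for b in BRANDS):                      # Telegram_authenticator
        return True
    return any(SequenceMatcher(None, stem, b).ratio() >= 0.8 for b in BRANDS)  # WhatssApp


def analyse(events):
    """Return (rule, event) pairs in event order."""
    hits = []
    for ev in events:
        if ev["type"] == "registry" and ev["key"].lower().endswith(RUN_KEYS) \
                and lookalike(ev["data"]):
            hits.append(("run_key_lookalike_persistence", ev))
        elif ev["type"] == "process" and "powershell" in ev["image"].lower() \
                and lookalike(ev["parent"]) and PS_QUIET.search(ev["cmdline"]):
            hits.append(("lookalike_spawns_quiet_powershell", ev))
        elif ev["type"] == "network" and ev["host"].lower() == "api.telegram.org" \
                and BOT_API.match(ev["path"]):
            hits.append(("bot_api_c2_from_endpoint", ev))
    return hits


# Constructed telemetry: one victim session with a benign Telegram Desktop alongside.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\dana\Downloads\Telegram_authenticator.exe",
     "cmdline": "Telegram_authenticator.exe", "parent": r"C:\Windows\explorer.exe"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -nop -w hidden -ep bypass -c "Start-Sleep 1"',
     "parent": r"C:\Users\dana\Downloads\Telegram_authenticator.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "WhatsApp", "data": r'"C:\Users\dana\AppData\Roaming\WhatssApp.exe"'},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Telegram",
     "data": r'"C:\Users\dana\AppData\Roaming\Telegram Desktop\Telegram.exe" -autostart'},
    {"type": "network", "image": r"C:\Users\dana\AppData\Roaming\WhatssApp.exe",
     "host": "api.telegram.org", "path": "/bot1234567890:" + "A" * 35 + "/getUpdates"},
    {"type": "network", "image": r"C:\Users\dana\AppData\Roaming\Telegram Desktop\Telegram.exe",
     "host": "149.154.167.51", "path": ""},
]

if __name__ == "__main__":
    for rule, ev in analyse(SAMPLE_EVENTS):
        print(rule, ev.get("image") or ev.get("data"))
```

The genuine Telegram Desktop client also writes a Run value pointing into %AppData%, which is why the persistence rule keys on name imitation rather than on the path. An in-house automation script that polls a bot would trip the Bot API rule as well, so allow-list those hosts rather than weaken the rule.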

Why This Campaign Stands Out

What makes the Iran Telegram malware campaign particularly concerning is its simplicity combined with precision.
  • It relies heavily on human interaction rather than technical exploits
  • It uses trusted platforms instead of suspicious infrastructure
  • It focuses on specific individuals rather than mass attacks
This combination makes detection harder and increases the likelihood of success.

Mitigation: Simple Steps, Critical Impact

Despite the sophistication of the campaign, the FBI’s recommendations remain grounded in basic cybersecurity practices:
  • Be cautious of unexpected messages, even from known contacts
  • Avoid downloading files from unverified sources
  • Keep systems updated with the latest software patches
  • Use strong passwords and enable multi-factor authentication
  • Regularly run antivirus or anti-malware tools
The advisory makes one thing clear: even advanced campaigns often succeed because of small lapses in user awareness.

A Clear Signal for Cyber Defenders

The Iran Telegram malware campaign is a reminder that cyber threats are no longer confined to obscure or easily identifiable channels. By embedding malicious activity within widely used platforms like Telegram, attackers are reducing friction and increasing stealth. For defenders, this raises an important challenge: security strategies must account not just for malicious code, but for how and where that code is delivered. In this case, the platform is familiar. The method is simple. And that is exactly what makes it effective.
  • ✇Security Affairs
  • Former Germany’s foreign intelligence VP hit in Signal account takeover campaign, by Pierluigi Paganini

Former Germany’s foreign intelligence VP hit in Signal account takeover campaign

16 March 2026, 11:32

Former BND VP Arndt Freytag von Loringhoven was targeted in a Signal cyberattack, part of a wave hitting officials and politicians in Germany.

A cyberattack targeting Signal and WhatsApp users has hit high-ranking German officials, including former BND Vice President Arndt Freytag von Loringhoven. The official reported being contacted by someone posing as Signal support and asked for his PIN. This incident highlights a broader cyber espionage campaign against sensitive individuals in security agencies and political positions.

“He is far from the only prominent victim of the global wave of attacks against user accounts at Signal and WhatsApp. According to SPIEGEL, high-ranking German politicians have reported themselves to the authorities as victims, and active officials in security agencies have also been attacked.” reads the report published by SPIEGEL. “Back in February, the Federal Office for the Protection of the Constitution (BfV) and the Federal Office for Information Security (BSI) classified the attack as “security-relevant” and urged those affected to come forward. The BfV stated that this warning met with a “high response” and that they believe it prevented even worse damage.”

German authorities warned Signal users to check for suspicious signs, such as unknown devices listed under “paired devices” or unexpected prompts to re-register accounts.

In the case of former BND official Arndt Freytag von Loringhoven, attackers used his compromised account to send a malicious link to contacts. He quickly warned them not to open it and deleted his account. Investigators believe the incident is part of ongoing hybrid campaigns linked to Russia. Given Loringhoven’s work on Russian hybrid warfare and his book Putin’s Attack on Germany, he was likely considered a high-value target.

Signal said the recent incidents were targeted phishing attacks that allowed attackers to hijack the accounts of officials and journalists, and stressed that its encryption and infrastructure were not compromised. “We are aware of recent reports regarding targeted phishing attacks that have resulted in account takeovers of some Signal users, including government officials and journalists. We take this very seriously. To be clear: Signal’s encryption and infrastructure have not been compromised and remain robust.” Signal wrote on X on March 9, 2026.

— Signal (@signalapp) March 9, 2026

Signal warned that the attacks rely on social engineering, with attackers posing as trusted contacts or fake support services to trick users into sharing verification codes or PINs. The company stressed it will never ask for these details via messages or social media and urged users to stay vigilant and never share login codes.


In early March, Dutch intelligence agencies (MIVD and AIVD) warned of a global campaign by Russia-linked threat actors aiming to compromise Signal and WhatsApp accounts. The operation targets government officials, civil servants, and military personnel, highlighting growing cyber risks to sensitive communications among national security actors.

“Russian state hackers are engaged in a large-scale global cyber campaign to gain access to Signal and WhatsApp accounts belonging to dignitaries, military personnel and civil servants. The Dutch intelligence and security services MIVD and AIVD can confirm that targets and victims of the campaign include Dutch government employees.” reads the alert by Dutch intelligence agencies. “The Dutch services also believe that other persons of interest to the Russian government, such as journalists, may possibly be targeted by this campaign.”

Russian cyber spies are tricking users into revealing verification codes to hijack Signal and WhatsApp accounts. They impersonate Signal Support or exploit the “linked devices” feature, gaining access to messages and chat groups, potentially exposing sensitive information from government and military targets.

Dutch intelligence warned that Russia targets Signal for its strong end-to-end encryption, aiming to access sensitive government communications. Officials stress that apps like Signal and WhatsApp should not be used for classified or confidential information.

The government experts pointed out that attackers don’t exploit app vulnerabilities but abuse legitimate features of Signal and WhatsApp. Only individual accounts are targeted, not the platforms themselves, officials say.

Dutch intelligence agencies recommend that Signal users carefully monitor their group chats for signs of compromised accounts. If a contact appears twice under the same or a slightly altered name, this may indicate a compromised account or an account created by the victim after a takeover. Users should report suspicious cases to their organization’s information security team and verify the accounts through alternative channels such as email or phone. Group administrators should remove any unauthorized accounts, after which legitimate members can rejoin. Actor-controlled accounts may change display names, e.g., to “Deleted account,” or join via a shared Group Link, which triggers notifications. Users should remain vigilant for unfamiliar members and unusual account behavior. If there is any suspicion that the group administrator has been compromised, it is recommended to leave the chat group and create a new one to ensure the security and integrity of communications within the group.
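The roster checks the Dutch services describe above (duplicate or slightly altered contact names, “Deleted account” placeholders, unknown members arriving through a shared group link) can be turned into a small screening routine. The Python below is an added example written for this page, not code from Signal, MIVD or AIVD. It assumes a constructed member list in a simple dict format (Signal offers no such export, so the input shape is an assumption) and flags the same three signals an administrator would look for by hand.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed sample roster for one group chat. Assumption: each member is a
# dict with a display name, how they joined, and whether the administrator
# already knows them. Illustrative input only; Signal exposes no such export.
ROSTER = [
    {"name": "Anna Schmidt", "joined_via": "invite", "known": True},
    {"name": "anna schmidt", "joined_via": "group_link", "known": False},
    {"name": "Ben Müller", "joined_via": "invite", "known": True},
    {"name": "Ben  Mueller", "joined_via": "group_link", "known": False},
    {"name": "Deleted account", "joined_via": "invite", "known": False},
    {"name": "Clara Weber", "joined_via": "invite", "known": True},
]

# Display names an actor-controlled account may switch to after a takeover,
# per the Dutch advisory quoted in the article ("Deleted account").
SUSPICIOUS_NAMES = {"deleted account", "deleted user"}


def normalize(name):
    """Casefold, strip accents and invisible format characters, collapse
    whitespace, so 'Ben Müller' and 'ben  muller' compare equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    kept = "".join(
        c for c in decomposed
        if not unicodedata.combining(c)          # drop accent marks
        and unicodedata.category(c) != "Cf"      # drop zero-width/format chars
    )
    return " ".join(kept.casefold().split())


def similarity(a, b):
    """Ratio in [0, 1] between two display names after normalization."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def screen_roster(roster, threshold=0.85):
    """Return (member index, reason) findings for a group roster.

    Flags: placeholder display names, unknown members who joined through a
    shared group link, and exact or near-duplicate names of earlier members.
    """
    findings = []
    for i, member in enumerate(roster):
        if normalize(member["name"]) in SUSPICIOUS_NAMES:
            findings.append((i, "display name looks like a placeholder for a deleted account"))
        if member["joined_via"] == "group_link" and not member["known"]:
            findings.append((i, "unknown member joined via shared group link"))
        for j, earlier in enumerate(roster[:i]):
            score = similarity(member["name"], earlier["name"])
            if score == 1.0:
                findings.append((i, f"exact duplicate of member {j} after normalization"))
            elif score >= threshold:
                findings.append((i, f"near-duplicate of member {j} (similarity {score:.2f})"))
    return findings


if __name__ == "__main__":
    for idx, reason in screen_roster(ROSTER):
        print(f"member {idx} ({ROSTER[idx]['name']!r}): {reason}")
```

The normalization step matters more than the similarity threshold: a second account that differs from a legitimate one only by case, a doubled space, an accent, or an invisible Unicode character is exactly the “slightly altered name” the advisory warns about, and it should be surfaced as an exact duplicate rather than hidden behind a fuzzy score. Findings are a prompt to verify the contact out of band, not proof of compromise.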

In February 2025, Google Threat Intelligence Group (GTIG) researchers warned of multiple Russia-linked threat actors targeting Signal Messenger accounts used by individuals of interest to Russian intelligence. The experts speculated that the tactics, techniques, and procedures used to target Signal will be prevalent in the near term, and they will also be employed in regions outside Ukraine.

Russian hackers abused Signal’s “linked devices” feature: they used specially crafted QR codes to link victims’ accounts to attacker-controlled devices and then spied on them.

“The most novel and widely used technique underpinning Russian-aligned attempts to compromise Signal accounts is the abuse of the app’s legitimate “linked devices” feature that enables Signal to be used on multiple devices concurrently. Because linking an additional device typically requires scanning a quick-response (QR) code, threat actors have resorted to crafting malicious QR codes that, when scanned, will link a victim’s account to an actor-controlled Signal instance.” reads the report published by GTIG. “If successful, future messages will be delivered synchronously to both the victim and the threat actor in real-time, providing a persistent means to eavesdrop on the victim’s secure conversations without the need for full-device compromise.”

Researchers also reported that Russian and Belarus-linked threat actors were able to steal Signal database files from Android and Windows devices using scripts, malware, and command-line tools for data exfiltration.


Pierluigi Paganini


February 2026 Cyber Attacks Statistics

12 de Março de 2026, 03:48
After the cyber attacks timelines, it’s time to publish the statistics for February 2026 where I collected and analyzed 176 events. In February 2026, Cyber Crime continued to lead the Motivations chart with 62%.

FBI Investigates Suspicious Activity in Surveillance Platform

6 de Março de 2026, 21:01

The FBI is investigating suspicious cyber activity in a system used to process surveillance and wiretap warrants, raising concerns about security risks to sensitive data.


16-28 February 2026 Cyber Attacks Timeline

6 de Março de 2026, 06:19
In the second half of February 2026 I collected 80 events with a threat landscape dominated by malware with 42%, ahead of account takeovers and ransomware.

1-15 February 2026 Cyber Attacks Timeline

18 de Fevereiro de 2026, 08:52
In the first half of February 2026 I collected 96 events (6.4 events/day) with a threat landscape dominated by malware with 33% (it was 38% in the second half of last month), once again ahead of ransomware (up to 20% from 14%) and account takeovers (down to 8% from 14%).

January 2026 Cyber Attacks Statistics

9 de Fevereiro de 2026, 08:23
After the cyber attacks timelines (part I and part II), it’s time to publish the statistics for January 2026 where I collected and analyzed 178 events. In January 2026, Cyber Crime continued to lead the Motivations chart with 76%, ahead of Cyber Espionage at number two with 19%, and Cyber Warfare with just three events.