
Today — 9 May 2026 | Main stream
  • Cyber Security News

TCLBANKER Malware Targets Users Through Self-Propagating WhatsApp and Outlook Worm Modules

By: Dhivya
9 May 2026, 03:00

TCLBANKER, a highly sophisticated Brazilian banking trojan tracked under the campaign REF3076, represents a major update to the older Maverick and SORVEPOTEL families.

It stands out because it uses a fake, signed Logitech installer to infect systems and spreads automatically via WhatsApp and Microsoft Outlook.

The attack begins when a user downloads a malicious ZIP file. Inside this archive is an installer that abuses a real, digitally signed Logitech program called Logi AI Prompt Builder.

File directory contents showing a malicious DLL (Source: Elastic)

By using a technique known as DLL side-loading, the hackers trick the legitimate Logitech application into loading a malicious file instead of its normal system components. Once activated, this hidden loader takes control of the system to prepare the next stages of the attack.

Targeted process names decrypted by TCLBANKER (Source: Elastic)

TCLBANKER is carefully built to hide from security researchers. Before it fully unpacks, it checks whether the computer is running in a security sandbox. It looks for debugging tools, virtual machines, and specific antivirus software.

It also checks the system language and time zone to ensure the victim is actually located in Brazil. If the environment does not match a real Brazilian user, the payload refuses to decrypt, keeping the malware completely hidden from automated security scanners.


Encrypted bank/fintech/crypto domains (Source: Elastic)

TCLBANKER Malware Targets Users

Once the malware confirms it is on a real victim’s machine, it launches the main banking trojan.

This tool continuously monitors the user’s web browser to detect whether the user visits one of 59 targeted banks, financial technology platforms, or cryptocurrency websites. When a match is found, the malware connects to a remote server.

To steal passwords, the trojan uses full-screen overlays built with Microsoft’s Windows Presentation Foundation. These overlays cover the entire screen and look exactly like real banking prompts or official Windows Update screens.

Zip file containing TCLBANKER grabbed from the file server (Source: Elastic)

They freeze the desktop, block keyboard shortcuts such as the Windows key or Escape, and turn off screen-capture tools so the victim cannot record the fraud. The user is forced to enter their security codes or personal identification numbers directly into the hacker’s fake screen.

What makes TCLBANKER incredibly dangerous is its ability to spread automatically. The first worm module targets WhatsApp Web. The malware scans the computer for web browsers such as Chrome or Edge and looks for active WhatsApp accounts.

WhatsApp Web profile cloning and session hijacking (Source: Elastic)

Instead of asking the user to scan a new QR code, the malware secretly clones the saved session data. It then opens a hidden browser window, bypasses bot detection, and sends phishing messages and the malware file directly to the victim’s contacts. Because the messages come from a trusted friend, new victims are highly likely to download the file.

Elastic Security Labs found that the second worm module focuses on email. It silently opens Microsoft Outlook in the background and uses Windows COM automation to take complete control of the victim’s email account.

The bot searches the address book and inbox to harvest contacts. It then drafts completely new phishing emails and sends them from the infected user’s actual email address. This technique easily bypasses standard email security filters because the emails originate from a legitimate, trusted source.

Code related to filtering potential spam victim emails (Source: Elastic)

All of this malicious activity is managed using serverless cloud tools such as Cloudflare Workers. By using legitimate cloud services, the attackers can quickly change their servers and avoid being blocked by simple network defenses.

The hackers also host their malicious files on Cloudflare, making the download links look safe to the average user. Researchers note that this campaign is still in its early stages, suggesting that the threat actors are likely preparing to expand their targets.

To protect against TCLBANKER, organizations should look for unusual background processes spawned by Logitech applications.

Security teams must monitor for unauthorized browser profile cloning and watch for unusual spikes in outbound emails from Microsoft Outlook. Using advanced endpoint protection that detects unauthorized full-screen overlays is also essential to keeping systems safe from this evolving threat.
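The three detection ideas above (Logitech parents spawning odd children, the side-loaded DLL from the IoC table, and Outlook send spikes) as triage code over constructed Sysmon-style records. This is an added example, not Elastic's or Cyber Security News' code; the Logitech process name and path, the trusted DLL roots and the send-rate threshold are assumptions, while the DLL name and hashes come from the article's IoC table.

```python
"""Triage checks for the TCLBANKER detection guidance (added example, not Elastic's code).
Records are constructed Sysmon-style dicts: EventID 1 (process create) and 7 (image
load) with Sysmon field names, plus a minimal sent-mail log. Logitech process name and
path, trusted DLL roots and the send-rate threshold are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

SIDELOADED_DLL = "screen_retriever_plugin.dll"          # from the article's IoC table
TCLBANKER_LOADER_SHA256 = {                              # from the article's IoC table
    "701d51b7be8b034c860bf97847bd59a87dca8481c4625328813746964995b626",
    "8a174aa70a4396547045aef6c69eb0259bae1706880f4375af71085eeb537059",
    "668f932433a24bbae89d60b24eee4a24808fc741f62c5a3043bb7c9152342f40",
}
LOGITECH_PARENT_MARKER = "\\logitech\\"   # assumption: this path segment marks a Logitech app
# Children worth flagging under a Logitech parent: browsers (WhatsApp Web session
# cloning), Outlook (COM automation) and the usual script hosts.
SUSPICIOUS_CHILDREN = {"chrome.exe", "msedge.exe", "outlook.exe",
                       "powershell.exe", "cmd.exe", "wscript.exe"}
# Assumption: a vendor DLL belongs under these roots, not in user-writable directories.
TRUSTED_DLL_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def sha256_of(hashes_field):
    """Pull the SHA-256 out of a Sysmon 'SHA256=...,MD5=...' Hashes field."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""

def check_image_load(evt):
    """EventID 7: the side-loaded DLL by known hash, or loaded from an unexpected place."""
    path = evt["ImageLoaded"]
    if basename(path) != SIDELOADED_DLL:
        return None
    loader = basename(evt["Image"])
    if sha256_of(evt.get("Hashes", "")) in TCLBANKER_LOADER_SHA256:
        return f"known TCLBANKER loader hash loaded by {loader}: {path}"
    if not path.lower().startswith(TRUSTED_DLL_ROOTS):
        return f"{SIDELOADED_DLL} loaded from non-standard path by {loader}: {path}"
    return None

def check_process_create(evt):
    """EventID 1: a Logitech process spawning a browser, Outlook or a script host."""
    parent, child = evt["ParentImage"].lower(), basename(evt["Image"])
    if LOGITECH_PARENT_MARKER in parent and child in SUSPICIOUS_CHILDREN:
        return f"Logitech process {basename(parent)} spawned {child}"
    return None

def outlook_send_spikes(sent, window=timedelta(minutes=10), threshold=20):
    """Return {sender: peak} for senders with more than `threshold` sends in any `window`."""
    by_sender = defaultdict(list)
    for rec in sent:
        by_sender[rec["sender"]].append(datetime.fromisoformat(rec["time"]))
    spikes = {}
    for sender, times in by_sender.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):          # sliding window over sorted send times
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            spikes[sender] = peak
    return spikes

def triage(events, sent_mail):
    """Run every check and return the list of human-readable findings."""
    checks = {1: check_process_create, 7: check_image_load}
    findings = []
    for evt in events:
        check = checks.get(evt["EventID"])
        hit = check(evt) if check else None
        if hit:
            findings.append(hit)
    for sender, peak in outlook_send_spikes(sent_mail).items():
        findings.append(f"{sender} sent {peak} messages within 10 minutes")
    return findings

# Constructed sample telemetry; the Logitech executable name is hypothetical.
LOGI_EXE = r"C:\Users\ana\AppData\Local\Temp\Logitech\LogiPromptBuilder.exe"
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": LOGI_EXE,
     "ImageLoaded": r"C:\Users\ana\AppData\Local\Temp\Logitech\screen_retriever_plugin.dll",
     "Hashes": "SHA256=701D51B7BE8B034C860BF97847BD59A87DCA8481C4625328813746964995B626"},
    {"EventID": 7, "Image": LOGI_EXE,                       # benign: vendor path, unknown hash
     "ImageLoaded": r"C:\Program Files\Logitech\screen_retriever_plugin.dll",
     "Hashes": "SHA256=" + "0" * 64},
    {"EventID": 1, "ParentImage": LOGI_EXE,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",  # benign: user-launched browser
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
]
_BASE = datetime(2026, 5, 9, 9, 0, 0)
SAMPLE_SENT = ([{"sender": "ana@example.com", "time": (_BASE + timedelta(seconds=20 * i)).isoformat()}
                for i in range(25)] +                      # 25 sends within eight minutes
               [{"sender": "bob@example.com", "time": (_BASE + timedelta(hours=i)).isoformat()}
                for i in range(3)])
```

`triage(SAMPLE_EVENTS, SAMPLE_SENT)` yields three findings for the constructed data: the known loader hash, the Logitech parent spawning chrome.exe, and ana's 25 sends in one window.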

IoC

Observable | Type | Name | Reference
701d51b7be8b034c860bf97847bd59a87dca8481c4625328813746964995b626 | SHA-256 | screen_retriever_plugin.dll | TCLBanker loader component
8a174aa70a4396547045aef6c69eb0259bae1706880f4375af71085eeb537059 | SHA-256 | screen_retriever_plugin.dll | TCLBanker loader component
668f932433a24bbae89d60b24eee4a24808fc741f62c5a3043bb7c9152342f40 | SHA-256 | screen_retriever_plugin.dll | TCLBanker loader component
63beb7372098c03baab77e0dfc8e5dca5e0a7420f382708a4df79bed2d900394 | SHA-256 | XXL_21042026-181516.zip | TCLBanker initial ZIP file
campanha1-api.ef971a42[.]workers.dev | domain-name | | TCLBanker C2
mxtestacionamentos[.]com | domain-name | | TCLBanker C2
documents.ef971a42.workers[.]dev | domain-name | | TCLBanker file server
arquivos-omie[.]com | domain-name | | TCLBanker phishing page (under development)
documentos-online[.]com | domain-name | | TCLBanker phishing page (under development)
afonsoferragista[.]com | domain-name | | TCLBanker phishing page (under development)
doccompartilhe[.]com | domain-name | | TCLBanker phishing page (under development)
recebamais[.]com | domain-name | | TCLBanker phishing page (under development)

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.


The post TCLBANKER Malware Targets Users Through Self-Propagating WhatsApp and Outlook Worm Modules appeared first on Cyber Security News.

TCLBANKER Malware Leverages WhatsApp and Outlook Worm Features in Active Attacks

TCLBANKER is a sophisticated Brazilian banking trojan deployed through a trojanized Logitech installer and capable of hijacking victims’ WhatsApp and Outlook accounts to spread itself to new targets. The campaign, tracked as REF3076, delivers TCLBANKER through a malicious MSI installer bundled inside a ZIP file. The installer abuses a signed Logitech application, Logi AI Prompt Builder, via […]

The post TCLBANKER Malware Leverages WhatsApp and Outlook Worm Features in Active Attacks appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

Before yesterday | Main stream
  • Malwarebytes

Update WhatsApp now: Two new flaws could expose you to malicious files

5 May 2026, 08:39

Meta has published a new security advisory for messaging app WhatsApp, announcing patches for two vulnerabilities.

WhatsApp has fixed two security flaws that could be abused to interfere with how media and attachments are handled on your device. There is no evidence that either bug has been exploited in the wild.

These bugs don’t automatically infect devices, but they lower the barrier for social engineering and could be chained with other vulnerabilities for more serious attacks.

Malicious messages

The first issue, tracked as CVE-2026-23866, affects how WhatsApp processes AI-generated “rich response messages” that embed Instagram Reels. On affected iOS and Android versions, incomplete validation means a specially crafted message could cause the app to load media from an attacker-controlled URL. In some cases, this could trigger operating system-level custom URL scheme handlers.

In other words: a booby‑trapped message could prompt your device to open content from an untrusted source.

How to update WhatsApp for Android

You can easily update WhatsApp from the Google Play Store.

  1. Open the Google Play Store
  2. Search for WhatsApp Messenger
  3. Tap Update

Note: Updates may not be available immediately in all regions.

How to update WhatsApp on iOS

To update WhatsApp on iOS:

  • Open the App Store
  • Tap your profile icon
  • Scroll to find WhatsApp and tap Update

If it’s not listed, search for WhatsApp to check if an “Update” button is available.

Misleading filenames

The second bug, CVE-2026-23863, affects WhatsApp for Windows before version 2.3000.1032164386.258709.

In this case, WhatsApp did not correctly handle filenames containing embedded NUL bytes. This could allow a file to appear as a harmless type in the interface while actually being treated as an executable when opened. That’s a classic recipe for social engineering: “click the PDF,” but get an .exe file.
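The displayed-versus-effective confusion behind the second bug, modelled as an added example (not WhatsApp's code): a length-aware UI derives the file type from the whole name, while a NUL-terminated consumer stops at the first NUL byte. The cutover at the first NUL is an assumption about this bug class, not a description of the patched client, and the executable-extension set is illustrative.

```python
"""Attachment-name check for the embedded-NUL confusion described above.

Added example, not WhatsApp's code. It contrasts two views of one attachment name:
the type a Unicode-aware UI string would display (extension of the full name) and the
type a NUL-terminated consumer would act on (extension of the name cut at the first
NUL). That cutover is an assumption about the bug class, not the patched client."""
import unicodedata

# Extensions a Windows shell would run rather than open in a viewer (illustrative set).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "bat", "cmd", "ps1", "vbs", "js", "msi", "lnk"}

def extension(name):
    """Lowercase extension of `name`, or "" for no extension or a leading-dot name."""
    stem, dot, ext = name.rpartition(".")
    return ext.lower() if dot and stem else ""

def assess_attachment_name(name):
    """Describe how `name` would be displayed versus how it would be opened."""
    effective_name = name.split("\x00", 1)[0]        # what a C-string consumer sees
    displayed_ext = extension(name)                   # what a length-aware UI shows
    effective_ext = extension(effective_name)
    return {
        "contains_nul": "\x00" in name,
        "displayed_extension": displayed_ext,
        "effective_name": effective_name,
        "effective_extension": effective_ext,
        # The dangerous case: looks harmless in the UI, runs as a program when opened.
        "masquerades_as_safe": (effective_ext in EXECUTABLE_EXTENSIONS
                                and effective_ext != displayed_ext),
    }

def sanitize_attachment_name(name, replacement="_"):
    """Make the displayed and effective names identical before the file is saved.

    Control characters (NUL included) are replaced, path separators are neutralised
    and surrounding dots/spaces trimmed, so both views agree on a single extension."""
    cleaned = "".join(replacement if unicodedata.category(ch) == "Cc" else ch for ch in name)
    cleaned = cleaned.replace("/", replacement).replace("\\", replacement).strip(" .")
    return cleaned or "attachment"

# Constructed sample names; only the first models the harmful pattern.
SAMPLE_NAMES = ["invoice.exe\x00.pdf", "report.pdf", "setup.exe", "notes\x00.txt"]

def flagged_samples():
    """Names from SAMPLE_NAMES that would show a safe type but open as an executable."""
    return [n for n in SAMPLE_NAMES if assess_attachment_name(n)["masquerades_as_safe"]]
```

An honest `setup.exe` is not flagged (both views agree), and `notes\x00.txt` is reported as containing a NUL without being a masquerade, since the truncated name has no executable extension.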

How to update WhatsApp for Windows

You can find your WhatsApp for Windows version number by clicking on your profile picture and selecting Help and feedback.

Version 2.3000.1038705703.261501

If your version number is earlier than 2.3000.1032164386.258709, update via the Microsoft Store:

  1. Click the Start menu and search for Microsoft Store to open it
  2. Click Library located at the bottom-left corner
  3. Find WhatsApp Desktop
  4. Click Get Updates or Update

Once installed, restart the app to apply the changes.

Automatic updates on Windows

My WhatsApp was already up to date because I have automatic updates turned on. Here’s how to turn it on:

  1. Click the Start menu and search for Microsoft Store to open it
  2. Select Profile (your account picture) > Settings
  3. Make sure App updates is toggled to On
Auto updates on Windows


WhatsApp Security Flaw Enables Malicious URL Execution Through Instagram Reels

WhatsApp has recently patched two notable security vulnerabilities that could have allowed attackers to execute malicious links and disguise dangerous files. The most alarming discovery involves a flaw in how WhatsApp processes Instagram Reels. This vulnerability allows remote threat actors to trigger arbitrary URLs on a victim’s device by exploiting unvalidated message elements. Meta’s latest […]

The post WhatsApp Security Flaw Enables Malicious URL Execution Through Instagram Reels appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Security Boulevard

U.S. Consumers Lost $2.1 Billion in Social Media Scams in 2025, FTC Says

1 May 2026, 09:47

An FTC report says that Americans last year lost $2.1 billion in social media scams, such as shopping and investment schemes. Social media sites have become the place where most of these scams start, and more than half of that money was stolen in scams that began on Facebook, WhatsApp, and Instagram.

The post U.S. Consumers Lost $2.1 Billion in Social Media Scams in 2025, FTC Says appeared first on Security Boulevard.

  • Security Affairs

Agent’s claims on WhatsApp access spark security concerns

30 April 2026, 13:39

A US agent claimed WhatsApp encryption is fake and Meta can access messages; the probe was abruptly shut, raising security concerns.

A US agent claimed WhatsApp encryption is fake, alleging Meta accesses all unencrypted messages, but the Commerce Department abruptly shut the probe, leaving leaders questioning whether consumer apps are safe for sensitive business decisions.

In early 2026, a remarkable exchange unfolded inside the U.S. Commerce Department that has since sparked debate across cybersecurity, privacy, and corporate governance circles. A special agent from the Bureau of Industry and Security (BIS) sent an email asserting something astonishing: Meta’s WhatsApp, despite its public claims of end-to-end encryption, allows the company to access and store all user messages, including texts, photos, audio, and video, in unencrypted form. Just months later, the investigation was abruptly terminated.

“After roughly 10 months of collecting documents and conducting interviews, the agent circulated a Jan. 16 email to more than a dozen officials across federal agencies outlining preliminary conclusions,” reported TechSpot. “According to records reviewed by Bloomberg and corroborated by recipients, the agent asserted that Meta’s systems allow access to message content in ways that conflict with how WhatsApp’s encryption has been publicly described.”

After a 10-month probe internally dubbed “Operation Sourced Encryption,” the BIS agent circulated a January 16 email to over a dozen federal officials.

“There is no limit to the type of WhatsApp message that can be viewed by Meta. Meta can and does view and store all the text messages, photographs, audio and video recordings in an unencrypted format,” reads the email the agent wrote.

The email also described a “tiered permissions system” in place since at least 2019, granting access not only to Meta employees but also to contractors and “a significant number of foreign/overseas workers in India.”

The email also suggested the conduct could involve “civil and criminal violations that span several federal jurisdictions,” though the agent did not specify which laws. Importantly, this was not a formal accusation; it was a preliminary conclusion from an internal investigation that would soon be scrubbed from existence.

However, shortly after the email circulated, senior leadership at BIS shut down the inquiry.

“The [agency] is not investigating WhatsApp or Meta for violations of export laws,” said a spokesperson for the agency, Lauren Weber Holley.

Meta strongly denied the claims.

“The claim that WhatsApp can access people’s encrypted communications is patently false,” said Meta spokesperson Andy Stone.

Meta says that only chat participants can read or hear messages on WhatsApp—not even the company itself. It has also defended this stance in court, including a 2021 case against India’s traceability rules.

Not everyone agrees with the agent’s claims. Former Meta security chief Alex Stamos said they are “almost certainly false.” He noted that any backdoor would have to exist in widely inspected app code, making it easy for researchers to find. He also argued Meta wouldn’t share such powerful access with contractors.

“A widespread backdoor would be easily found by security researchers,” Stamos said. “Also, a backdoor in WhatsApp would be a massive signals intelligence tool. There’s no way Meta would provide that capability to Accenture contractors if they had it.”

Still, two individuals interviewed by the agent claimed broad access to WhatsApp messages while performing content moderation work under contract with Accenture, which did not respond to comment requests.

The investigation’s closure leaves key questions unanswered, including what evidence was found and whether WhatsApp’s encryption will be further examined, keeping uncertainty high.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, WhatsApp)

Iran-linked Handala hackers leak US Marines data, send chilling WhatsApp threats

30 April 2026, 05:13

US Marines stationed around the Persian Gulf have been receiving WhatsApp messages from strangers suggesting they call home and make their final goodbyes. Read more in my article on the Hot for Security blog.
  • Cyber Security News

WhatsApp Testing Own Cloud Backup Provider for Default End-to-End Encryption

28 April 2026, 10:00

WhatsApp is currently developing an independent cloud backup system designed to give users more direct control over their chat histories.

This upcoming feature will allow users to store their backups securely on WhatsApp’s native servers.

The update aims to reduce reliance on third-party cloud services like Google Drive and Apple’s iCloud while enforcing strict cryptographic standards.

Solving the Storage Limit Problem

As users share more high-resolution media, WhatsApp chat backups frequently consume significant portions of personal cloud storage.

Currently, Android and iOS users must store their backups on their respective default cloud providers.

This setup forces users to share their limited storage space across emails, device backups, and heavy WhatsApp data files.

Once a user reaches their storage limit, they must either delete files or purchase additional space from Google or Apple.

To address this data bottleneck, WhatsApp is building a dual-provider system.

WhatsApp backups and storage limitations (Source: WABetaInfo)

Users will soon have the flexibility to stick with their current third-party service or switch to WhatsApp’s dedicated backup platform.

Key details regarding the new storage ecosystem include:

  • WhatsApp will offer a free tier with up to 2 GB of storage. However, it remains unclear whether this will be available to all users or reserved exclusively for WhatsApp Plus subscribers.
  • Developers are considering a premium storage plan offering 50 GB of space for approximately $0.99.
  • This premium tier provides an affordable alternative for users managing massive chat archives and media libraries.
  • All pricing models and storage limits are preliminary and subject to change based on market testing.

Mandatory End-to-End Encryption

Security remains the central focus of this independent storage system. If a user selects WhatsApp’s native cloud for backups, end-to-end encryption becomes mandatory for all data stored in the cloud.

This ensures that chat histories remain completely inaccessible to unauthorized parties, threat actors, and even WhatsApp itself.

To make this encryption both highly secure and user-friendly, WhatsApp is integrating device-based authentication.

According to WABetaInfo, users will have three options to secure their backup data:

  • Passkeys serve as the default method, allowing users to unlock backups using hardware-backed biometric scans, such as fingerprints or facial recognition.
  • Traditional alphanumeric passwords remain available for users who prefer manual entry.
  • A 64-digit encryption key offers a manual recovery option for advanced users wanting maximum cryptographic control.

Passkeys represent a major security upgrade for average users.

Because they are securely stored in a password manager and tied to trusted devices, they eliminate the risk of forgotten passwords while protecting against remote phishing attacks.

The WhatsApp Chat Backup Provider is currently under active development.

Engineers are rigorously testing the feature to ensure it integrates seamlessly with existing security frameworks.

Following internal validation, the feature will gradually roll out to select beta testers before receiving a wider public launch.

This capability marks a significant shift in how the platform handles user data, optimizing backup management while reinforcing mobile security.


The post WhatsApp Testing Own Cloud Backup Provider for Default End-to-End Encryption appeared first on Cyber Security News.

WhatsApp Tests Encrypted Cloud Backup Service for Safer Message Storage

WhatsApp is actively developing an independent, first-party cloud backup service featuring mandatory end-to-end encryption. This upcoming feature aims to reduce users’ reliance on third-party storage providers such as Google Drive and Apple’s iCloud. By bringing backup storage in-house, WhatsApp gives users greater control over their data privacy and device storage limits. All chat histories hosted […]

The post WhatsApp Tests Encrypted Cloud Backup Service for Safer Message Storage appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

UAC-0247 Hits Hospitals, Governments With Browser and WhatsApp Data Theft

A surge of targeted cyberattacks was detected against local governments and municipal healthcare institutions, particularly clinical and ambulance hospitals. The campaign has been attributed to threat cluster UAC-0247, known for advanced data theft, persistence, and lateral movement methods. The attack chain begins with well-crafted phishing emails that appear to discuss humanitarian aid proposals. These emails typically […]

The post UAC-0247 Hits Hospitals, Governments With Browser and WhatsApp Data Theft appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Malwarebytes
  • A week in security (March 30 – April 5)

Microsoft Warns of WhatsApp Attachments Spreading Backdoor on Windows PCs

Microsoft warns of WhatsApp attachments spreading VBS malware that installs backdoors on Windows PCs, giving hackers remote access to and control of systems.

  • Security Affairs

Italian spyware vendor creates Fake WhatsApp app, targeting 200 users

2 April 2026, 04:38

WhatsApp blocked a fake app by Italian firm SIO/Asigint that targeted 200 users with spyware, urging them to reinstall the official app.

WhatsApp has recently uncovered a malicious fake version of its app that targeted roughly 200 users, most of whom are in Italy. The platform confirmed that the unofficial client contained spyware and was developed by Italian firm Asigint, a subsidiary of SIO Spa, a company known for providing surveillance tools to law enforcement and government agencies.

“Our security team identified around 200 users, mostly in Italy, who we believe may have downloaded this unofficial and harmful client. We logged them out and alerted them to the privacy and security risks,” WhatsApp stated. “We believe this was a social engineering attempt targeting a limited number of users with the goal of inducing them to install harmful software impersonating WhatsApp, likely to gain access to their devices. Today, WhatsApp has taken action against Asigint, an Italian spyware company controlled by Sio Spa that created a fake version of WhatsApp. We believe the individuals behind this malicious client used social engineering techniques to trick people into downloading an unofficial and harmful app disguised as WhatsApp,” the Meta Group company said in a statement, adding that it intends to “send a formal legal notice to this spyware company to cease all harmful activity.”

The affected users were promptly logged out and notified of the potential risks to their privacy and security. WhatsApp advised them to remove the fake app and reinstall the official version, emphasizing that the incident did not involve a vulnerability in WhatsApp itself; the end-to-end encryption of legitimate apps remains intact.

According to WhatsApp, the attackers relied on social engineering techniques, tricking users into installing the counterfeit app, which was not available on official digital stores like the Apple App Store or Google Play. The approach suggests a highly targeted campaign, likely part of a broader investigation, rather than a mass-distribution attack.

“It is important to clarify that this was not a vulnerability in WhatsApp; end-to-end encryption continues to protect the communications of people using the official WhatsApp apps,” the Meta Group platform stated, as reported by the Italian press agency ANSA. “We believe the individuals behind this malicious client used social engineering techniques to convince people to download an unofficial and harmful app, passing it off as WhatsApp, likely to gain access to their devices. We intend to send a formal legal notice to this spyware company to cease any harmful activity.”

SIO, through Asigint, has a long history in the development of government-grade spyware. In a 2025 TechCrunch report, SIO was linked to Spyrtacus, a series of malicious Android apps that disguised themselves as WhatsApp and other popular applications. Spyrtacus allowed attackers to extract sensitive data from devices, including messages, contact lists, and call logs, as well as monitor users through microphones and cameras.

A WhatsApp spokesperson explained that the company plans to issue a formal legal demand to Asigint, requesting that the company cease all malicious activities. The platform stressed that holding spyware developers accountable under law is a crucial part of protecting users from targeted attacks. WhatsApp has previously achieved a precedent-setting outcome by holding a commercial spyware firm responsible under U.S. law for attempting to spy on users’ mobile devices.

The incident highlights a broader trend in digital surveillance: using fake apps as a tool for spying. Cybersecurity experts note that such tactics are common in operations targeting individuals for intelligence or law enforcement purposes.

“The fake WhatsApp campaign demonstrates the sophistication of modern social engineering techniques, where attackers exploit users’ trust in popular software to gain access to sensitive devices,” I told ANSA.

SIO describes itself as a team of software developers and architects leveraging advanced technologies to redefine human-computer interaction. According to its website, the company collaborates closely with law enforcement, government organizations, and intelligence agencies, boasting more than 30 years of experience in the sector. The fake WhatsApp case underlines how firms that operate in the intelligence space can inadvertently, or deliberately, target private users in ways that raise ethical and legal questions.

While the full scope of the attack remains unclear, the proactive response by WhatsApp underscores the importance of vigilance. Users are strongly encouraged to only download official applications and remain alert to suspicious links or prompts, especially when dealing with messaging or banking apps.

This case also demonstrates the evolving challenges of digital security in Italy and globally, where spyware developers increasingly use counterfeit applications to bypass traditional defenses and exploit user trust. Even though most affected individuals were Italian, the lessons extend to anyone using widely trusted apps. Awareness and timely updates are essential defenses against such targeted threats.

In conclusion, the WhatsApp-Asigint incident is a reminder of the ongoing arms race between privacy-focused platforms and surveillance-focused actors. While end-to-end encryption protects users of legitimate apps, attackers will continue to explore indirect methods, such as fake apps, to circumvent safeguards. Vigilance, legal accountability, and prompt user education remain the most effective tools for mitigating these sophisticated threats.

Pierluigi Paganini

  • Open Source Intelligence Brasil

Fake WhatsApp Using Your Image: How to Resolve It


Send an email to support@whatsapp.com


Subject:

Fake Profile - URGENT - Deactivate the account +55 [type the fake number]

Dear Sir/Madam,

The number +55 [type the fake number] has created an account and is using my image in its profile to request money from my contacts. Please deactivate this account, since it is being used to commit crimes under Brazilian law and also violates the terms of service. For any questions, I am available for clarification via my WhatsApp number +55 [type your real number].

Thank you,

Your name and phone number

  • ✇Malwarebytes
  • FBI, CISA warn of Russian hackers hijacking Signal and WhatsApp accounts

FBI, CISA warn of Russian hackers hijacking Signal and WhatsApp accounts

March 24, 2026, 10:39

In a Public Service Announcement (PSA) the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) warn the public about ongoing Russian-linked phishing campaigns that aim to gain access to messaging accounts.

Earlier this month we wrote about a large‑scale phishing campaign aimed at hijacking Signal and WhatsApp accounts belonging to senior officials, military personnel, civil servants, and journalists.

Now the FBI and CISA have joined European intelligence services in warning that the same tactics are being used in a broader campaign targeting these commercial messaging apps. The goal is not to break end‑to‑end encryption, but to walk straight around it by stealing access to individual accounts.

In our previous article, we focused on warnings from the Dutch intelligence services AIVD and MIVD, which described how Russian state‑backed actors approached high‑value targets via Signal and WhatsApp, posing as “Signal Support”, “Signal Security Bot”, or similar. The PSA demonstrates how the same groups are now running global phishing campaigns against messaging app accounts, with evidence suggesting thousands of compromised accounts worldwide.

It’s important to reiterate that the attackers have not managed to break the apps’ end-to-end encryption. Instead, they are relying on social engineering to get a device added so they can eavesdrop on accounts.

The current targets include current and former US government officials, military staff, political figures, and journalists, but there is nothing to stop the same techniques being reused against businesses and everyday users.

So, while it’s tempting to dismiss this as a problem for diplomats and generals (and the agencies issuing these alerts do mention high‑profile targets first), the techniques scale very easily. Once playbooks like these are public, they tend to be copied by cybercriminals looking for new ways to steal money or accounts.

How to protect your accounts

As the PSA puts it:

“Phishing remains one of the most unsophisticated, yet effective means of cyber compromise, often rendering other protections irrelevant”

This calls for basic security measures:

  • Treat unsolicited messages from “Support” inside apps as suspicious by default. Legitimate support for apps like Signal and WhatsApp does not ask you, in a chat message, to send back verification codes, PINs, or passwords. If you receive a warning about account problems, do not follow links in the message. Open the app’s settings directly or visit the official website through other means.
  • Never share SMS verification codes or app PINs. SMS codes are there to prove that you control a phone number. Anyone who has the code can pretend to be you. App‑specific PINs or passcodes are there to protect account changes. Giving them away is like handing over the keys to your account. Consider anyone asking for them to be a scammer.
  • Be careful what you discuss and with whom. Both the Dutch and US advisories remind us that even with end‑to‑end encryption, some conversations are too sensitive for commercial chat apps.
  • Use the extra security features these apps offer. Enable options like registration lock, registration PIN and device‑change alerts so that your account cannot be silently re‑registered without an extra secret. Store your PIN in a password manager instead of choosing something easy to guess or reusing a common code, to reduce the chance of social engineering or shoulder‑surfing.
  • Another useful feature is disappearing messages. Short‑timer and disappearing messages reduce how much content is available if an attacker gets into a chat later, or if someone obtains long‑term access to a device or backup. They are not a complete solution, but they can limit the damage.

What to do if you think your account was hijacked

If you suspect an attacker has taken over your messaging account:

  1. Try to re‑register your number in the app immediately to kick out other devices.
  2. Revoke all linked devices and change any app‑specific PINs or lock codes.
  3. Warn your contacts that someone may have impersonated you and ask them to treat recent messages with caution.
  4. Review recent conversations for signs of data theft (for example, shared IDs, documents, or passwords that should now be considered exposed).
  5. Report the incident to the app provider and, where appropriate, to national reporting centers such as the FBI’s Internet Crime Complaint Center (IC3) at ic3.gov or the relevant authority in your country.

The sooner you act, the smaller the window in which attackers can exploit your account.


  • ✇Security Affairs
  • Russia-linked actors target WhatsApp and Signal in phishing campaign Pierluigi Paganini

Russia-linked actors target WhatsApp and Signal in phishing campaign

March 22, 2026, 16:21

Russia-linked actors target WhatsApp and Signal accounts of officials and journalists via phishing, gaining access to messages and contacts.

Threat actors linked to Russian Intelligence Services are running phishing campaigns to hijack high-value accounts on messaging apps like WhatsApp and Signal, the FBI warns.

“The FBI has identified cyber actors associated with Russian Intelligence Services targeting users of commercial messaging applications, including Signal,” FBI Director Kash Patel wrote on X. “The campaign targets individuals of high intelligence value, including current and former U.S. government officials, military personnel, political figures, and journalists.”

The @FBI has identified cyber actors associated with Russian Intelligence Services targeting users of commercial messaging applications, including Signal.

The campaign targets individuals of high intelligence value, including current and former U.S. government officials,…

— FBI Director Kash Patel (@FBIDirectorKash) March 20, 2026

Targets include government officials, military personnel, politicians, and journalists. The attackers do not break app encryption but instead use phishing to gain account access. The attacks have already compromised thousands of accounts worldwide. Once inside, attackers can read messages, access contacts, impersonate victims, and launch further phishing using trusted identities.

Attackers especially target Signal but use similar tactics across other platforms. Users who strengthen their security and stay alert to social engineering attempts can reduce the risk and limit the impact of these attacks.

Russia-linked actors pose as messaging app support accounts and send phishing messages tailored to trick targets. They push users to click links or share verification codes or PINs. When victims comply, attackers gain access by linking their own device or taking over the account entirely. As the campaign evolves, they may also deploy malware to further compromise victims.

“If the user performs any of the requested actions, they unwittingly provide the actors with unauthorized access to their account either by adding the attacker’s device as a linked device or through a full account takeover,” reads a joint Public Service Announcement (PSA) published by CISA and the Federal Bureau of Investigation. “As the campaign evolves, actors may use additional techniques, such as malware to infect the victim.”


Phishing remains a simple but highly effective way to compromise accounts, bypassing protections like end-to-end encryption by targeting users directly. Attackers trick victims into sharing codes or clicking malicious links, gaining full account access.

Users should stay alert: pause if something feels off, never share PINs or 2FA codes, and treat unexpected messages with suspicion, even from known contacts. Always check links before clicking, verify group members, and use built-in security features.

Report suspicious activity quickly to security teams or authorities. Remember that legitimate app support will never ask for codes or send links to “verify” accounts; always use official channels.

Recently, Dutch intelligence agencies (MIVD and AIVD) also warned of a global campaign by Russia-linked threat actors aiming to compromise Signal and WhatsApp accounts. The operation targets government officials, civil servants, and military personnel, highlighting growing cyber risks to sensitive communications among national security actors.

Russian cyber spies are tricking users into revealing verification codes to hijack Signal and WhatsApp accounts. They impersonate Signal Support or exploit the “linked devices” feature, gaining access to messages and chat groups, potentially exposing sensitive information from government and military targets.

Dutch intelligence warned that Russia targets Signal for its strong end-to-end encryption, aiming to access sensitive government communications. Officials stressed that apps like Signal and WhatsApp should not be used for classified or confidential information.

The government experts pointed out that attackers don’t exploit app vulnerabilities but abuse legitimate features of Signal and WhatsApp. Only individual accounts are targeted, not the platforms themselves, officials say.


Pierluigi Paganini

(SecurityAffairs – hacking, WhatsApp, Signal)
