This article discusses a phishing campaign that exploits Signal’s linked devices feature to compromise user accounts. By employing malicious QR codes masked as legitimate resources, attackers can connect victims’ accounts to their own instances, allowing continuous eavesdropping on secure conversations. UNC5792, a suspected Russian espionage group, has been identified as leveraging this technique to gain unauthorized access to Signal accounts.
Affected: Signal users, Ukrainian military, Russian military forces
Keypoints :
- Phishing campaigns are using Signal’s legitimate “linked devices” feature to compromise accounts.
- Attackers craft malicious QR codes that link victim accounts to actor-controlled Signal instances.
- Linked accounts allow real-time eavesdropping without full device compromise.
- Malicious QR codes are often disguised as legitimate Signal resources.
- APT44 has conducted close-access operations using these techniques.
- UNC5792 has modified Signal group invites to direct victims to malicious URLs.
- Fake group invite pages carry JavaScript that triggers device linking instead of joining a group, so the victim’s account is linked without their knowledge.
MITRE Techniques :
- T1193: Spearphishing Link – Phishing emails contain links to malicious QR codes that link Signal accounts to attacker-controlled infrastructure.
- T1195: Supply Chain Compromise – Use of modified Signal group invite pages to exploit trusted communications.
- T1071: Application Layer Protocol – Communication through Signal’s application layer for eavesdropping.
Indicators of Compromise :
- URI prefix sgnl://linkdevice?uuid= (Signal device-linking URI embedded in malicious QR codes or fake invite pages)
- Malicious URL (actor-controlled infrastructure for Signal group invites)
Full Story: https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger/
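As an added example (not code from the original summary or the linked report), a small Python triage helper that classifies a decoded QR-code or link payload and scans a fetched “group invite” page body for the device-linking URI listed under Indicators of Compromise. Assumptions: the signal.group host for genuine group-invite links and the pub_key query parameter come from Signal’s public link formats, not from this page; every sample payload below is constructed.

```python
import re
from urllib.parse import urlparse, parse_qs

# Indicator from the summary: Signal's device-linking URI. A genuine link request is
# generated on the victim's own secondary device, so one that arrives in a message,
# a QR code or an "invite" page is a red flag for a defender.
LINK_DEVICE_PREFIX = "sgnl://linkdevice?uuid="
GROUP_INVITE_HOST = "signal.group"   # assumption: host of public Signal group-invite links
LINK_URI_RE = re.compile(r"""sgnl://linkdevice\?[^\s"'<>]+""")

def classify_payload(payload: str) -> dict:
    """Classify one decoded QR-code or link string as device_link / group_invite / other."""
    parsed = urlparse(payload.strip())
    target = parsed.netloc or parsed.path.lstrip("/")
    if parsed.scheme == "sgnl" and target == "linkdevice":
        params = parse_qs(parsed.query, keep_blank_values=True)
        return {"verdict": "device_link", "risk": "high",
                "uuid": params.get("uuid", [""])[0],
                # pub_key is assumed here as the other parameter of a linking URI
                "has_pub_key": "pub_key" in params}
    if parsed.scheme == "https" and parsed.netloc == GROUP_INVITE_HOST:
        return {"verdict": "group_invite", "risk": "low"}
    return {"verdict": "other", "risk": "unknown"}

def find_embedded_link_uris(page_body: str) -> list:
    """Return every device-linking URI found in a fetched 'group invite' page body,
    e.g. the target of a script-driven redirect."""
    return LINK_URI_RE.findall(page_body)

# Constructed samples (not real campaign data).
SAMPLE_QR_GROUP = "https://signal.group/#CjQKIEXAMPLEINVITEBYTES"
SAMPLE_QR_LINK = ("sgnl://linkdevice?uuid=11111111-2222-3333-4444-555555555555"
                  "&pub_key=BASE64EXAMPLE")
SAMPLE_INVITE_PAGE = """<html><body><h1>Join our group</h1>
<script>window.location = "sgnl://linkdevice?uuid=11111111-2222-3333-4444-555555555555&pub_key=BASE64EXAMPLE";</script>
</body></html>"""

if __name__ == "__main__":
    for p in (SAMPLE_QR_GROUP, SAMPLE_QR_LINK):
        print(p, "->", classify_payload(p))
    print("embedded:", find_embedded_link_uris(SAMPLE_INVITE_PAGE))
```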