According to Google's Threat Intelligence Group, Russian-aligned hackers are increasingly targeting users of the encrypted messaging app Signal, exploiting the platform's "linked devices" feature to gain unauthorized access to sensitive communications through malicious QR codes.
Russian threat actors UNC5792 and UNC4221 have been identified as key players in targeting Signal users, employing sophisticated phishing techniques to compromise accounts:
UNC5792 (partially overlapping with UAC-0195) creates modified Signal group invites hosted on actor-controlled domains, replacing legitimate redirection code with malicious URIs to link victims' accounts to attacker-controlled devices [1][2].
UNC4221 (tracked as UAC-0185) targets Ukrainian military personnel using a custom phishing kit that mimics the Kropyva artillery guidance application. Their tactics include embedding malicious QR codes in Kropyva-themed phishing pages and deploying a JavaScript payload called PINPOINT to collect user information and geolocation data [1][2].
These groups demonstrate the evolving threat landscape, where secure messaging apps are increasingly targeted to gain access to sensitive military and government communications, particularly in the context of the ongoing conflict in Ukraine [3].
Russian threat actors have devised sophisticated methods to exploit Signal's device-linking feature using malicious QR codes. These codes are often disguised as legitimate Signal resources, such as group invites or device pairing instructions, or embedded in phishing pages mimicking specialized applications used by targeted individuals [1][2]. When scanned, these QR codes link the victim's Signal account to an attacker-controlled device, allowing real-time interception of messages without compromising the victim's device [3][4].
The exploitation techniques vary based on the target. For broader campaigns, attackers may use fake group invites or security alerts, while targeted attacks might involve phishing pages tailored to specific interests, such as military applications [2][5]. In some instances, Russian military forces have even exploited devices captured on the battlefield to compromise Signal accounts [3][6]. This method of attack is particularly concerning due to its low-signature nature, making it difficult to detect and potentially allowing compromises to go unnoticed for extended periods [7].
Signal's "Linked Devices" feature, designed to allow users to access their accounts on multiple devices, has become a target for Russian threat actors. Attackers exploit this functionality by creating malicious QR codes that, when scanned, link the victim's Signal account to a device controlled by the hacker [1][2]. This technique enables real-time interception of messages without compromising the target's device or breaking Signal's encryption [3].
The vulnerability has been exploited in various ways:
Disguising malicious QR codes as legitimate group invites or security alerts [1][4]
Embedding fake QR codes in phishing pages mimicking specialized military applications [3]
Modifying legitimate Signal group invitation pages to redirect users to malicious URLs [1]
Exploiting devices captured on the battlefield to access Signal accounts [1]
Google's Threat Intelligence Group warns that these tactics are likely to proliferate beyond the Ukrainian conflict, potentially affecting users globally and extending to other messaging platforms [5][6].
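The defensive point behind the techniques listed above is that a genuine group invite never needs to carry a device-linking URI, so a decoded QR payload or a redirect target on an "invite" page that resolves to one is a strong indicator of the account-linking trick. The following triage helper is an added example, not code from Google's report or from Signal; it assumes the `sgnl://linkdevice?uuid=...&pub_key=...` linking URI format and `https://signal.group/#...` invite links, and all sample values are constructed placeholders.

```python
from urllib.parse import urlparse, parse_qs, unquote

# Assumed formats (not taken from the report): Signal's device-linking QR
# decodes to an sgnl://linkdevice URI; group invites are https://signal.group/#<blob>.
DEVICE_LINK_SCHEME = "sgnl"
DEVICE_LINK_HOST = "linkdevice"
GROUP_INVITE_HOST = "signal.group"

# Constructed sample payloads, e.g. decoded from user-reported QR codes or pulled
# from the hrefs of a suspicious "invite" page. The uuid/pub_key are placeholders.
SAMPLE_PAYLOADS = [
    "https://signal.group/#CjQKIPLACEHOLDERGROUPINVITEBLOB",
    "sgnl://linkdevice?uuid=00000000-0000-4000-8000-000000000000&pub_key=BPLACEHOLDER",
    # invite-looking link whose redirect parameter smuggles an encoded linking URI
    "https://example.invalid/join?redirect=sgnl%3A%2F%2Flinkdevice%3Fuuid%3Dabc%26pub_key%3Dxyz",
    "https://signal.org/install/",
]


def classify_signal_uri(uri: str, depth: int = 0) -> str:
    """Return 'device-link', 'group-invite' or 'other' for one decoded payload.

    A linking URI hidden inside a query value or fragment of an otherwise
    ordinary link is still reported as 'device-link' (recursion is depth-limited).
    """
    p = urlparse(uri.strip())
    if p.scheme.lower() == DEVICE_LINK_SCHEME and p.netloc.lower() == DEVICE_LINK_HOST:
        return "device-link"
    if depth < 3:
        nested = [v for vals in parse_qs(p.query).values() for v in vals]  # already unquoted
        if p.fragment:
            nested.append(unquote(p.fragment))
        for candidate in nested:
            if "://" in candidate and classify_signal_uri(candidate, depth + 1) == "device-link":
                return "device-link"
    if p.scheme.lower() == "https" and (p.hostname or "").lower() == GROUP_INVITE_HOST and p.fragment:
        return "group-invite"
    return "other"


def triage_payloads(payloads):
    """Classify each payload; anything marked 'device-link' outside an intentional
    Signal Desktop/iPad pairing deserves an analyst's attention."""
    return [(uri, classify_signal_uri(uri)) for uri in payloads]


if __name__ == "__main__":
    for uri, verdict in triage_payloads(SAMPLE_PAYLOADS):
        print(f"{verdict:13} {uri}")
```

Against the constructed samples the second and third payloads are flagged as device-link, the first as a group invite and the last as other.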