CISA warns of active spyware campaigns hijacking Signal and WhatsApp accounts using spoofed apps, QR-code abuse and zero-click exploits targeting high-value users globally.

How Hackers Hijack WhatsApp Without Touching Your Phone

The420 Correspondent

The U.S. Cybersecurity and Infrastructure Security Agency issued an unusually stark warning Monday about a series of active, highly tailored spyware campaigns aimed at compromising users of mobile messaging platforms such as Signal and WhatsApp. The agency said the operations, carried out by sophisticated state-aligned and financially motivated actors, have broadened in scope this year and increasingly target high-ranking government, military and political figures across multiple continents.

The advisory marks the first time CISA has publicly grouped together a set of campaigns that use commercial spyware, remote-access trojans and zero-click exploitation chains to seize control of encrypted communications—often without the victim realizing anything is amiss.

A New Arsenal for Account Hijacking

“These cyber actors use sophisticated targeting and social engineering techniques to deliver spyware and gain unauthorized access to a victim’s messaging app,” the agency wrote, adding that the malware is frequently deployed as a beachhead for additional payloads capable of exfiltrating data or gaining persistent control of the underlying device.


Among the campaigns highlighted:

  • Linked-device abuse on Signal, where multiple Russia-aligned groups exploited the platform’s legitimate device-linking feature to silently take over accounts.

  • ProSpy and ToSpy, Android malware families masquerading as Signal, ToTok and other communication apps to target individuals in the United Arab Emirates.

  • ClayRat, a wide-reaching Android campaign in Russia that spread through Telegram channels and phishing pages spoofing WhatsApp, Google Photos, TikTok and YouTube.

  • A targeted WhatsApp campaign that likely chained two recently disclosed zero-day vulnerabilities—CVE-2025-43300 and CVE-2025-55177—affecting fewer than 200 users.

  • LANDFALL, spyware deployed to Samsung Galaxy devices in the Middle East via exploitation of CVE-2025-21042.

The range of exploits suggests attackers are actively adapting to platform defenses, blending social engineering and technical vulnerabilities to bypass encryption safeguards.

High-Value Targets in the Crosshairs

CISA’s alert notes that the activity disproportionately affects “high-value individuals,” including current and former government officials, military officers, political actors and civil-society leaders in the U.S., Europe and the Middle East.

Analysts say such targeting aims to erode the privacy guarantees of apps that rely on end-to-end encryption—platforms increasingly used for diplomatic, political and journalistic communication. “This is not bulk surveillance,” one senior U.S. official said. “These are precision operations designed to compromise people at the center of geopolitical decision-making.”

Spoofed Apps, QR Codes and Zero-Click Exploits

The campaigns deploy a wide array of attack methods. Some rely on QR codes used for linking devices, tricking users into granting access. Others bundle spyware inside convincingly spoofed versions of common apps. More technically sophisticated attacks leverage previously unknown iOS and Android vulnerabilities to compromise devices with no user interaction at all.

Experts warn that the blending of commercial spyware, nation-state techniques and cross-platform spoofing means traditional digital hygiene measures may not be enough for those at heightened risk.

CISA’s Playbook for High-Risk Users

In its guidance, CISA urges high-value individuals to adopt a hardened security posture, including:

  • Using only end-to-end encrypted communications

  • Enabling FIDO-based, phishing-resistant authentication

  • Avoiding SMS-based multi-factor authentication

  • Relying on password managers

  • Setting telecom provider PINs to protect mobile numbers

  • Keeping devices and apps updated

  • Using only official app stores

  • Avoiding personal VPNs, which can increase the risk of traffic manipulation

  • Enabling Lockdown Mode and iCloud Private Relay on iPhones

  • Using Android devices from manufacturers with strong security records

  • Enabling Google Play Protect and Enhanced Safe Browsing

  • Regularly auditing app permissions

The agency also recommends upgrading to the newest available hardware, noting that newer devices typically receive more frequent and robust security updates.

A Global Escalation in Mobile Surveillance

The campaigns underscore a shift in global cyber espionage toward mobile ecosystems, where messaging apps have become central to professional, political and personal communication. As platforms expand encryption, attackers appear focused on compromising the endpoints where messages originate—phones, tablets and linked devices.

With multiple nation-state-aligned campaigns now discovered within months of each other, U.S. officials said the alert is intended not only as a warning but as a call for resilience. “We are seeing a sustained escalation in efforts to undermine encrypted communications,” one official said. “High-risk users must assume they are targets and act accordingly.”
