CISA: Spyware and RATs used to target WhatsApp and Signal Users

CISA warns that threat actors are actively using commercial spyware and RATs to target users of mobile messaging apps WhatsApp and Signal.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of threat actors using commercial spyware and remote access trojans (RATs) to target users of popular instant messaging applications, including WhatsApp and Signal.

“CISA is aware of multiple cyber threat actors actively leveraging commercial spyware to target users of mobile messaging applications (apps),” reads the advisory published by CISA. “These cyber actors use sophisticated targeting and social engineering techniques to deliver spyware and gain unauthorized access to a victim’s messaging app, facilitating the deployment of additional malicious payloads that can further compromise the victim’s mobile device.”

Attackers attempt to infect victims through phishing messages, malicious QR codes, zero-click exploits, and impersonation of apps like Signal and WhatsApp. Targeting appears opportunistic but often focuses on high-value figures (e.g., government, military, and political officials) and members of civil society across the U.S., Middle East, and Europe.

CISA urges users to consult its updated Mobile Communications Best Practices and the Mitigating Cyber Threats with Limited Resources guidance to protect messaging apps and reduce spyware risks.

CISA highlighted several recent campaigns, including Russia-aligned actors abusing Signal’s linked-device feature, Android spyware like ProSpy and ToSpy impersonating Signal and ToTok in the UAE, and ClayRat spreading via Telegram and fake WhatsApp/Google/TikTok apps in Russia. Other attacks chained iOS and WhatsApp flaws (CVE-2025-43300, CVE-2025-55177) against fewer than 200 users, and exploited a Samsung bug (CVE-2025-21042) to deploy LANDFALL spyware to Galaxy devices in the Middle East.

Pierluigi Paganini

(SecurityAffairs – hacking, commercial spyware)