CISA Alerts on Active Spyware Campaigns Targeting High-Value Signal and WhatsApp Users

The United States Cybersecurity and Infrastructure Security Agency (CISA) has issued a new advisory warning that multiple threat groups are conducting active spyware operations aimed at users of secure messaging platforms, particularly Signal and WhatsApp. The agency said attackers are deploying commercial spyware and remote access trojans to breach mobile devices through targeted social engineering and advanced exploitation techniques.

According to CISA, the attackers use these tools to gain unauthorized access to messaging applications, allowing them to install additional malware capable of extracting data and maintaining long-term control of compromised devices.

Recent Campaigns Identified

CISA highlighted several espionage operations uncovered this year. These include activities by Russia-aligned groups targeting Signal through abuse of the platform’s linked devices feature. The agency also referenced ProSpy and ToSpy spyware campaigns distributed through fake Signal and ToTok apps in the United Arab Emirates.

Another operation, known as ClayRat, relied on Telegram channels and phishing pages to impersonate WhatsApp, Google Photos, TikTok, and YouTube, enabling attackers to infect Android users in Russia.

CISA additionally cited a sophisticated campaign that likely combined two vulnerabilities in iOS and WhatsApp, CVE-2025-43300 and CVE-2025-55177, which enabled the targeting of fewer than 200 WhatsApp users. A separate attack used Samsung’s CVE-2025-21042 vulnerability to deliver LANDFALL spyware to Galaxy devices in the Middle East.

Target Profiles

The agency stated that these operations are primarily aimed at high-value individuals. Targets include senior government and military officials, political leaders, journalists, and members of civil society in the United States, Europe, and the Middle East.

Attack Techniques

CISA reported that attackers are using several methods to compromise devices. These include QR-code-based device linking, zero-click exploits, and spoofed versions of popular messaging apps.

CISA Recommendations

CISA urged individuals at elevated risk to follow enhanced mobile security practices. These include the use of end-to-end encrypted communication, FIDO-based authentication, avoidance of SMS-based multi-factor authentication, and the use of password managers. The agency also advised users to set a telecom provider PIN, maintain regular software updates, and avoid personal VPN services.

For iPhone owners, CISA recommended enabling Lockdown Mode, activating iCloud Private Relay, and limiting sensitive app permissions. For Android users, the agency advised selecting devices from manufacturers with strong security reputations, ensuring Google Play Protect is active, enabling Enhanced Protection in Chrome, and reviewing app permissions regularly.