Germany’s Federal Office for the Protection of the Constitution (BfV) and the Federal Office for Information Security (BSI) have issued an urgent joint advisory regarding a malicious cyber campaign currently targeting high-ranking officials. The operation primarily focuses on individuals in politics, the military, and diplomacy, as well as investigative journalists throughout Germany and Europe. According to the authorities, this campaign is likely the work of a state-sponsored threat actor utilizing the Signal messaging app to conduct sophisticated phishing attacks. The security agencies emphasized that unauthorized access to these messenger accounts not only jeopardizes confidential private communications but also creates a significant risk of compromising entire organizational networks.
The campaign is particularly notable because it does not rely on traditional malware distribution or the exploitation of technical software vulnerabilities. Instead, the attackers weaponize the legitimate features of the Signal platform to gain covert access to victim chats and contact lists. In one primary attack method, threat actors masquerade as official support entities, using names like Signal Support or Signal Security ChatBot to initiate contact. They pressure targets into providing a security PIN or a verification code received via SMS by claiming the user faces imminent data loss. If a target complies, the attackers can register the account on their own device, effectively gaining full control over the profile, settings, and contact information.
A second, more subtle attack sequence exploits the device linking feature of the app. In this scenario, attackers trick victims into scanning a QR code under false pretenses, which silently links the attacker’s device to the legitimate account. This allows the adversaries to monitor messages and contact lists for at least 45 days without the user realizing their privacy has been breached. While the current focus remains on Signal, BSI and BfV warned that similar tactics could be extended to WhatsApp due to its comparable device linking and two-step verification features. Similar campaigns, such as the GhostPairing activity detailed by Gen Digital in late 2025, have already demonstrated how numeric codes can be used to seize control of messaging accounts for impersonation and fraud.
This warning coincides with broader regional reports of state-aligned cyber activity. The Norwegian government recently accused groups such as Salt Typhoon of infiltrating organizations by exploiting vulnerable network devices. Furthermore, CERT Polska has identified a Russian hacking group known as Static Tundra as the likely party behind coordinated attacks on renewable energy farms and manufacturing plants. To defend against these evolving threats, security experts advise users to never share PINs via text and to enable the Registration Lock feature. Additionally, it is critical to periodically review all linked devices and immediately remove any that are unrecognized. These collective findings highlight a growing trend where psychological manipulation is used to bypass traditional encryption and security protocols.