CISA Warns of Active Spyware Campaigns Hijacking Signal and WhatsApp Users

These articles are AI-generated summaries. Please check the original sources for full details.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning on November 25, 2025, detailing active campaigns leveraging commercial spyware and Remote Access Trojans (RATs) to compromise users of mobile messaging apps. These campaigns exploit vulnerabilities and social engineering tactics, impacting high-profile targets across multiple regions.

Why This Matters

Current threat models often assume user diligence, but sophisticated actors are circumventing these safeguards with zero-click exploits and convincing social engineering. The possible compromise of high-ranking officials and sensitive data represents a significant national security risk, with remediation and damage-control costs potentially reaching millions.

Key Insights

  • CVE-2025-43300 & CVE-2025-55177: Exploited in targeted WhatsApp attacks, affecting fewer than 200 users.
  • Linked Device Feature Abuse: Russia-aligned actors exploit Signal’s “linked devices” to hijack accounts.
  • ProSpy & ToSpy: Android spyware campaigns impersonating legitimate apps to gain persistent access.

Practical Applications

  • Use Case: Government officials using Signal for sensitive communications are prime targets for account hijacking via linked devices.
  • Pitfall: Relying solely on SMS-based multi-factor authentication (MFA) leaves users vulnerable to SIM swapping attacks, a common initial access vector.
