
CISA Warns of Active Spyware Campaigns Hijacking High-Value Signal and WhatsApp Users

Severity: High
Published: Tue Nov 25 2025 (11/25/2025, 06:42:00 UTC)
Source: The Hacker News

Description

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday issued an alert warning of bad actors actively leveraging commercial spyware and remote access trojans (RATs) to target users of mobile messaging applications. "These cyber actors use sophisticated targeting and social engineering techniques to deliver spyware and gain unauthorized access to a victim's messaging app,

AI-Powered Analysis

Last updated: 11/25/2025, 06:56:52 UTC

Technical Analysis

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has alerted the public to ongoing spyware campaigns that target users of mobile messaging applications such as Signal and WhatsApp. The actors behind them, which include Russia-aligned groups, use commercial spyware and remote access trojans (RATs) to gain unauthorized access to victims' messaging accounts and mobile devices. Their techniques include social engineering, zero-click exploits that require no action from the victim, abuse of the apps' legitimate linked-device feature (the victim is tricked into scanning a QR code or opening a link that enrols the attacker's device, which then receives a copy of the victim's messages), and distribution of spoofed versions of legitimate apps.

Notable campaigns include ProSpy and ToSpy, which targeted Android users in the UAE by impersonating apps such as Signal and ToTok, and ClayRat, which targeted Russian users through Telegram channels and phishing pages mimicking WhatsApp, Google Photos, TikTok, and YouTube. A separate, narrowly targeted campaign chained zero-day vulnerabilities in iOS and WhatsApp (CVE-2025-43300 and CVE-2025-55177) to compromise fewer than 200 WhatsApp users. Another exploited a Samsung flaw (CVE-2025-21042) to deploy the LANDFALL spyware on Galaxy devices in the Middle East.

The targets are primarily high-value individuals: current and former government, military, and political officials, and members of civil society organizations, in the US, the Middle East, and Europe. Once installed, the spyware provides persistent access, exfiltrates data, and can stage additional malicious payloads, putting both the confidentiality of communications and the integrity of the device at risk.

CISA's guidance for highly targeted individuals is to use end-to-end encrypted communications exclusively, adopt phishing-resistant authentication such as FIDO and stop relying on SMS-based multi-factor authentication, use a password manager, set a PIN with the mobile carrier, keep software updated, and turn on the advanced security features that iOS and Android provide. The campaigns combine technical exploits with social engineering and show a high degree of operational sophistication and deliberate target selection.

Potential Impact

For European organizations the impact is significant, particularly for government agencies, political entities, military personnel, and civil society organizations, which are the primary targets. Compromise of a Signal or WhatsApp account exposes sensitive communications and enables espionage, data theft, and manipulation of information. Zero-click exploits succeed without any user interaction, while spoofed apps and device-linking lures rely on tricking the user; together they give the attackers several routes to the same high-value targets. Persistent spyware access permits long-term surveillance and data exfiltration, undermining the confidentiality of communications and, through the deployment of further payloads, the integrity of the device. Because mobile devices commonly carry both secure messaging and multi-factor authentication, a compromised handset also weakens the organization's wider authentication posture. Affected organizations may face reputational damage, operational disruption, and legal and regulatory consequences from the resulting data breaches. The geopolitical context, including tensions involving Russia and Middle Eastern states, raises the risk further for European countries with strategic political and military interests. Since the campaigns focus on individuals rather than infrastructure, a single successful compromise can have outsized consequences for national security and organizational trust.

Mitigation Recommendations

European organizations and high-value individuals should implement a layered set of measures tailored to the tactics seen in these campaigns:
1) Use end-to-end encrypted messaging apps exclusively, and review the Linked Devices list in Signal and WhatsApp regularly; unlink any device you do not recognize, since an attacker-linked device silently receives a copy of your messages.
2) Deploy phishing-resistant authentication such as FIDO2 security keys and stop using SMS-based MFA, which is exposed to SIM swapping and interception.
3) Use a reputable password manager to generate and store unique, complex passwords and eliminate credential reuse.
4) Set and enforce a PIN or port-out lock with the mobile carrier to block unauthorized number porting and SIM swaps.
5) Keep operating systems, firmware, and messaging apps up to date, prioritizing the fixes for CVE-2025-43300, CVE-2025-55177, and CVE-2025-21042.
6) Prefer current hardware models; older devices may lack the platform protections that blunt advanced exploits and may no longer receive patches.
7) On iOS, enable Lockdown Mode and iCloud Private Relay, and audit app permissions to restrict access to sensitive data.
8) On Android, choose manufacturers with a strong security record, enable Google Play Protect, use Enhanced Protection in Chrome, and grant app permissions sparingly.
9) Avoid personal VPNs, which move trust from the carrier to a VPN provider whose security and data handling are often weaker.
10) Run regular security awareness training on the social engineering and phishing lures used against messaging-app users, including fake device-linking QR codes.
11) Build monitoring and incident response capability to detect unexpected device-linking events and unauthorized app installations on managed devices.
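Item 5 asks organizations to prioritize the three named CVEs across their mobile fleet. The following is an added example, not code from CISA, The Hacker News, or this page, of how a security team might run that check over an MDM or asset-inventory export. The minimum fixed versions (iOS 18.6.2 for CVE-2025-43300, WhatsApp for iOS 2.25.21.73 for CVE-2025-55177, and the Samsung April 2025 security patch level for CVE-2025-21042) are assumptions taken from the vendors' public advisories and must be confirmed against current vendor data before the output is acted on; the inventory records and their field names are constructed for the example.

```python
"""Flag devices in a mobile inventory that still lack the fixes for the CVEs
named in the CISA alert.  Added example; the fixed-version thresholds are
ASSUMED from public vendor advisories and should be verified before use."""
import re

# Minimum fixed version per CVE: (platform, inventory field, minimum).
# ASSUMED values.  Only the standard WhatsApp iOS build and iOS itself are
# covered; WhatsApp Business, iPadOS and macOS have their own thresholds.
FIXED = {
    "CVE-2025-43300": ("ios", "os_version", "18.6.2"),            # Apple ImageIO OOB write
    "CVE-2025-55177": ("ios", "whatsapp", "2.25.21.73"),          # WhatsApp linked-device sync auth
    "CVE-2025-21042": ("android", "security_patch", "2025-04-01"),  # Samsung image codec (LANDFALL)
}


def parse_version(s):
    """Turn '18.6.2', '2.25.21.73' or a patch level '2025-04-01' into a tuple
    of ints.  Only the leading dotted/dashed numeric run is used, so a build
    tag such as '18.6 (22G5)' does not leak extra digits into the comparison."""
    m = re.match(r"\s*(\d+(?:[.-]\d+)*)", s or "")
    if not m:
        raise ValueError(f"unparseable version: {s!r}")
    return tuple(int(x) for x in re.split(r"[.-]", m.group(1)))


def is_fixed(observed, minimum):
    """True when observed >= minimum.  Shorter tuples are right-padded with
    zeros so '18.6' compares as 18.6.0; ISO patch levels compare by date."""
    a, b = parse_version(observed), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def exposure(device):
    """Return the CVE ids a single device record is still exposed to.  A
    missing field (for example WhatsApp not installed) means the CVE does
    not apply to that device."""
    hits = []
    for cve, (platform, field, minimum) in FIXED.items():
        if device.get("platform") != platform:
            continue
        if cve == "CVE-2025-21042" and device.get("vendor") != "samsung":
            continue  # Samsung-specific library; other Android vendors are not affected
        observed = device.get(field)
        if observed is None:
            continue
        if not is_fixed(observed, minimum):
            hits.append(cve)
    return hits


def report(inventory):
    """Map device id -> sorted list of unpatched CVEs, exposed devices only."""
    out = {}
    for device in inventory:
        hits = exposure(device)
        if hits:
            out[device["id"]] = sorted(hits)
    return out


# Constructed sample inventory (not real devices or real export data).
SAMPLE_INVENTORY = [
    {"id": "ios-001", "platform": "ios", "os_version": "18.6.1", "whatsapp": "2.25.20.81"},
    {"id": "ios-002", "platform": "ios", "os_version": "18.6.2 (22G100)", "whatsapp": "2.25.21.73"},
    {"id": "ios-003", "platform": "ios", "os_version": "26.0"},  # WhatsApp not installed
    {"id": "and-001", "platform": "android", "vendor": "samsung", "security_patch": "2025-03-01"},
    {"id": "and-002", "platform": "android", "vendor": "samsung", "security_patch": "2025-10-01"},
    {"id": "and-003", "platform": "android", "vendor": "google", "security_patch": "2025-03-01"},
]

if __name__ == "__main__":
    for dev, cves in report(SAMPLE_INVENTORY).items():
        print(f"{dev}: unpatched for {', '.join(cves)}")
```

A version check tells you which devices are still exposed to a fixed bug; it says nothing about devices that were exploited before the patch landed. For the high-value users the alert is about, pair it with the linked-device audit in item 1 and, where available, a device integrity check.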


Technical Details

Article Source: https://thehackernews.com/2025/11/cisa-warns-of-active-spyware-campaigns.html (fetched 2025-11-25T06:56:34Z, 1074 words)

Threat ID: 692553225d11bc51878e9805

Added to database: 11/25/2025, 6:56:34 AM

Last enriched: 11/25/2025, 6:56:52 AM

Last updated: 12/4/2025, 9:43:07 PM

Views: 91

