2 Remove Virus

CISA warns of zero-click spyware targeting WhatsApp, Signal users

The Cybersecurity and Infrastructure Security Agency has issued an alert warning that commercial spyware operators are targeting messaging platforms to deploy zero-click exploits on personal devices. The agency reports that attackers have focused on high-value individuals, including government officials, civil society members and senior figures in the private sector. According to the advisory, encrypted messaging programs are being used as delivery channels because attackers can manipulate linked-device features and account recovery tools.

CISA stated that recent activity involved WhatsApp, Signal and Telegram. According to the advisory, threat actors are using zero-click vulnerabilities, which allow them to compromise devices without any interaction from the victim, alongside social engineering techniques. Once inside a device, operators can deploy additional payloads to expand access, gather data or monitor communications. The agency noted that these operations have been observed across multiple regions and reflect ongoing interest in mobile-targeted espionage.

Techniques and identified targets

The advisory notes that many victims hold roles connected to diplomacy, defence or political decision-making. Researchers at Google’s Threat Intelligence Group and Palo Alto’s Unit 42 identified campaigns in which Russian-linked actors used Signal’s linked device feature to mirror accounts and deploy spyware. Attackers have also used phishing messages and malicious QR codes to connect target devices to attacker infrastructure. These methods allow operators to establish control through features that were designed to provide user convenience.

CISA reported that attackers sometimes impersonate legitimate messaging services to convince victims to approve fraudulent device links. Other techniques include exploiting account-recovery flows to insert attacker-controlled information. After gaining access, operators may observe private exchanges, extract credentials or install persistence tools that remain active across device restarts. The advisory explains that these tactics reduce the likelihood of detection and increase the duration of unauthorised access.

CISA warned that encrypted messaging programs do not eliminate exposure when attackers exploit features such as device linking or recovery mechanisms. High-value targets face heightened risk because their personal devices often contain sensitive material connected to professional duties. The agency observed that messaging platforms have become strategic points of interest for intrusions because attackers view private communications as valuable sources of intelligence.

The advisory recommends that users verify all linked devices within their messaging programs and avoid scanning QR codes or approving connection requests from unknown sources. CISA directed users to guidance included in the Mobile Communications Best Practices Guide for high-value individuals and an additional resource for civil society groups that operate with limited resources. Users are encouraged to enable the strongest available authentication options, review account activity and remove unrecognised device associations.

Security analysts said the shift toward zero-click methods indicates that attackers are investing in techniques that bypass common protections. According to the advisory, individuals who handle sensitive information should consider personal device security as an essential part of their broader operational risk strategy. Messaging platforms continue to attract interest from threat actors who seek access to private conversations, contact lists and authentication credentials.
