Ukraine’s Computer Emergency Response Team (CERT-UA) has issued a critical alert regarding a new wave of spear-phishing attacks. These campaigns target military personnel and defense industry employees by exploiting compromised Signal messenger accounts.
The attackers use trusted Signal contacts to send malicious files, making it more likely for recipients to engage with the content. This new campaign began in March 2025 and involves sending archives disguised as meeting summaries or military briefings.
Malware Delivered via Signal Attachments
Victims receive Signal messages containing an archive that includes a PDF and an executable file. The PDF acts as a decoy, while the executable launches the DarkTortilla malware. This loader decrypts and activates the Dark Crystal Remote Access Trojan (DCRAT), granting attackers full control over infected devices.
CERT-UA is tracking this activity under the identifier UAC-0200. Similar operations have occurred since June 2024, but attackers recently updated their lures to focus on more urgent and relevant military topics.
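The archive layout described above (a decoy PDF next to an executable) can be checked before anything is opened. The following Python sketch is an added example, not code from CERT-UA or the original article; it assumes the attachment is a ZIP file, and the extension lists, function names and sample archive are constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed extension lists; adjust to local policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".lnk"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}

def triage_archive(data: bytes) -> dict:
    """Inspect a ZIP attachment in memory, without extracting or running anything."""
    r = {"decoys": [], "executables": [], "double_extension": [],
         "mz_header": [], "encrypted": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
            last = suffixes[-1] if suffixes else ""
            if last in EXECUTABLE_EXTS:
                r["executables"].append(name)
                # "report.pdf.exe" shows as "report.pdf" when extensions are hidden
                if len(suffixes) > 1 and suffixes[-2] in DECOY_EXTS:
                    r["double_extension"].append(name)
            elif last in DECOY_EXTS:
                r["decoys"].append(name)
            if info.flag_bits & 0x1:  # encrypted member: content cannot be checked
                r["encrypted"].append(name)
                continue
            with zf.open(info) as fh:
                if fh.read(2) == b"MZ":  # PE/DOS magic, whatever the extension says
                    r["mz_header"].append(name)
    # Policy assumption: unreadable (encrypted) members count as unverified.
    r["suspicious"] = bool(r["executables"] or r["mz_header"] or r["encrypted"])
    return r

def build_sample(with_executable: bool = True) -> bytes:
    """Constructed test archive; the 'executable' is two magic bytes plus padding."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("briefing.pdf", b"%PDF-1.4 constructed decoy")
        if with_executable:
            zf.writestr("briefing.pdf.exe", b"MZ" + b"\x00" * 62)
            zf.writestr("notes.dat", b"MZ" + b"\x00" * 62)
    return buf.getvalue()

if __name__ == "__main__":
    for key, value in triage_archive(build_sample()).items():
        print(f"{key}: {value}")
```

The header check catches a renamed executable that the extension lists alone would miss, as the constructed `notes.dat` member shows.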
Attack Themes Now Focus on UAVs and Military Tech
Since February 2025, the phishing messages have shifted. Attackers now reference subjects like unmanned aerial vehicles (UAVs), electronic warfare systems, and other defense technologies. These realistic lures make the attacks more convincing, increasing the likelihood of success.
The rise in attacks comes amid broader concerns about Russian cyber espionage. In February, Google’s Threat Intelligence Group revealed that Russian threat actors were misusing Signal’s “Linked Devices” feature to hijack targeted accounts.
Signal Security Tips for At-Risk Users
Users in sensitive roles or regions should take extra precautions. CERT-UA recommends turning off automatic downloads for all Signal attachments. Users should also verify the source of any file before opening it—even if it appears to come from a known contact.
Additionally, review your linked devices list in the Signal app to detect unauthorized access. Update your Signal app on all platforms and enable two-factor authentication for better account protection.