TL-2026-0111 HIGH 2026-02-22 Campaign Report

Signal Messenger Hijacking — APT44/Sandworm QR Code Phishing and WAVESIGN Exfiltration

Threadlinqs Intelligence | 7 min read
Tags: signal-hijacking, qr-code-phishing, apt44, sandworm, wavesign, infamous-chisel, turla, unc5792, unc4221, russia-espionage

Threat ID: TL-2026-0111 | Severity: HIGH | Status: ACTIVE

Actors: APT44/Sandworm, UNC5792, UNC4221, Turla, UNC1151 | Nation: Russia, Belarus | Motivation: ESPIONAGE

MITRE Techniques: 28 | Detections: 9 | IOCs: 13+


QR code. One scan. Account hijacked.

Five Russia-aligned threat groups have converged on a single objective: compromising Signal Messenger accounts used by Ukrainian military personnel, journalists, and activists. The campaigns abuse Signal's legitimate QR code-based Linked Devices feature to silently mirror victim accounts to attacker-controlled instances, enabling real-time message interception without endpoint malware. No implant required. Google Threat Intelligence Group (GTIG) researcher Dan Black published the definitive account in February 2025, warning that these techniques will spread well beyond the Ukraine conflict.

Signal — the app millions trust for secure messaging — is being weaponized by Russia's most capable military hackers. Below: the full attack chain across all five actor clusters, WAVESIGN exfiltration breakdown, and 9 production-ready detection rules.

CERT-UA advisory on UAC-0185 phishing operations targeting Ukrainian defense sector personnel via weaponized Signal messages and linked device exploitation.

Executive Summary

Technical Analysis

The Linked Devices Blind Spot

Signal's Linked Devices feature allows users to pair a secondary device (desktop or tablet) by scanning a QR code. The protocol generates a sgnl://linkdevice?uuid= URI that, when invoked, binds the new device to the account. Once linked, all messages synchronize to both the primary device and the attacker's instance in real-time.

The critical insight: this produces no endpoint compromise indicators. No malware. No process injection. No file system artifact. The compromise lives entirely within Signal's legitimate infrastructure — traditional EDR and endpoint monitoring are completely blind to it. What caught our attention was how elegant this is: the attacker rides on top of a feature, not a vulnerability.

Actor-Specific Tradecraft

UNC5792 modified legitimate Signal group invite pages hosted on signal-groups[.]tech, replacing the standard sgnl://signal.group/ JavaScript redirect with a malicious sgnl://linkdevice?uuid= URI. Victims expecting to join a group instead link their account to an attacker device.
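The redirect swap described above can be checked for mechanically. The following is an added example, not code from the report or from Threadlinqs: it inventories the sgnl:// URIs in fetched page content and flags any device-linking URI on a page that presents itself as a group invite. The sample pages and the uuid value are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# URI forms from the report: a legitimate group invite vs. the device-linking
# URI that UNC5792 substitutes into copied invite pages.
GROUP_INVITE = re.compile(r"sgnl://signal\.group/[^\s\"'<>]*")
LINK_DEVICE = re.compile(r"sgnl://linkdevice\?[^\s\"'<>]*")

def classify_signal_uris(page_text: str) -> dict:
    """Inventory sgnl:// URIs in page content and flag device linking.

    A page presented as a group invite should only redirect to
    sgnl://signal.group/; any sgnl://linkdevice URI would pair the scanning
    account with a new device instead.
    """
    invites = GROUP_INVITE.findall(page_text)
    link_uris = []
    for uri in LINK_DEVICE.findall(page_text):
        # urlsplit treats 'linkdevice' as the netloc; the uuid sits in the query.
        params = parse_qs(urlsplit(uri).query, keep_blank_values=True)
        link_uris.append({"uri": uri, "uuid": params.get("uuid", [""])[0]})
    verdict = "SUSPECT_DEVICE_LINKING" if link_uris else "OK"
    return {"group_invites": len(invites), "link_device": link_uris, "verdict": verdict}

# Constructed sample pages (not captured phishing content). The second mimics the
# redirect substitution described above, with a placeholder uuid.
LEGIT_INVITE_PAGE = """<html><script>
window.location = "sgnl://signal.group/#CjQKIExAMPLEINVITE";
</script></html>"""
TAMPERED_INVITE_PAGE = """<html><script>
window.location = "sgnl://linkdevice?uuid=00000000-0000-4000-8000-PLACEHOLDER0";
</script></html>"""

if __name__ == "__main__":
    for name, page in (("legit", LEGIT_INVITE_PAGE), ("tampered", TAMPERED_INVITE_PAGE)):
        print(name, classify_signal_uris(page))
```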

UNC4221 built a dedicated phishing kit mimicking the Kropyva artillery guidance application used by Ukrainian military. The kit embeds malicious QR codes within fake Kropyva pages hosted on teneta.add-group[.]site and deploys PINPOINT, a JavaScript payload that harvests victim geolocation via the browser's GeoLocation API — combining message interception with physical position tracking.

APT44/Sandworm (GRU Unit 74455) operates through both remote and close-access vectors. The remote path uses WAVESIGN, a Windows Batch script that queries Signal's SQLite database via sqlcipher, decrypts messages, computes deltas with sqldiff, and exfiltrates via Rclone to cloud storage. The close-access path involves battlefield exploitation of captured Ukrainian devices.

Turla (FSB Center 16) deploys a lightweight PowerShell script targeting Signal Desktop, staging config.json and db.sqlite from %APPDATA%\Roaming\Signal\, compressing to ZIP, and copying to a network share for exfiltration.

UNC1151 (Belarus-linked) uses Robocopy to stage the entire Signal Desktop directory — messages and attachments — to C:\Users\Public\data\signa for later pickup. Low-tech but effective. Grab everything, sort it later.

Attack Chain

  1. Initial Access — Victim receives modified Signal group invite link (UNC5792) or Kropyva-themed phishing page (UNC4221) containing malicious QR code
  2. Credential Theft — Scanning the QR code triggers sgnl://linkdevice?uuid= URI, silently linking victim's Signal account to attacker device (T1528)
  3. Persistence — Linked device persists across sessions; all future messages delivered to both victim and attacker (T1098.005)
  4. Collection — Real-time message interception (linked device path) or direct database theft via WAVESIGN/PowerShell/Robocopy (T1005, T1213)
  5. Exfiltration — Rclone to cloud storage (APT44), ZIP to network share (Turla), staged directory for later pickup (UNC1151) (T1567.002, T1074.001)

CERT-UA advisory on UAC-0195 campaign targeting Signal accounts through crafted QR codes and malicious group invitations linked to Russian intelligence.

Threat Actor Profiles

APT44/Sandworm is GRU's Main Centre for Special Technologies (GTsST), Unit 74455. These are the operators behind NotPetya, Olympic Destroyer, and multiple Ukrainian power grid attacks. Six officers were indicted by the US DOJ in October 2020. Signal targeting represents their battlefield cyber-intelligence capability — pulling messages straight off captured phones.

Turla operates under FSB Center 16. Known for the Snake malware network (disrupted by DOJ in May 2023) and decades of espionage operations against NATO governments. Their Signal targeting uses minimal tooling — a single PowerShell script. Classic Turla: living off the land, quiet, and effective.

UNC5792 and UNC4221 are tracked by CERT-UA as UAC-0195 and UAC-0185 respectively. Both focus specifically on Ukrainian military communications interception, with UNC4221 distinguished by its Kropyva artillery app lures and PINPOINT geolocation collection.

UNC1151 is Belarus-linked, assessed as supporting Russian intelligence objectives. Their Robocopy-based approach is the least sophisticated but operationally effective.

Detection

The convergence of five actors on Signal creates a broad detection surface. The key principle: monitor for non-Signal processes accessing Signal Desktop's database and configuration files. Our analysis found this single detection philosophy covers all four Windows-based actor techniques in one shot.

Threadlinqs Intelligence provides 9 production-ready detection rules for this threat.
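The same detection philosophy expressed as a small rule engine over Sysmon-style process and file-access events, so the four actor patterns can be exercised side by side before porting to a SIEM. This is an added example, not one of the Threadlinqs rules; the event field names and the sample telemetry are constructed.

```python
from dataclasses import dataclass
from typing import Optional

SIGNAL_TARGETS = (r"\roaming\signal\sql\db.sqlite", r"\roaming\signal\config.json")
SIGNAL_IMAGES = ("signal.exe", "signal helper.exe")
WAVESIGN_TOOLS = ("sqlcipher.exe", "rc.exe", "rclone.exe")

@dataclass
class ProcEvent:
    image: str                 # full path of the acting process (Sysmon Image)
    command_line: str = ""
    target_file: str = ""      # file touched, for file-access events
    parent_image: str = ""

def classify_event(ev: ProcEvent) -> Optional[str]:
    """Return a '<rule>:<actor>' label for one event, or None if benign."""
    name = ev.image.rsplit("\\", 1)[-1].lower()
    cmd = ev.command_line.lower()
    target = ev.target_file.lower()
    path_ctx = (ev.image + " " + ev.parent_image).lower()
    # Rule 1 (all Windows actors): non-Signal process touching Signal's db/config.
    if any(target.endswith(t) for t in SIGNAL_TARGETS) and name not in SIGNAL_IMAGES:
        return "signal_db_access:any_actor"
    # Rule 2 (APT44): WAVESIGN tooling run from, or against, a Signal-named path.
    if name in WAVESIGN_TOOLS and "signal" in path_ctx + " " + cmd:
        return "wavesign_toolchain:APT44"
    # Rule 3 (UNC1151): Robocopy staging Signal data into a Public directory.
    if name == "robocopy.exe" and "signal" in cmd and "public" in cmd:
        return "robocopy_staging:UNC1151"
    # Rule 4 (Turla): PowerShell zipping the Signal profile for exfiltration.
    if name == "powershell.exe" and "compress-archive" in cmd and "signal" in cmd:
        return "powershell_staging:Turla"
    return None

def hunt(events) -> list:
    return [(ev.image, label) for ev in events if (label := classify_event(ev))]

# Constructed sample telemetry (not real logs); paths follow the report's IOCs.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\u\AppData\Local\Programs\signal-desktop\Signal.exe",
              target_file=r"C:\Users\u\AppData\Roaming\Signal\sql\db.sqlite"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", "cmd /c type config.json",
              target_file=r"C:\Users\u\AppData\Roaming\Signal\config.json"),
    ProcEvent(r"C:\ProgramData\Signal\Storage\sqlcipher.exe", "sqlcipher.exe db.sqlite"),
    ProcEvent(r"C:\Windows\System32\Robocopy.exe",
              r"Robocopy %APPDATA%\Roaming\Signal C:\Users\Public\data\signa /E"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"Compress-Archive -Path $env:APPDATA\Roaming\Signal -DestinationPath s.zip"),
]
```

Rule 1 fires on the cmd.exe event but not on Signal.exe reading its own database; the remaining three events each match exactly one actor-specific rule.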

Splunk SPL

This detection targets APT44/Sandworm's WAVESIGN toolchain — sqlcipher.exe and Rclone staged in the distinctive ProgramData\Signal\Storage\ path.

index=* sourcetype IN ("XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "WinEventLog:Security")
(process_name="sqlcipher.exe" OR process_name="rc.exe" OR process_name="rclone.exe"
 OR process_path="*\\ProgramData\\Signal\\Storage\\*")
| eval threat_tool=case(
    process_name="sqlcipher.exe" AND process_path LIKE "%ProgramData%Signal%", "WAVESIGN_sqlcipher",
    process_name IN ("rc.exe","rclone.exe") AND (command_line LIKE "%Signal%" OR parent_process_path LIKE "%Signal%"), "WAVESIGN_rclone",
    1=1, "unknown"
)
| where threat_tool!="unknown"
| stats count earliest(_time) as first_seen latest(_time) as last_seen by host, user, process_name, process_path, threat_tool
| sort -count

Catching Turla's PowerShell staging and UNC1151's Robocopy exfil — both dump Signal data to public or shared directories.

index=* sourcetype IN ("XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "WinEventLog:Security")
((process_name="robocopy.exe" command_line="*Signal*" command_line="*Public*")
 OR (process_name="powershell.exe" command_line="*Compress-Archive*" command_line="*Signal*"))
| eval actor=case(
    process_name="robocopy.exe", "UNC1151_robocopy_staging",
    process_name="powershell.exe" AND command_line LIKE "%Compress-Archive%", "Turla_powershell_staging",
    1=1, "unknown"
)
| stats count by host, user, actor, process_name, command_line

Microsoft KQL

We built this KQL query around one principle — any process that is not Signal.exe touching Signal's database or config files is suspicious. Covers all four Windows-based actor techniques.

DeviceFileEvents
| where Timestamp > ago(7d)
| where FolderPath has_any ("Roaming\\Signal\\sql\\db.sqlite", "Roaming\\Signal\\config.json")
| where InitiatingProcessFileName !~ "Signal.exe"
    and InitiatingProcessFileName !~ "Signal Helper.exe"
| project Timestamp, DeviceName, InitiatingProcessFileName,
    InitiatingProcessCommandLine, FolderPath, ActionType
| sort by Timestamp desc

Hunting for the core QR code phishing indicator — the sgnl://linkdevice URI in network traffic or browser activity.

DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has "sgnl://linkdevice"
    or RemoteUrl has_any ("signal-groups.tech", "signal-confirm.site",
        "signal-protect.host", "teneta.add-group.site")
| project Timestamp, DeviceName, RemoteUrl, InitiatingProcessFileName
| sort by Timestamp desc

Sigma

Sigma coverage for the multi-actor Signal database exfiltration pattern across all documented techniques.

title: Signal Desktop Database Exfiltration - Multi-Actor Detection
id: a7e3f192-4b8c-4d1e-9f6a-2c5d8e7b1a03
status: experimental
description: |
    Detects non-Signal processes accessing Signal Desktop database and config files.
    Covers WAVESIGN (APT44), PowerShell staging (Turla), Robocopy staging (UNC1151),
    and generic access patterns across all documented Russian actor techniques.
references:
    - https://intel.threadlinqs.com/#TL-2026-0111
    - https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger
author: Threadlinqs Intelligence
date: 2026/02/22
tags:
    - attack.collection
    - attack.t1005
    - attack.t1213
    - attack.exfiltration
    - attack.t1567.002
logsource:
    category: file_access
    product: windows
detection:
    selection_signal_files:
        TargetFilename|contains:
            - '\Roaming\Signal\sql\db.sqlite'
            - '\Roaming\Signal\config.json'
    filter_legitimate:
        Image|endswith:
            - '\Signal.exe'
            - '\Signal Helper.exe'
    condition: selection_signal_files and not filter_legitimate
falsepositives:
    - Backup software scanning AppData directories
    - Antivirus full-disk scans including user profile
level: critical

Browse all 9 detection rules for this threat: View on Threadlinqs Intelligence

MITRE ATT&CK Mapping

Tactic | Technique | ID | Context
Initial Access | Phishing: Spearphishing Link | T1566.002 | Modified Signal group invites with malicious QR codes
Initial Access | Phishing: Spearphishing via Service | T1566.003 | Signal-themed phishing delivered through messaging platforms
Persistence | Account Manipulation: Device Registration | T1098.005 | Linked Devices abuse for persistent account mirroring
Credential Access | Steal Application Access Token | T1528 | QR code scanning grants attacker device access to account
Collection | Data from Local System | T1005 | Signal database file theft (all Windows actors)
Collection | Data from Information Repositories | T1213 | Signal message history extraction via sqlcipher
Collection | Data Staged: Local Data Staging | T1074.001 | UNC1151 Robocopy staging to Public directory
Execution | Command and Scripting: PowerShell | T1059.001 | Turla PowerShell Signal config staging
Execution | Command and Scripting: Windows Command Shell | T1059.003 | WAVESIGN batch script execution
Execution | Command and Scripting: JavaScript | T1059.007 | UNC4221 PINPOINT geolocation payload
Exfiltration | Exfiltration to Cloud Storage | T1567.002 | APT44 Rclone exfiltration to cloud
Discovery | System Location Discovery | T1614 | PINPOINT browser GeoLocation API abuse
Resource Development | Acquire Infrastructure: Domains | T1583.001 | Phishing domains mimicking Signal
Lateral Movement | Remote Services: SMB/Windows Admin Shares | T1021.002 | Turla exfiltration to network share

Full MITRE ATT&CK mapping with 28 techniques: View coverage on Threadlinqs

Google Cloud Threat Intelligence report — 'Signals of Trouble' — documenting multiple Russia-aligned actors systematically targeting Signal Messenger through device linking abuse.

Indicators of Compromise

Network Indicators

Type | Indicator | Context
Domain | signal-groups[.]tech | UNC5792 — modified Signal group invite phishing
Domain | signal-confirm[.]site | Signal phishing infrastructure
Domain | signal-protect[.]host | UNC4221 — early 2022 fake security alert domain
Domain | teneta.add-group[.]site | UNC4221 — Kropyva artillery app phishing kit
URI | sgnl://linkdevice?uuid= | Core phishing payload — malicious device linking URI

File/Path Indicators

Type | Indicator | Context
Path | C:\ProgramData\Signal\Storage\sqlcipher.exe | WAVESIGN tool staging (APT44)
Path | C:\ProgramData\Signal\Storage\rc.exe | WAVESIGN Rclone binary (APT44)
Path | C:\Users\Public\data\signa | UNC1151 Robocopy staging directory
Target | %APPDATA%\Roaming\Signal\sql\db.sqlite | Signal encrypted message database
Target | %APPDATA%\Roaming\Signal\config.json | Signal encryption key material

Behavioral Indicators

Timeline

Date | Event
2022-01 | UNC4221 begins Signal phishing operations with fake security alert pages on signal-protect[.]host
2022-07 | UNC5792 deploys modified Signal group invite pages on signal-groups[.]tech with sgnl://linkdevice substitution
2023-08-31 | SSU Ukraine and UK NCSC jointly disclose Infamous Chisel Android malware targeting Signal on battlefield-captured devices
2024-04-17 | GTIG publishes APT44/Sandworm profile documenting battlefield Signal account capture
2024-07 | UNC4221 deploys Kropyva artillery app phishing kit with PINPOINT geolocation payload
2024-10 | CERT-UA advisory on UAC-0195 (UNC5792) Signal account compromise
2024-12 | CERT-UA advisory on UAC-0185 (UNC4221) Signal phishing kit targeting Ukrainian military
2025-02-01 | Signal releases hardened device-linking protections cooperating with GTIG investigation
2025-02-19 | GTIG publishes "Signals of Trouble" — full report on five Russian-aligned actors targeting Signal

TL-2026-0111 on Threadlinqs Intelligence — Signal messaging hijacking by Russia-aligned actors tracked with 12/12 detection coverage.

Recommendations

  1. Update Signal immediately on all platforms (Android and iOS) to the latest version containing hardened device-linking protections released in February 2025
  2. Audit Linked Devices — instruct all personnel to check Signal Settings > Linked Devices and remove any unrecognized entries. Establish this as a recurring security hygiene practice
  3. Block known phishing domains at DNS and proxy: signal-groups[.]tech, signal-confirm[.]site, signal-protect[.]host, teneta.add-group[.]site
  4. Deploy endpoint detection for non-Signal process access to %APPDATA%\Roaming\Signal\sql\db.sqlite and config.json — the single highest-value detection covering all four Windows-based actor techniques
  5. Brief personnel on QR code phishing — emphasize that Signal QR codes should only be scanned from trusted physical devices, never from web links or emails

References


Full threat intelligence, detection rules, and IOC feeds are available on Threadlinqs Intelligence. Track this threat: TL-2026-0111.