Overview
- CISA says multiple actors are actively deploying commercial spyware and remote access trojans (RATs) to compromise mobile messaging apps through sophisticated social engineering.
- The agency highlights tactics that include device-linking QR abuse, zero-click exploits, and spoofed or lookalike apps that mimic trusted services.
- Targeting is described as opportunistic with a focus on high-ranking officials and civil society across the United States, the Middle East, and Europe.
- Named activity spans 2025 campaigns such as ProSpy and ToSpy, ClayRat, Signal account hijacking via linked devices, and LANDFALL delivered through Samsung vulnerability CVE-2025-21042, plus a WhatsApp–iOS exploit chain using CVE-2025-43300 and CVE-2025-55177 against fewer than 200 users.
- Recommended defenses include end-to-end encrypted communications, FIDO authentication, avoiding SMS-based MFA and personal VPNs, password managers, telecom PINs, prompt updates, iPhone Lockdown Mode, and Android settings like Play Protect and permission audits.