{"id":60358,"date":"2026-03-22T23:22:07","date_gmt":"2026-03-22T23:22:07","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/russians-are-posing-as-signal-support-to-launch-phishing-attacks\/"},"modified":"2026-03-22T23:22:07","modified_gmt":"2026-03-22T23:22:07","slug":"russians-are-posing-as-signal-support-to-launch-phishing-attacks","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/russians-are-posing-as-signal-support-to-launch-phishing-attacks\/","title":{"rendered":"Russians are posing as Signal support to launch phishing attacks"},"content":{"rendered":"<p><span class=\"label\">Infosec In Brief<\/span> Russian intelligence-affiliated parties are posing as customer support services on commercial messaging applications such as Signal to compromise accounts and conduct phishing attacks, the FBI and Cybersecurity and Infrastructure Security Agency (CISA) warned last Friday.<\/p>\n<p>The attacks target people with high intelligence value, like former government officials, military figures, politicians, and even journalists [We\u2019re flattered \u2013 <i>Ed<\/i>], and have snared thousands of individual accounts, allowing the Russians to read and send messages, and gather info from contact lists.<\/p>\n<p>The attackers send messages advising users of &#8220;suspicious activity&#8221; related to their accounts and urge them to click a link to conduct a verification process. 
Once victims click, the baddies connect their accounts to the victim&#8217;s, or completely take over the account if the user is daft enough to submit credentials or a 2FA code.<\/p>\n<p>Signal remains a highly secure way to exchange messages, but not even the best end-to-end encryption can stop intruders if users invite them in.<\/p>\n<p>The FBI and CISA offer <a target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/www.ic3.gov\/PSA\/2026\/PSA260320\">standard anti-phishing recommendations<\/a> in their brief about the attacks.<\/p>\n<h3 class=\"crosshead\">Uncle Sam seizes four domains used for Iranian psyops<\/h3>\n<p>The US Department of Justice has seized domains associated with the Iran-linked group behind the <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2026\/03\/11\/us_medtech_firm_stryker_cyberattack_iran\/\">cyberattack on med-tech firm Stryker<\/a>.<\/p>\n<p>These websites, the feds say, were used to incite violence and claim credit for disrupting the US med-tech firm&#8217;s operations. 
The domains were Justicehomeland[.]org, Handala-Hack[.]to, Karmabelow80[.]org and Handala-Redwanted[.]to.<\/p>\n<p>The attack in question hit <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2026\/03\/11\/us_medtech_firm_stryker_cyberattack_iran\/\">US med-tech firm Stryker<\/a> through a hole in <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2026\/03\/19\/microsoft_intune_lockdown_stryker\/\">Microsoft Intune<\/a>, wiping out information on employees&#8217; devices. Iranian hacktivist group Handala, considered to be a <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2026\/03\/10\/cybercrime_iran_mois\/\">front for the nation\u2019s Ministry of Intelligence and Security (MOIS)<\/a>, claimed credit for the Stryker attack on one of the sites, Handala-hack[.]to.<\/p>\n<p>Operators of the sites also used them to doxx members of the Israeli Defense Forces (IDF), and to post claims of having stolen 851GB of confidential data from the Sanzer Hasidic Jewish Community.<\/p>\n<p>FBI chief Kash Patel warned in a statement: &#8220;This FBI will hunt down every actor behind these cowardly death threats and cyberattacks and will 
bring the full force of American law enforcement down on them.&#8221;<\/p>\n<p>But someone claiming to represent Handala was not impressed, posting a <a target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/flare.io\/learn\/resources\/blog\/handala-seizure\">defiant message<\/a> that states: &#8220;They may have taken down our website, but they will never take down our spirit, our resolve, or the power of truth.&#8221;<\/p>\n<p>That &#8220;truth&#8221; apparently includes allegations of &#8220;witchcraft ceremonies&#8221; by the Sanzer community, according to the <a target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/www.justice.gov\/opa\/pr\/justice-department-disrupts-iranian-cyber-enabled-psychological-operations\">FBI&#8217;s statement<\/a>, echoing age-old antisemitic myths used to justify violence towards Jewish people.<\/p>\n<h3 class=\"crosshead\">Banking services company warns 670,000 people of data theft<\/h3>\n<p>Marquis, a company that provides services to banks, sent out warning notices to more than 670,000 people that their information was stolen 
by a ransomware gang last August.<\/p>\n<p>The letter [<a target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/ago.vermont.gov\/sites\/ago\/files\/documents\/2026-03-16%20Marquis%20Software%20Solutions%20Data%20Breach%20Notice%20to%20Consumers.pdf\">PDF<\/a>] poses the terrifying question: &#8220;Who Are We, and Why Do We Have Your Information?&#8221;, before explaining the company is a marketing provider for financial institutions.<\/p>\n<p>Stolen data <a target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/marquis-ransomware-gang-stole-data-of-672-000-people-in-2025-cyberattack\/\">reportedly<\/a> included sensitive info like Social Security numbers, taxpayer IDs, and account info.<\/p>\n<p>In an attempt to make things right, Marquis offered victims one month&#8217;s free membership to a service from Epiq Privacy Solutions that&#8217;s meant to monitor misuse of personal information and resolve identity theft. It also encouraged victims to &#8220;remain vigilant by reviewing your account statements and credit reports for any unauthorized activity over the next 12 to 24 months,&#8221; as if we all don&#8217;t have enough on our plates already.<\/p>\n<h3 class=\"crosshead\">LeakNet discovers ClickFix social engineering<\/h3>\n<p>The LeakNet ransomware group has moved on from its usual tactic of buying stolen credentials and now uses the ClickFix social engineering scam, according to a new <a target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/reliaquest.com\/blog\/threat-spotlight-casting-a-wider-net-clickfix-deno-and-leaknets-scaling-threat\">report<\/a> from security shop Reliaquest.<\/p>\n<p>ClickFix, which <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2025\/08\/22\/clickfix_report\/\">we&#8217;ve<\/a> <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2025\/11\/24\/clickfix_attack_infostealers_images\/\">covered<\/a> <a target=\"_blank\" 
href=\"https:\/\/www.theregister.com\/2026\/03\/06\/microsoft_spots_clickfix_campaign_abusing\/\">before<\/a>, uses fake messages, delivered through compromised but legitimate websites, to convince victims to take actions such as running commands that load a rootkit or other malware.<\/p>\n<p>LeakNet uses ClickFix to serve a fake &#8220;prove you are not a robot&#8221; dialog that asks users to open the Windows Run dialog with the Win + R shortcut and paste in a command that appears to be a link to a Cloudflare Turnstile verification page, but actually runs an <code>msiexec<\/code> command.<\/p>\n<p>That command downloads and executes a cleverly disguised loader based on the (legitimate) Deno runtime, which then runs the bad code directly in memory, helping to disguise the attack from file-focused forensic scanning techniques.<\/p>\n<p>The tactic, Reliaquest warns, could let LeakNet expand beyond its current hit rate of about three victims per month.<\/p>\n<h3 class=\"crosshead\">The AWS sandbox that isn&#8217;t<\/h3>\n<p>Security outfit BeyondTrust Phantom Labs <a target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/www.beyondtrust.com\/blog\/entry\/pwning-aws-agentcore-code-interpreter\">claims<\/a> that the AWS Bedrock AgentCore code interpreter&#8217;s sandbox isn&#8217;t much of a sandbox at all. Although Amazon said running this service in sandbox mode blocked external access entirely, Phantom Labs claims that public DNS queries get through, which could let malevolent outsiders establish command-and-control channels and suck out data.<\/p>\n<p>Phantom Labs says it told AWS about the problem last September through a HackerOne report, and AWS deployed a fix in November 2025 \u2013 but later rolled it back &#8220;due to other factors.&#8221; The end result? 
In December, Amazon updated its documentation to recommend customers use virtual private cloud mode if they want complete control over all inbound traffic.<\/p>\n<p>Amazon awarded the researcher a $100 gift card to the AWS Gear Shop, Phantom Labs says.<\/p>\n<h3 class=\"crosshead\">Strava leaks location of aircraft carrier<\/h3>\n<p>French newspaper Le Monde last week <a target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/www.lemonde.fr\/en\/international\/article\/2026\/03\/20\/stravaleaks-france-s-aircraft-carrier-located-in-real-time-by-le-monde-through-fitness-app_6751640_4.html\">reported<\/a> that a mariner aboard an aircraft carrier went for a seven-kilometer run on its deck \u2013 while tracking it with his smartwatch, which later uploaded the run to the exercise-tracking site Strava.<\/p>\n<p>The aircraft carrier\u2019s location was therefore visible to the world, which <i>The Register<\/i> understands is a fact navies don\u2019t like to reveal. France\u2019s armed forces should know better, given president Emmanuel Macron\u2019s bodyguards reportedly <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2024\/10\/29\/macron_location_strava\/?_gl=1*65sk86*_ga*MTI0MjE1MDMxNS4xNzE5OTg5NTg5*_ga_JXW44Y23NM*czE3NzQyMTY3MDMkbzIwNjYkZzEkdDE3NzQyMTY3MDgkajU1JGwwJGgw\">leaked their locations<\/a> with the fitness app. <i>\u2013 Simon Sharwood<\/i> \u00ae<\/p>\n<p> READ MORE <a href=\"https:\/\/go.theregister.com\/feed\/www.theregister.com\/2026\/03\/22\/russian_messaging_support_phishing_scam\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>PLUS: US takes down Iranian propaganda sites; Marketing company asks &#8216;Why Do We Have Your Information?&#8217; And more! 
Infosec In Brief\u00a0 Russian intelligence-affiliated parties are posing as customer support services on commercial messaging applications such as Signal to compromise accounts and conduct phishing attacks, the FBI and Cybersecurity and Infrastructure Security Agency (CISA) warned last Friday.\u2026 READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[63],"tags":[],"class_list":["post-60358","post","type-post","status-publish","format-standard","hentry","category-the-register"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Russians are posing as Signal support to launch phishing attacks 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/russians-are-posing-as-signal-support-to-launch-phishing-attacks\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Russians are posing as Signal support to launch phishing attacks 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/russians-are-posing-as-signal-support-to-launch-phishing-attacks\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2026-03-22T23:22:07+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2acB8L0sgqqeV15JwKJCoQAAAAtE&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/russians-are-posing-as-signal-support-to-launch-phishing-attacks\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/russians-are-posing-as-signal-support-to-launch-phishing-attacks\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Russians are posing as Signal support to launch phishing attacks\",\"datePublished\":\"2026-03-22T23:22:07+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/russians-are-posing-as-signal-support-to-launch-phishing-attacks\/\"},\"wordCount\":981,\"publisher\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/russians-are-posing-as-signal-support-to-launch-phishing-attacks\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2acB8L0sgqqeV15JwKJCoQAAAAtE&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"articleSection\":[\"The Register\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/russians-are-posing-as-signal-support-to-launch-phishing-attacks\/\",\"url\":\"https:\/\/www.threatshub.org\/blog\/russians-are-posing-as-signal-support-to-launch-phishing-attacks\/\",\"name\":\"Russians are posing as Signal support to launch phishing attacks 2026 | ThreatsHub Cybersecurity 
News\",\"isPartOf\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/russians-are-posing-as-signal-support-to-launch-phishing-attacks\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/russians-are-posing-as-signal-support-to-launch-phishing-attacks\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2acB8L0sgqqeV15JwKJCoQAAAAtE&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"datePublished\":\"2026-03-22T23:22:07+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/russians-are-posing-as-signal-support-to-launch-phishing-attacks\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.threatshub.org\/blog\/russians-are-posing-as-signal-support-to-launch-phishing-attacks\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/russians-are-posing-as-signal-support-to-launch-phishing-attacks\/#primaryimage\",\"url\":\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2acB8L0sgqqeV15JwKJCoQAAAAtE&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"contentUrl\":\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2acB8L0sgqqeV15JwKJCoQAAAAtE&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\"},{\"@type
\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/russians-are-posing-as-signal-support-to-launch-phishing-attacks\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.threatshub.org\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Russians are posing as Signal support to launch phishing attacks\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#website\",\"url\":\"https:\/\/www.threatshub.org\/blog\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform\",\"publisher\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\/\/www.threatshub.org\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/60358","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=60358"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/60358\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=60358"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=60358"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=60358"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}