russia_aligned_threat_actors

Also known asrussia_aligned_threat_actors

Russia-aligned threat actors are actively engaged in campaigns targeting users of mobile messaging applications, including Signal, WhatsApp, and Telegram. Their operations leverage a combination of sophisticated social engineering and technical exploits, such as abusing device-linking features, deploying zero-click vulnerabilities, and distributing spoofed or impersonated apps. Notable malware families and campaigns associated with these actors include ProSpy, ToSpy, ClayRat, and LANDFALL, with observed targeting of both Android and iOS platforms. These actors have demonstrated a focus on high-value individuals, specifically government, military, political officials, and members of civil society, with operations spanning the United States, Middle East, and Europe. Campaigns have included the exploitation of specific vulnerabilities (e.g., CVE-2025-43300, CVE-2025-55177, CVE-2025-21042) and the use of phishing, malicious QR codes, and impersonation of legitimate messaging platforms. The threat landscape is dynamic, with both opportunistic and targeted elements, and these actors are considered highly capable and persistent. No specific sub-groups or aliases are mentioned in the provided content.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

MITRE ATT&CK

Tradecraft

1 distinct technique observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

1 of 15 tactics1 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0006

Credential Access

1 technique

T1649

Steal or Forge Authentication Certificates

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

the hacker newsNews

Nov 25, 2025

CISA Warns of Active Spyware Campaigns Hijacking High-Value Signal and WhatsApp Users

Russia-aligned threat actors are targeting users of the Signal messaging app by exploiting the linked devices feature to hijack accounts, as part of broader campaigns leveraging commercial spyware and RATs against high-value individuals.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping1

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.