Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to malware
MalwareUsed by 1 actor

WAVESIGN

WAVESIGN is a Windows batch script used to decrypt and exfiltrate data from Signal Desktop. Google Threat Intelligence Group (GTIG) reported its use by the Russian threat actor APT44, also known as Sandworm and FROZENBARENTS, which multiple governments attribute to GRU Unit 74455. The tooling has been described in the context of Russian operations supporting military objectives in Ukraine, including efforts to extract data from secure messaging applications such as Signal and Telegram from battlefield or captured devices. The content specifically and repeatedly identifies WAVESIGN as responsible for decrypting and exfiltrating Signal Desktop data on Windows systems; one source also broadly describes it as used to steal Signal and Telegram data from battlefield devices. The malware is associated with targeting Ukrainian military communications and defense-related entities. No specific indicators of compromise are provided in the content.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
Sandworm

GTIG has also identified APT44 leveraging WAVESIGN, a Windows Batch script responsible for decrypting and exfiltrating data from Signal Desktop.

via mandiant threat intelligencecloud.google.com
MITRE ATT&CK

Techniques & procedures

4 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques
T1200Hardware AdditionsEvidence1

"APT44 ... has attempted to exfiltrate information from Telegram and Signal ... likely via physical access to devices obtained during operations in Ukraine."

T1566PhishingEvidence1

"...resorted to malicious QR codes that, when scanned, will link a victim's account to an actor-controlled Signal instance... These QR codes are known to masquerade as group invites, security alerts, or legitimate device pairing instructions... embedded in phishing pages..."

Collection

2 techniques
T1005Data from Local SystemEvidence1

Russian threat actors have targeted secure messaging applications used by the Ukrainian military to communicate and orchestrate military operations, including via attempts to exfiltrate locally stored databases of these apps

T1213Data from Information RepositoriesEvidence1

“…including via attempts to exfiltrate locally stored databases of these apps…”

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app
rescana blogNews
Feb 15, 2026
Coordinated State-Sponsored Cyber Attacks Target Battlefield Management and Defense Supply Chains: Google Links China, Iran, Russia, North Korea

Windows batch-script tool used to decrypt and exfiltrate Signal and Telegram data from battlefield devices.

Read more
security affairsNews
Feb 14, 2026
Suspected Russian hackers deploy CANFAIL malware against Ukraine

Tool used by APT44 in operations targeting Signal/Telegram data; used to steal information from Windows and Android devices (per the cited summary).

Read more
the hacker newsNews
Feb 13, 2026
Google Links China, Iran, Russia, North Korea to Coordinated Defense Sector Cyber Operations

Windows batch script used to decrypt and exfiltrate data from Signal Desktop after likely physical access to devices.

Read more
the hacker newsNews
Feb 19, 2025
Hackers Exploit Signal's Linked Devices Feature to Hijack Accounts via Malicious QR Codes

Windows Batch script used by Sandworm/APT44 in activity targeting Signal; specific capabilities are not detailed in the provided content.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping4

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.