Signal Messenger Exploited in Targeted Attacks on Defense Industry Employees

The Computer Emergency Response Team of Ukraine (CERT-UA) has reported a series of targeted cyberattacks against employees of the defense-industrial complex and members of the Defense Forces of Ukraine.

These attacks have been ongoing since at least the summer of 2024 and have escalated in recent months.

The attackers are using the Signal messenger app to distribute malicious files, often by compromising existing contacts’ accounts to increase trust.

Attack Vector and Tactics

In March 2025, CERT-UA observed attackers sending archive files via Signal, presented as containing reports from meetings.

These archives typically contained a PDF file and an executable classified as DarkTortilla, a crypter/loader that decrypts and launches the DarkCrystal RAT (DCRAT) remote access trojan.

Figure: example of the infection chain (Signal messenger)
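As an added example, not code from the CERT-UA report: a Python triage routine for an archive of the kind described above, a PDF decoy packed together with an executable. It lists the members, hashes each with SHA-256 so the digests can be checked against a published indicator list, and flags executables (by PE "MZ" signature or by extension), document-looking double extensions such as report.pdf.exe, and the combination of an executable alongside a document. The sample archive, file names and the known-bad hash it builds are constructed for the demo and are not indicators from the report.

```python
"""Triage an archive received over a messenger the way a responder would
triage a suspicious 'meeting report': list members, hash them, and flag
executables or scripts packed alongside decoy documents.

Added example, not code from the CERT-UA report. The sample archive, file
names and the known-bad hash set are constructed for this demo and are not
real indicators."""
import hashlib
import io
import zipfile

EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                   ".js", ".vbs", ".hta", ".lnk", ".msi", ".dll"}
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}

# Constructed sample members (not real malware): a stub PDF decoy and a
# 64-byte stub that only carries the PE 'MZ' signature.
DECOY_PDF = b"%PDF-1.4\n% constructed decoy document, no content\n"
STUB_PE = b"MZ" + b"\x00" * 62


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def member_type(name: str, head: bytes) -> str:
    """Classify by content first (an .exe renamed to .pdf still starts with MZ),
    then by extension for scripts and shortcuts that have no fixed magic."""
    lower = name.lower()
    if head.startswith(b"MZ"):
        return "pe-executable"
    if any(lower.endswith(ext) for ext in EXEC_EXTENSIONS):
        return "script-or-executable"
    if head.startswith(b"%PDF"):
        return "pdf"
    return "other"


def has_double_extension(name: str) -> bool:
    """report.pdf.exe -> True; report.pdf -> False; report.exe -> False."""
    parts = name.lower().rsplit(".", 2)
    return (len(parts) == 3
            and "." + parts[1] in DOC_EXTENSIONS
            and "." + parts[2] in EXEC_EXTENSIONS)


def inspect_archive(data: bytes, known_bad=frozenset()) -> dict:
    """Return per-member metadata plus findings and an overall verdict.
    known_bad: SHA-256 hex digests to match against (e.g. from an IOC list)."""
    members, findings = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            content = zf.read(info)
            digest = sha256_hex(content)
            kind = member_type(info.filename, content[:8])
            member = {
                "name": info.filename,
                "size": len(content),
                "sha256": digest,
                "type": kind,
                "double_extension": has_double_extension(info.filename),
                "ioc_match": digest in known_bad,
            }
            members.append(member)
            if kind in ("pe-executable", "script-or-executable"):
                findings.append(f"{info.filename}: executable content ({kind})")
            if member["double_extension"]:
                findings.append(f"{info.filename}: document-looking double extension")
            if member["ioc_match"]:
                findings.append(f"{info.filename}: SHA-256 matches a known-bad indicator")
    types = {m["type"] for m in members}
    if types & {"pe-executable", "script-or-executable"} and "pdf" in types:
        findings.append("executable packed alongside a document decoy")
    verdict = "suspicious" if findings else "clean"
    return {"members": members, "findings": findings, "verdict": verdict}


def build_sample_archive(include_payload: bool = True) -> bytes:
    """Constructed lookalike of the lure: a PDF decoy plus (optionally) a
    double-extension PE stub, built in memory so the demo runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("meeting_report.pdf", DECOY_PDF)
        if include_payload:
            zf.writestr("meeting_report.pdf.exe", STUB_PE)
    return buf.getvalue()


if __name__ == "__main__":
    result = inspect_archive(build_sample_archive(), known_bad={sha256_hex(STUB_PE)})
    for m in result["members"]:
        print(f"{m['name']:<26} {m['type']:<22} sha256={m['sha256'][:16]}...")
    for f in result["findings"]:
        print("finding:", f)
    print("verdict:", result["verdict"])
```

Classifying by file content before extension matters here: the DarkTortilla executable can be renamed to look like a document, but a PE file still begins with "MZ". Running the script on a real archive means replacing the constructed sample with the file's bytes and the constructed hash set with the digests from the CERT-UA indicator list.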

The use of popular instant messaging apps such as Signal expands the attack surface: they create information exchange channels outside organisational control, so files received through them bypass the controls applied to traditional channels such as email.

The content of the decoy messages has shifted to focus on topics such as UAVs and electronic warfare equipment since February 2025.

The attackers exploit the trust placed in messages from known contacts, whose accounts have been compromised beforehand.

Because the recipient expects the message and the sender is familiar, the lure is opened without scrutiny, which gives the attackers a foothold on the device and access to sensitive information within the defense-industrial complex.

CERT-UA has tracked this activity under the identifier UAC-0200 and urges recipients of such suspicious messages to report them immediately.

Cyber Threat Indicators

CERT-UA has published file and network indicators associated with these attacks. The file indicators are hashes of the archives, decoy documents and executables used to deliver the DarkCrystal RAT; the network indicators are IP addresses and URLs of the attackers' infrastructure.

Matching these indicators against received files and observed connections is the practical way to detect and block this activity within the defense sector.

In response to these targeted attacks, CERT-UA emphasizes the importance of vigilance and prompt reporting of suspicious activities.

The use of instant messengers for distributing malware highlights the evolving nature of cyber threats and the need for robust security measures across all communication channels.

