The U.S. Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued an updated public service announcement warning that Russian intelligence-linked threat actors have expanded an ongoing phishing campaign targeting Signal users. Rather than attempting to intercept authentication codes alone, the attackers are now seeking victims' Signal Backup Recovery Keys, enabling them to restore encrypted cloud backups and gain access to historical conversations.
The latest advisory builds on an alert released in March 2026, when the agencies disclosed that Russian-backed operators were targeting users of commercial messaging applications, particularly Signal, through carefully crafted phishing campaigns. Those earlier attacks focused on compromising accounts by deceiving users into handing over verification codes, account PINs, or linking unauthorized devices to their Signal accounts, instead of defeating the application's end-to-end encryption.
According to the FBI, the threat actors have refined their social engineering techniques by impersonating automated Signal support accounts and introducing a new objective: convincing users to disclose the recovery keys that protect their encrypted backups.
The agencies said the campaign continues to concentrate on individuals considered to be of intelligence value, including current and former U.S. government officials, government personnel from allied nations, military members, political figures, journalists, and officials located in Ukraine.
The activity has been attributed to Russian Intelligence Services (RIS), including officers associated with Russia's Federal Security Service (FSB) Border Guards and additional actors operating on behalf of the Russian military. Security researchers publicly track the activity under the designations UNC5792 and UNC4221.
Phishing campaign evolves beyond account hijacking
The updated advisory describes a notable change in the attackers' methods. Earlier phishing attempts largely sought one-time verification codes, Signal PINs, or persuaded victims to connect attacker-controlled devices to their accounts. The current campaign instead attempts to obtain the cryptographic recovery key used by Signal's Secure Backups feature.
To begin the attack, the operators pose as Signal's support team and distribute fraudulent messages claiming the messaging platform is introducing mandatory two-factor verification following an alleged increase in attacks carried out by hackers from Iran and post-Soviet countries. The messages falsely state that the security changes require users to configure Signal Backups in order to avoid losing conversations and media files.
Victims are instructed to navigate through the application's backup settings, enable Secure Backups, reveal the Backup Recovery Key, copy it to the clipboard, and complete what appears to be a legitimate setup process.
Signal's Secure Backups feature allows users to store encrypted copies of conversations on the company's cloud infrastructure. Those backups remain protected through end-to-end encryption, with the Backup Recovery Key serving as the only credential capable of decrypting and restoring the archived data. Because Signal does not retain this key, anyone who obtains it can restore the encrypted backup onto another device.
After victims complete the initial steps, the attackers send a second phishing message while continuing to impersonate Signal support. This follow-up communication claims the user's account is experiencing a synchronization problem and warns that stored messages and media could be permanently lost unless immediate action is taken.
The fraudulent notification instructs users to revisit the backup settings, copy the Backup Recovery Key once again, and paste it directly into the conversation under the pretense of preventing data loss.
If victims comply, the attackers obtain the recovery key and use it to restore the encrypted backup on devices under their control. This grants access to previously archived communications, including private conversations and group chats.
The FBI emphasized that these attacks do not compromise Signal's encryption itself. Instead, they rely entirely on social engineering techniques that manipulate users into voluntarily surrendering the credentials needed to decrypt their own backups.
Compromised recovery keys remain a risk even after creating a new account
The updated advisory also highlights a recovery scenario that affected users may easily overlook.
According to the FBI, creating a new Signal account with the same phone number does not invalidate a Backup Recovery Key that has already been stolen. If attackers previously acquired the key, they may still be able to access any encrypted backups downloaded before the compromise was discovered.
To prevent future backup restorations using a compromised credential, users should generate a new Backup Recovery Key through Signal's backup settings. Creating a replacement key invalidates the previous one for subsequent backup downloads. However, the agencies cautioned that this action cannot revoke access to backups that attackers have already restored using the stolen key.
Agencies urge users to remain cautious of unsolicited support messages
The FBI and CISA reminded users that legitimate messaging platform support teams communicate only through official company email channels. They do not request verification codes through the application itself, nor do they send unsolicited messages instructing users to verify accounts, restore backups, or disclose recovery credentials.
Anyone who believes they may have interacted with the phishing campaign is encouraged to report the incident to the FBI's Internet Crime Complaint Center (IC3), a local FBI field office, or CISA.
The advisory accentuates the fact that well-designed encryption remains effective only when the credentials protecting it remain under the user's control. Rather than attempting to break modern cryptography, state-sponsored threat actors are increasingly directing their efforts toward manipulating trusted users into revealing the keys that unlock their own protected data.
Software provider Ivanti has released security updates for a newly identified vulnerability in its Endpoint Manager Mobile (EPMM) platform after confirming that the flaw has already been used in limited zero-day attacks.
The vulnerability, tracked as CVE-2026-6973, has been classified as high severity. According to Ivanti, the issue is caused by improper input validation, which refers to a weakness in how an application processes and checks incoming data before handling a request. If exploited successfully, the flaw could allow a remote attacker with administrator-level access to run arbitrary code on vulnerable systems.
Ivanti stated that the vulnerability affects EPMM version 12.8.0.0 and earlier releases. To reduce exposure, the company has issued patched versions including EPMM 12.6.1.1, 12.7.0.1, and 12.8.0.1. The company is also advising customers to review accounts with administrative privileges and rotate credentials where necessary, particularly in environments where earlier compromise activity may have occurred.
In its advisory, Ivanti said the exploitation activity observed so far appears to be limited in scope and requires valid administrator authentication in order to succeed. The company added that it has not identified active exploitation involving the additional vulnerabilities disclosed alongside CVE-2026-6973.
Ivanti also clarified that the issue impacts only the on-premises version of Endpoint Manager Mobile. The company said the flaw does not affect Ivanti Neurons for MDM, which is its cloud-based endpoint management platform. Other products, including Ivanti EPM and Ivanti Sentry, were also listed as unaffected.
Data published by internet monitoring organization Shadowserver Foundation currently shows more than 850 internet-accessible IP addresses associated with Ivanti EPMM deployments. Most of the exposed systems appear to be located in Europe, followed by North America. However, there is still no public visibility into how many of those servers have already installed the latest patches.
Alongside the actively exploited flaw, Ivanti disclosed fixes for four additional high-severity vulnerabilities identified as CVE-2026-5786, CVE-2026-5787, CVE-2026-5788, and CVE-2026-7821. According to the company, these flaws could potentially be used to obtain administrator access, impersonate registered Sentry hosts to receive valid certificate authority-signed client certificates, invoke unauthorized methods, or gain access to restricted information stored within affected environments.
The company stated that it currently has no evidence showing these four vulnerabilities have been exploited in real-world attacks. Ivanti also noted that CVE-2026-7821 affects only organizations using Apple Device Enrollment configurations.
The latest disclosure follows earlier security incidents involving Ivanti EPMM earlier this year. In January, the company disclosed two separate code-injection vulnerabilities, tracked as CVE-2026-1281 and CVE-2026-1340, which were also exploited as zero-days against what Ivanti described at the time as a very limited number of customers.
Ivanti now says customers who followed its earlier recommendation to rotate credentials after the January incidents are likely to face a significantly lower risk of exploitation from CVE-2026-6973. The guidance reflects a growing concern within the cybersecurity industry that attackers often attempt to reuse stolen administrative credentials across multiple intrusion campaigns.
The issue also drew attention from the U.S. Cybersecurity and Infrastructure Security Agency earlier this year. In April, the agency instructed federal civilian agencies to secure vulnerable systems against attacks involving CVE-2026-1340 within four days after adding the flaw to its Known Exploited Vulnerabilities catalog.
Ivanti products have repeatedly appeared in incident response investigations over the last several years, particularly because endpoint and device management platforms typically operate with elevated privileges across enterprise networks. Security agencies and researchers have warned that these systems remain attractive targets for threat actors seeking broad administrative control over organizational infrastructure.
According to data previously published by CISA, 33 Ivanti vulnerabilities have been publicly identified as exploited in the wild, including 12 that were also linked to ransomware-related activity.
Ivanti says it currently serves more than 40,000 customers worldwide through a partner network consisting of over 7,000 organizations.
Cybersecurity authorities in the United States and the United Kingdom have issued a joint alert about a previously undocumented malware strain called Firestarter that is capable of maintaining access on Cisco firewall systems even after updates and security patches are applied.
The malware affects Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software. Investigators have linked the activity to a threat actor tracked by Cisco Talos as UAT-4356, a group associated with espionage-focused operations, including campaigns such as ArcaneDoor.
According to assessments from the Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC), the attackers likely gained initial entry by exploiting two vulnerabilities. One is an authorization flaw identified as CVE-2025-20333, and the other is a buffer overflow issue tracked as CVE-2025-20362. Both weaknesses could allow unauthorized access to targeted devices.
In one confirmed case involving a U.S. federal civilian executive branch agency, investigators observed a staged intrusion. The attackers first deployed a tool called Line Viper, which operates as a user-mode shellcode loader. This malware was used to establish VPN connections and extract sensitive configuration data from the device, including administrator credentials, certificates, and private cryptographic keys.
After this initial access phase, the attackers introduced the Firestarter backdoor to ensure continued control. CISA noted that while the precise date of the breach has not been verified, the compromise likely occurred in early September 2025, before the agency applied patches required under Emergency Directive 25-03.
Firestarter is designed to maintain persistence. Once installed, it continues functioning across system reboots, firmware upgrades, and security patching. In addition, if its process is terminated, it is capable of restarting itself automatically.
The malware achieves this persistence by integrating with LINA, a core process within Cisco ASA systems. It uses signal-handling mechanisms to detect termination events and trigger routines that reinstall the malware.
A joint technical analysis from CISA and NCSC found that Firestarter modifies the system’s boot configuration by altering the CSP_MOUNT_LIST file, ensuring that it executes during device startup. It also stores a copy of itself within system log directories and restores its executable into a critical system path, allowing it to run silently in the background.
Separate analysis from Cisco Talos indicates that the persistence mechanism is activated when the system receives a process termination signal, such as during a controlled or “graceful” reboot.
The primary function of Firestarter is to act as a backdoor, providing attackers with remote access to compromised devices. It can also execute arbitrary shellcode supplied by the attacker.
This capability is enabled by modifying an internal XML handler within the LINA process and injecting malicious code directly into memory. Execution is triggered through specially crafted WebVPN requests. Once a built-in identifier is validated, the malware loads and executes attacker-provided payloads in memory without writing them to disk. Authorities have not disclosed details about the specific payloads used in observed incidents.
Cisco has released a security advisory outlining mitigation steps, recommended workarounds, and indicators of compromise to help identify infections. The company advises organizations to fully reimage affected devices and upgrade to fixed software versions, regardless of whether compromise has been confirmed.
To check for signs of infection, administrators are instructed to run a diagnostic command that inspects running processes. If any output is returned indicating the presence of a specific process, the device should be treated as compromised.
As an alternative, Cisco noted that performing a complete power shutdown may remove the malware. However, this approach is not recommended because it introduces the risk of database or disk corruption, which could lead to system instability or boot failures.
To assist with detection, CISA has also released two YARA rules that can identify the Firestarter backdoor when analyzing disk images or memory dumps from affected systems.
There is a noticeable change in how attackers approach the network infrastructure. Instead of focusing only on endpoints such as laptops or servers, threat actors are placing long-term implants directly within security appliances that sit at the edge of enterprise networks.
Firestarter introduces a specific operational challenge. Even after vulnerabilities are patched, the implanted malware remains active because it embeds itself within core system processes and startup routines. This separates the persistence mechanism from the original point of entry.
The use of in-memory execution through WebVPN requests also reduces visibility. Since payloads are not written to disk, traditional file-based detection methods may not identify malicious activity.
For defenders, this means that patching alone cannot be treated as confirmation that a system is secure. Additional validation steps are required, including process inspection, firmware integrity checks, and monitoring for abnormal behavior in network appliances.
The incident also reinforces the importance of restricting exposure of management interfaces and ensuring that critical infrastructure devices are continuously monitored, not just periodically updated.
Cyberattacks are increasingly being used alongside conventional military actions in the ongoing conflict involving Iran, with both state-linked actors and loosely organised hacker groups targeting systems in the United States and Israel.
A recent incident involving Stryker illustrates the scale of this activity. On March 11, the company confirmed that a cyberattack had disrupted parts of its global network. Employees across several offices reportedly encountered login screens displaying the symbol of Handala, a group believed to have links to Iran. The attack affected systems within Microsoft’s environment, although the full extent of the disruption and the timeline for recovery remain unclear.
Handala has claimed responsibility for the operation, stating that it exploited Microsoft’s cloud-based device management platform, Intune. According to data from SOCRadar, the group alleged it remotely wiped more than 200,000 devices across 79 countries. These claims have not been independently verified, and attempts have been made to seek confirmation from Microsoft. The group described the attack as retaliation for a missile strike in Minab, Iran, which reportedly killed more than 160 people at a girls’ school.
This breach is part of a broader surge in cyber activity following Operation Epic Fury, with multiple pro-Iranian actors directing attacks against American and Israeli systems.
State-linked groups target essential systems
A cybersecurity assessment indicates that several groups associated with Iran’s Islamic Revolutionary Guard Corps, including CyberAv3ngers, APT33, and APT55, are actively targeting critical infrastructure in the United States.
These operations focus on industrial control systems, which are specialised computers used to manage essential services such as electricity grids, water treatment plants, and manufacturing processes. In some instances, attackers have gained access by using unchanged default passwords, allowing them to install malicious software capable of interfering with or taking control of these systems.
CyberAv3ngers has reportedly accessed industrial machinery in this way, while APT33 has used commonly reused passwords to infiltrate accounts at US energy companies. After gaining entry, the group attempts to weaken safety mechanisms by inserting malware into operational systems. APT55, meanwhile, has focused on cyber-espionage, targeting individuals connected to the energy and defence sectors to gather intelligence for Iranian operations.
Other groups linked to Iran’s Ministry of Intelligence and Security, including MuddyWater and APT34, are also involved in these campaigns. MuddyWater has targeted telecommunications providers, oil and gas companies, and government organisations. It functions as an initial access broker, meaning it breaks into networks, collects login credentials, and then passes that access to other attackers.
Handala has also claimed additional operations beyond the Stryker incident. These include deleting more than 40 terabytes of data from servers at the Hebrew University of Jerusalem and breaching systems linked to Verifone in Israel. However, Verifone has stated that it found no evidence of any compromise or service disruption.
Cyber operations are also being carried out by the United States and Israel.
General Dan Caine stated on March 2 that US Cyber Command was one of the first operational units involved in Operation Epic Fury. He said these efforts disrupted Iran’s communication and sensor networks, leaving it with reduced ability to monitor, coordinate, or respond effectively. He did not provide further operational details.
On March 13, Pete Hegseth confirmed that the United States is using artificial intelligence alongside cyber tools as part of its military approach in the conflict.
Separate reporting suggests that Israeli intelligence agencies may have used data obtained from compromised traffic cameras across Tehran to support planning related to Iran’s leadership, including Ayatollah Ali Khamenei.
Hacktivist networks operate with fewer constraints
Alongside state-backed actors, hacktivist groups have played a significant role. More than 60 such groups reportedly mobilised in the early hours of Operation Epic Fury, forming a coalition known as the Cyber Islamic Resistance.
This network coordinates its activity through Telegram channels described as an “Electronic Operations Room.” Unlike state-directed groups, these actors operate based on ideological motivations rather than central command structures. Analysts note that such groups tend to be less disciplined, more unpredictable, and more likely to act without regard for civilian impact.
Within the first two weeks of the conflict, the coalition claimed responsibility for more than 600 distinct cyber incidents across over 100 Telegram channels. These include attacks targeting Israeli defence-related systems, drone detection platforms such as VigilAir, and infrastructure affecting electricity and water services at a hotel in Tel Aviv.
The same group also claimed to have compromised BadeSaba Calendar, a widely used religious mobile application with more than five million downloads. During the incident, users reportedly received messages such as “Help is on the way” and “It’s time for reckoning,” based on screenshots shared online.
Some analysts assess that these groups may be using artificial intelligence tools to compensate for limited technical expertise, allowing them to scale operations more effectively.
Global actors join the conflict
Cyber intelligence findings suggest that participation in these operations is expanding geographically. Ongoing internet restrictions within Iran appear to be limiting the involvement of domestic hacktivists by disrupting Telegram-based coordination.
As a result, increased activity has been observed from pro-Iranian groups based in Southeast Asia, Pakistan, and other parts of the Middle East.
The Islamic Cyber Resistance in Iraq, also known as the 313 Team, has claimed responsibility for attacks on websites belonging to Kuwaiti government ministries, including defence-related institutions, according to a separate threat intelligence briefing. The group has also reportedly targeted websites in Romania and Bahrain.
Another group, DieNet, has claimed cyber operations affecting airport systems in Bahrain, Saudi Arabia, and the United Arab Emirates.
Russian-linked actors have also entered the landscape. NoName057(16), previously involved in cyber campaigns related to Ukraine, has launched distributed denial-of-service attacks, a technique used to overwhelm websites with traffic and render them inaccessible. Targets include Israeli municipal services, political platforms, telecommunications providers, and defence-related entities, including Elbit Systems, as noted by a threat intelligence monitoring platform.
The group is also reported to be collaborating with Hider-Nex, a North Africa-based collective that has claimed attacks on Kuwaiti government domains.
Some pro-Israeli hacktivist groups are active, including Anonymous Syria Hackers. One such group recently claimed to have breached an Iranian technology firm and released sensitive data, including account credentials, emails, and passwords.
However, these groups remain less visible. Analysts suggest that Israel primarily conducts cyber operations through state-controlled channels, reducing the role and visibility of independent actors. In addition, these groups often do not appear in alerts issued by agencies such as the US Cybersecurity and Infrastructure Security Agency, making their activities harder to track.
These developments suggest how cyber operations are becoming embedded in modern warfare. Such attacks are used not only to disrupt infrastructure but also to gather intelligence, impose financial strain, and influence perception.
The growing use of artificial intelligence, combined with the involvement of decentralised and ideologically driven groups, is making attribution more complex and the threat environment more difficult to manage. As a result, cyber capabilities are now a central component of how conflicts are conducted, extending the battlefield into digital systems that underpin everyday life.
Over six thousand SmarterMail systems sit reachable online, possibly at risk due to a serious login vulnerability, found by the nonprofit cybersecurity group Shadowserver. Attention grows as hackers increasingly aim for outdated corporate mail setups left unprotected.
The US Cybersecurity and Infrastructure Security Agency (CISA) has released new guidance warning that insider threats represent a major and growing risk to organizational security. The advisory was issued during the same week reports emerged about a senior agency official mishandling sensitive information, drawing renewed attention to the dangers posed by internal security lapses.
In its announcement, CISA described insider threats as risks that originate from within an organization and can arise from either malicious intent or accidental mistakes. The agency stressed that trusted individuals with legitimate system access can unintentionally cause serious harm to data security, operational stability, and public confidence.
To help organizations manage these risks, CISA published an infographic outlining how to create a structured insider threat management team. The agency recommends that these teams include professionals from multiple departments, such as human resources, legal counsel, cybersecurity teams, IT leadership, and threat analysis units. Depending on the situation, organizations may also need to work with external partners, including law enforcement or health and risk professionals.
According to CISA, these teams are responsible for overseeing insider threat programs, identifying early warning signs, and responding to potential risks before they escalate into larger incidents. The agency also pointed organizations to additional free resources, including a detailed mitigation guide, training workshops, and tools to evaluate the effectiveness of insider threat programs.
Acting CISA Director Madhu Gottumukkala emphasized that insider threats can undermine trust and disrupt critical operations, making them particularly challenging to detect and prevent.
Shortly before the guidance was released, media reports revealed that Gottumukkala had uploaded sensitive CISA contracting documents into a public version of an AI chatbot during the previous summer. According to unnamed officials, the activity triggered automated security alerts designed to prevent unauthorized data exposure from federal systems.
CISA’s Director of Public Affairs later confirmed that the chatbot was used with specific controls in place and stated that the usage was limited in duration. The agency noted that the official had received temporary authorization to access the tool and last used it in mid-July 2025.
By default, CISA blocks employee access to public AI platforms unless an exception is granted. The Department of Homeland Security, which oversees CISA, also operates an internal AI system designed to prevent sensitive government information from leaving federal networks.
Security experts caution that data shared with public AI services may be stored or processed outside the user’s control, depending on platform policies. This makes such tools particularly risky when handling government or critical infrastructure information.
The incident adds to a series of reported internal disputes and security-related controversies involving senior leadership, as well as similar lapses across other US government departments in recent years. These cases are a testament to how poor internal controls and misuse of personal or unsecured technologies can place national security and critical infrastructure at risk.
While CISA’s guidance is primarily aimed at critical infrastructure operators and regional governments, recent events suggest that insider threat management remains a challenge across all levels of government. As organizations increasingly rely on AI and interconnected digital systems, experts continue to stress that strong oversight, clear policies, and leadership accountability are essential to reducing insider-related security risks.