Prepared by: RESIDENT.NGO ThreatLab
Detection Date: October 3, 2025
Publication Date: October 6, 2025 (updated on October 8, 2025 with fake download progress example)
This writeup details a targeted Signal Account Takeover (ATO) Phishing Campaign identified by RESIDENT.NGO. The campaign utilizes spear phishing conducted in Polish or English via Signal Messenger and targets Belarus-related public figures and media workers residing outside of Belarus. The goal is to trick users into surrendering their 6-digit SMS Signal registration verification code, leading to account compromise.
Indicators and Detection
Users should look for these indicators to detect the phishing attempt and prevent account takeover:
Impersonation: An incoming message from an unknown number or profile named “Signal Support.” The profile is not verified and displays the warning “Profile names are not verified.”
Suspicious Content: Messages falsely claim a login attempt from a specific location (e.g., Minsk, Kyiv) and hardware (e.g., iPhone 13).
Interactive: The message may instruct the user to reply with a specific command (e.g., /cancel) to prevent the claimed login or change of phone number.
Credential Request: An immediate, subsequent request in the chat to provide the 6-digit SMS verification code that was just received. Signal will never ask for such a code.
Tactics, Techniques, and Procedures (TTPs)
This campaign aims to panic the victim by blending a high-urgency message with credible-looking technical data.
Step 1: Profile Impersonation and Contact Request (MITRE ATT&CK code T1566.003 Spearphishing via Service)
The attacker initiates contact from a profile named “Signal Support.” The profile falsely lists the legitimate Signal domain, support.signal.org, as its associated website.
The attackers rely on users ignoring the safety warnings that Signal automatically displays for unknown contacts, such as “Profile names are not verified.” The user is prompted to “Accept” the message request.

Step 2: Fear Induction and Customised Targeting
The attacker generates fear and urgency by specifically citing a false login attempt from suspicious locations. The attacker escalates the fear by explicitly mentioning a request to change the victim’s phone number to an unknown international number. The user is instructed to reply with a command like /cancel to “block” the suspicious login attempt. By replying, the user confirms the number is active and accepts the attackers’ false premise that they can secure the account via chat.

To intensify the sense of urgency, the attacker may introduce an additional stage in the exchange – a fabricated “data download” sequence. The fake message displays a staged progress indicator (e.g., Download progress: 10%… 20%… 50%… 90%) followed by a completion notice: “Data successfully downloaded and sent to [email protected]”. This simulated exfiltration message serves to heighten panic and reinforce the illusion of an ongoing compromise. By implying that sensitive data is being extracted and transmitted, the attacker pressures the victim to act immediately.

Step 3: Triggering and Harvesting the SMS Code (MITRE ATT&CK code T1598 Phishing for Information)
Upon receiving the “cancel” confirmation, the attackers initiate registration of the victim’s phone number, which causes Signal to send the official 6-digit verification code via SMS to the victim’s phone. If the victim shares this code, the attacker completes the registration and takes over the account.
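As an added illustration (not part of the RESIDENT.NGO writeup), the following Python heuristic scores a chat against the indicators listed under Indicators and Detection and the three TTP steps above. The regex wording, the weights and the sample conversations are constructed for this example, not captured from the campaign.

```python
import re
from dataclasses import dataclass


@dataclass
class Message:
    """One incoming Signal chat message plus the profile state Signal shows for it."""
    sender_name: str
    sender_verified: bool   # False when Signal shows "Profile names are not verified"
    in_contacts: bool
    text: str


# Illustrative patterns for each indicator in the writeup (wording is assumed, not captured).
INDICATORS = {
    "impersonation":      re.compile(r"signal\s*support", re.I),          # checked on sender_name
    "login_claim":        re.compile(r"(login|sign[- ]?in|registration)\s+attempt", re.I),
    "device_or_location": re.compile(r"\b(iphone|android|minsk|kyiv|warsaw)\b", re.I),
    "number_change":      re.compile(r"change\b.{0,30}\bphone number", re.I),
    "command_prompt":     re.compile(r"\b(reply|send|type)\s+(with\s+)?/\w+", re.I),
    "fake_download":      re.compile(r"download progress|successfully downloaded", re.I),
    "code_request":       re.compile(r"\b(6|six)[- ]digit\b|\bverification code\b", re.I),
}
WEIGHTS = {"impersonation": 3, "login_claim": 2, "device_or_location": 1, "number_change": 2,
           "command_prompt": 2, "fake_download": 2, "code_request": 4}


def classify(msgs):
    """Score a whole conversation against the indicators; returns score, hits and a verdict."""
    hits = set()
    for m in msgs:
        # Indicator 1: an unverified, non-contact profile calling itself "Signal Support".
        if INDICATORS["impersonation"].search(m.sender_name) and not (m.sender_verified or m.in_contacts):
            hits.add("impersonation")
        for name, pattern in INDICATORS.items():
            if name != "impersonation" and pattern.search(m.text):
                hits.add(name)
    score = sum(WEIGHTS[h] for h in hits)
    # Signal never asks for the SMS code in a chat, so a code request from an impersonator is decisive.
    if ("code_request" in hits and "impersonation" in hits) or score >= 6:
        verdict = "block_and_report"
    elif score >= 3:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"score": score, "indicators": sorted(hits), "verdict": verdict}


# Constructed sample conversations mirroring Steps 1-3 (not real captures from the campaign).
PHISHING_SAMPLE = [
    Message("Signal Support", False, False, "We detected a login attempt from Minsk on iPhone 13 and a request to change your phone number to an unknown international number."),
    Message("Signal Support", False, False, "Reply with /cancel to block this attempt."),
    Message("Signal Support", False, False, "Download progress: 10%... 50%... 90%. Data successfully downloaded and sent to [redacted]."),
    Message("Signal Support", False, False, "To finish cancelling, send us the 6-digit verification code you just received by SMS."),
]
BENIGN_SAMPLE = [Message("Alice", True, True, "Did you get the meeting link? Let me know.")]

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, classify(sample))
```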

Attribution
Due to the nature of the attack, direct attribution is not possible. However, based on the specific targeting of Belarus-related public figures and media workers residing outside of Belarus, RESIDENT.NGO hypothesizes that the attackers are linked to the Belarusian state.
Protection Measures
Enable Registration Lock: a security feature that requires you to enter your Signal PIN in addition to the SMS verification code to register your phone number on a new device. If Registration Lock is currently disabled, enable it immediately: Go to Settings > Account > Registration Lock and set a strong PIN that you will remember.
Never Share Codes in Chats: Signal will NEVER ask for the 6-digit SMS code or your PIN outside of the normal device registration procedure. Any request for them is a scam.
Don’t Accept Contact Requests: Do not click “Accept” on requests from unknown parties claiming to be “Signal Support.” Accepting exposes your profile and enables the attack.
Incident Response
If Targeted: Do not engage or reply (this includes replying with “/cancel”). Use the in-app Block and Report functions immediately.
If SMS Code Compromised (Registration Lock was OFF, or you also disclosed your PIN): The account is vulnerable. You must immediately re-register your own Signal instance on your primary device. This invalidates the attacker’s active session. After regaining control, set a different PIN and enable Registration Lock immediately.
If Account Taken Over: If locked out, alert your contacts through other means (email, phone call, social networks) that your Signal account has been compromised and should not be trusted.
If you need further guidance: Contact Signal’s official support team through their website. Additionally, contact RESIDENT.NGO at [email protected] to report the incident.