New Spyware Wave Hits High-Value Messaging App Users
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a warning about malicious actors that are actively using remote access trojans (RATs) and commercial spyware to target users of mobile messaging apps.
“These cyber actors use sophisticated targeting and social engineering techniques to deliver spyware and gain unauthorized access to a victim’s messaging app, facilitating the deployment of additional malicious payloads that can further compromise the victim’s mobile device,” the agency said.
CISA highlighted several major cyber campaigns uncovered this year, including Russia-aligned threat actors exploiting Signal’s linked-device feature to hijack user accounts. Other incidents include the ProSpy and ToSpy Android spyware operations, which impersonated apps like Signal and ToTok to target users in the UAE and gain persistent access to their devices.
Additionally, the ClayRat spyware campaign targeted users in Russia through Telegram channels and phishing pages that mimicked popular apps such as WhatsApp, Google Photos, TikTok, and YouTube to steal sensitive data.
According to CISA, the threat actors employ a variety of techniques to gain access, such as phony chat apps, zero-click attacks, and device-linking QR codes.
CISA also noted that these campaigns target high-value individuals, including civil society organizations and individuals in the US, the Middle East, and Europe, as well as current and former high-ranking government, military, and political figures.
