Security researchers are warning of an SMS phishing campaign, aimed specifically at journalists and activists, in which attackers pose as Signal Support to steal users' backup recovery keys. Whoever holds the recovery key can decrypt the victim's entire message-history backup. The campaign relies purely on social engineering: there is no flaw in Signal's cryptography, only a pretext that persuades targets to hand over the secret protecting their encrypted backups. The focus on journalists and activists points to surveillance-motivated actors rather than financially driven crime. Signal users should treat any unsolicited 'Support' contact that asks for recovery keys or codes as hostile; Signal never asks for them.
Trend Micro disclosed a China-aligned espionage cluster called SHADOW-EARTH-053 that has been targeting government and defense organizations across South, East, and Southeast Asia, plus one NATO country in Europe, since at least December 2024. The group gains initial access by exploiting unpatched Microsoft Exchange and IIS servers with known flaws such as ProxyLogon, drops a Godzilla web shell for persistent access, and then uses DLL sideloading (a legitimate, usually signed executable coaxed into loading a malicious DLL planted in its search path) to run ShadowPad, a long-running Chinese implant. The victimology overlaps with Earth Alux and REF7707, suggesting either a shared operator or shared infrastructure across China-aligned groups. Targets include journalists and activists alongside government agencies.
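The DLL sideloading stage is the part of this chain that defenders can catch from endpoint telemetry without knowing the specific host binary. The following is an added example, not code from the article or from Trend Micro's report: a heuristic that runs over image-load records shaped like Sysmon Event ID 7 (loading process, loaded DLL, signature status) and flags a DLL whose name belongs to a standard Windows system library being loaded from outside the Windows system directories, especially from the host executable's own folder. The list of system DLL names, the directory layout, and all sample events are constructed assumptions for the example; nothing here names the binaries the campaign actually abused.

```python
"""Heuristic DLL-sideloading detector over Sysmon-style ImageLoad records.

Added example, not from the article or Trend Micro's report. The DLL
allowlist and the sample events below are constructed for illustration.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories where the genuine copies of Windows system DLLs live.
SYSTEM_DIRS_LOWER = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
)

# Assumption: a small set of DLL names that Windows ships in its system
# directories and that are frequently hijacked through search-order abuse.
# A real deployment would build this from a known-good software inventory.
SYSTEM_DLL_NAMES = frozenset({
    "version.dll", "dbghelp.dll", "userenv.dll", "wtsapi32.dll",
    "cryptbase.dll", "profapi.dll", "winmm.dll", "dwmapi.dll",
})


@dataclass(frozen=True)
class ImageLoad:
    process: str      # full path of the loading process (Sysmon "Image")
    dll: str          # full path of the loaded module (Sysmon "ImageLoaded")
    dll_signed: bool  # Sysmon "Signed" field for the loaded module


def _in_system_dir(dll_path: str) -> bool:
    """True if the DLL's parent directory is (or is under) a system directory."""
    parent = str(PureWindowsPath(dll_path).parent).lower().rstrip("\\")
    return any(parent == d or parent.startswith(d + "\\") for d in SYSTEM_DIRS_LOWER)


def sideload_reasons(ev: ImageLoad) -> list:
    """Return the reasons this load looks like sideloading, or [] if benign."""
    dll = PureWindowsPath(ev.dll)
    if dll.name.lower() not in SYSTEM_DLL_NAMES:
        return []  # not a name Windows itself provides; outside this heuristic
    if _in_system_dir(ev.dll):
        return []  # the real system copy
    reasons = ["system DLL name loaded from outside the Windows system directories"]
    if str(dll.parent).lower() == str(PureWindowsPath(ev.process).parent).lower():
        reasons.append("DLL sits in the host executable's own directory")
    if not ev.dll_signed:
        reasons.append("loaded DLL is unsigned")
    return reasons


def find_sideloads(events):
    """Pair each suspicious event with its reasons; benign events are dropped."""
    hits = []
    for ev in events:
        reasons = sideload_reasons(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed sample telemetry; paths and binary names are hypothetical.
SAMPLE_EVENTS = [
    # Benign: a vendor tool loading the genuine version.dll from System32.
    ImageLoad(r"C:\Program Files\Vendor\tool.exe",
              r"C:\Windows\System32\version.dll", True),
    # Suspicious: the same tool copied to a writable directory, loading an
    # unsigned version.dll dropped beside it (classic search-order sideload).
    ImageLoad(r"C:\ProgramData\Update\tool.exe",
              r"C:\ProgramData\Update\version.dll", False),
    # Benign: the vendor's own library loaded from its own install directory.
    ImageLoad(r"C:\Program Files\Vendor\tool.exe",
              r"C:\Program Files\Vendor\vendorcore.dll", True),
]

if __name__ == "__main__":
    for ev, reasons in find_sideloads(SAMPLE_EVENTS):
        print(f"{ev.process} -> {ev.dll}")
        for r in reasons:
            print(f"    {r}")
```

The heuristic deliberately ignores signature status of the host process: sideloading works precisely because the host is legitimate and often signed, so the signal is the DLL's name and location, not the EXE. Expect noise from software that ships private copies of system DLLs; tune the allowlist against your own inventory before alerting on it.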