Dossier March 10, 2026: The Signal Hijack & the Shadow of UNC5792
STRATEGIC ADVISORY: THE END OF ENCRYPTED IMMUNITY
The "Digital Sanctuary" is under immediate threat. While global attention is fixed on the kinetic stalemate in Minab, a silent offensive is breaching the last lines of private communication. Dutch intelligence (AIVD/MIVD) has verified that Russian-linked threat actors, specifically the group tracked as UNC5792, are successfully bypassing the perceived safety of Signal and WhatsApp. This is not a breach of the encryption protocols themselves, but a masterclass in social engineering and "Feature Abuse."
THE ANATOMY OF THE ATTACK: HOW THEY GET IN
Russian state hackers are not "cracking" codes; they are tricking users into handing over the keys. Two primary vectors have been identified in this large-scale global campaign:
The "Ghost Support" Bot: Hackers are deploying sophisticated chatbots masquerading as "Signal Support" or "Meta Security Team." They send urgent messages claiming "unauthorized login attempts" or "security audits." Victims are pressured to provide their 6-digit verification code or Signal PIN. Once provided, the attacker registers the account on their own device, effectively "kidnapping" the identity.
GhostPairing (QR-Code Poisoning): This is the most dangerous vector. Attackers send malicious links disguised as invitations to exclusive group chats or "Government Security Updates." Clicking these links triggers a hidden pairing flow, silently linking the attacker’s browser as an invisible "Linked Device." The victim keeps access as normal, but the attacker can now read every message and view every media file in real-time.
THE TACTICAL LINK: RUSSIA & IRAN
We are tracking a synchronization between Russian UNC5792 and Iranian-linked groups like "Handala Hack." As the conflict in Minab intensifies, these actors are sharing infrastructure to target independent journalists, military personnel, and dissidents. By hijacking these accounts, they gain access to confidential sources and internal strategy, effectively turning encrypted apps into surveillance tools.
DIGITAL SELF-DEFENSE PROTOCOL:
Audit Linked Devices: Go to Settings -> Linked Devices NOW. If you see a session you did not start (e.g., "Windows/Chrome in Moscow" or simply an unknown browser), unlink it immediately.
Registration Lock: Enable it on Signal (Settings > Privacy > Registration Lock). This prevents anyone from re-registering your number without your personal PIN.
Two-Step Verification: Mandatory for WhatsApp.
Identify Duplicates: Watch for duplicate identities in group chats. If a member appears twice or changes their name to "Deleted Account," it is a high-probability sign of a compromised profile.
SOURCES & VERIFICATION:
AIVD Official Security Alert (March 9, 2026): https://english.aivd.nl/latest/news/2026/03/09/russia-targets-signal-and-whatsapp-accounts
Malwarebytes Labs - Phishing Campaign Analysis: https://www.malwarebytes.com/blog/news/2026/03/signal-and-whatsapp-accounts-targeted
NCSC Cyber Advisory: https://www.ncsc.nl/actueel/nieuws
CivicoHub Independent Ground Intelligence
#CyberSecurity #WhatsAppHack #Signal #Privacy #DigitalAutonomy #UNC5792 #CivicoHub #AIVD
Hans 🙋♂️
Regendans
NieuwsJunkies.nl
Left Laser
CivicoHub
Signal Nieuws & Tips
anon_4601
Jan Vlug