CERT-UA has issued a warning about a targeted malware campaign that uses Signal messages to infect systems in Ukraine’s defense sector. The campaign involves sending malicious messages disguised as meeting reports, containing archive files that hold PDFs and executables. Once the executable is run, the DarkTortilla cryptor decrypts and launches Dark Crystal RAT (DCRAT), giving the attackers remote control of the infected device. CERT-UA tracks the campaign under UAC-0200 and attributes it to Russian threat actors, who also exploit Signal’s “Linked Devices” feature to gain unauthorized access to accounts.
The latest attacks, which began in February 2025, focus on military-related topics, including UAVs and electronic warfare.
Signal users in Ukraine are urged to turn off automatic attachment downloads, check linked devices regularly, and enable two-factor authentication. These recommendations are in response to an increasing trend of Russian hackers targeting military personnel and sensitive information. The malware’s persistence and evolving tactics highlight a continued escalation in cyber espionage against Ukraine’s defense infrastructure.
In a related development, Signal has faced criticism for allegedly halting responses to Ukrainian law enforcement’s requests regarding Russian cyber threats. Despite this, Signal’s CEO, Meredith Whittaker, refuted claims that the company had ceased cooperating with Ukraine. This ongoing tension between Ukrainian authorities and Signal underscores the broader cybersecurity challenges facing Ukraine amid its ongoing conflict with Russia.
Meanwhile, Russia’s cybersecurity efforts are ramping up as cyber actors increasingly exploit vulnerabilities in widely used messaging platforms.
As the conflict progresses, Ukraine’s IT Army continues its offensive against Russian targets, shifting focus to regional telecoms in border areas. The IT Army’s DDoS attacks aim to overwhelm networks, and their growing success has highlighted the vulnerabilities in Russia’s infrastructure. These developments show a complex cyber landscape where both sides are using increasingly sophisticated tactics to gain intelligence and disrupt operations, signaling the importance of securing communication channels in wartime.