The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent nationwide alert warning that multiple cyber threat actors are actively exploiting commercial spyware to compromise users of popular mobile messaging applications.
According to CISA, these operations are not random: attackers are using highly targeted, technically sophisticated methods to infiltrate messaging platforms used by government leaders, civil society groups, journalists, and high-risk individuals across the United States, Europe, and the Middle East.
CISA states that threat actors “use sophisticated targeting and social engineering techniques to deliver spyware and gain unauthorized access to a victim’s messaging app, facilitating the deployment of additional malicious payloads that can further compromise the victim’s mobile device.”
The alert notes that attackers are using multiple vectors to compromise messaging app accounts, often without the victim ever realizing something has gone wrong.
1. Phishing + Malicious QR Codes
Threat actors abuse app features such as device-linking functions, tricking victims into scanning malicious QR codes that silently bind their messaging accounts to attacker-controlled devices.
CISA reports that adversaries “use tactics such as phishing and malicious device-linking QR codes to compromise victim accounts and link them to actor-controlled devices.”
2. Zero-Click Exploits
One of the most alarming techniques involves zero-click vulnerabilities: flaws that can be exploited with no user interaction at all.
According to CISA, adversaries are leveraging “zero-click exploits, which require no direct action from the device user.”
These exploits enable silent installation of spyware that can:
- Read messages
- Access contact lists
- Harvest sensitive files
- Activate microphones
- Track device location
3. App Impersonation
Threat actors also send messages pretending to be platforms like Signal or WhatsApp, urging users to install “urgent updates” or “security patches.”
CISA notes actors “impersonate messaging app platforms, such as Signal and WhatsApp,” to trick victims into installing spyware-laced apps or clicking malicious login portals.
While some infections appear opportunistic, analysts warn that many campaigns are aimed at high-value individuals.
CISA says there is growing evidence that cyber actors are specifically focusing on:
- Current and former high-ranking government, military, and political officials
- Civil society organizations (CSOs)
- Targeted individuals across the United States, Middle East, and Europe
This pattern strongly resembles previous targeting by state-sponsored groups known for operating or purchasing commercial spyware.
Messaging apps have become central to modern communication, used for diplomacy, activism, journalism, and coordination during conflicts or elections. As a result, they offer unique intelligence value to both state-backed and criminal actors.
Once compromised, attackers can:
- Read message content on the device before it is encrypted
- Track locations
- Hijack the account
- Pivot to other apps
- Spread malware to contacts
- Eavesdrop on conversations
The consequences are severe for high-risk individuals, especially those operating in repressive environments.
To defend against these attacks, CISA strongly encourages all messaging app users — especially civil society organizations, government personnel, and politically exposed individuals — to follow the updated security guidance.