The FBI and CISA have updated their March 2026 advisory regarding Russian intelligence operations, specifically identifying a critical shift in tactics: threat actors are now aggressively targeting Signal Backup Recovery Keys. Unlike one-time verification codes (OTPs), these 30-digit keys provide attackers with long-term access to message history and the ability to take over accounts entirely. This pivot represents a significant escalation in risk for high-value targets, as it compromises the confidentiality of historical communications—even those encrypted at rest. Defenders must immediately treat these recovery keys with the same sensitivity as private encryption keys or root passwords.
Technical Analysis
- Affected Platforms: Signal Desktop (Windows, macOS, Linux) and Mobile (iOS, Android).
- Threat Actor: Russian Intelligence Services (associated with APT29).
- Attack Vector: Social Engineering (SE) and targeted spear-phishing.
- Objective: Exfiltration of the 30-digit Backup Recovery Key (file name often contains
signal_backup_keyor displayed in-app). - Mechanism:
- Actors conduct highly personalized social engineering attacks to convince the target to export or reveal their Recovery Key.
- Impact: Possession of this key allows the attacker to decrypt the target's encrypted message backup stored in the cloud or locally. It also facilitates unauthorized account re-registration on a new device, bypassing standard SMS/2FA verification.
- CVE Status: This advisory focuses on a Tactics, Techniques, and Procedures (TTP) shift rather than a specific software vulnerability. No CVE is applicable.
Detection & Response
Detecting the social engineering aspect of this attack is challenging, as it relies on human interaction. However, successful key theft often involves technical indicators such as the use of remote access tools (RATs) to view the screen, or automated scripts attempting to extract the key file. The rules below target these technical precursors and artifacts.
SIGMA Rules
YAML
---
title: Potential Signal Recovery Key Exfiltration via Clipboard
id: 8f4a2c1e-6d9f-4b5a-8c3d-1e2f3a4b5c6d
status: experimental
description: Detects processes accessing the clipboard that frequently occur during spear-phishing campaigns targeting sensitive data like recovery keys. This rule flags suspicious activity where Signal is active and clipboard access utilities spawn.
references:
- https://www.fbi.gov/news/press-rel
author: Security Arsenal
date: 2026/04/06
tags:
- attack.credential_access
- attack.t1115logsource:
category: process_creation
product: windows
detection:
selection_clipboard:
Image|endswith:
- '\powershell.exe'
- '\cmd.exe'
- '\python.exe'
CommandLine|contains:
- 'Get-Clipboard'
- 'clip'
filter_signal:
ParentImage|endswith: '\Signal.exe'
condition: selection_clipboard and filter_signal
falsepositives:
- Legitimate user copying data from Signal CLI (rare)
level: high
---
title: Signal Desktop Spawning Shell
id: 9a5b3d2e-7e0a-5c6b-9d4e-2f3a4b5c6d7e
status: experimental
description: Detects Signal Desktop spawning a command shell or PowerShell. This is unusual behavior for standard Signal usage and may indicate an attacker attempting to script key extraction or load malicious tools.
references:
- https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/04/06
tags:
- attack.execution
- attack.t1059.003
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\Signal.exe'
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
falsepositives:
- Legitimate debugging by user or developer
level: medium
---
title: Remote Access Tool Execution with Signal Active
id: 1b2c3d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects the execution of known Remote Access Tools (RATs) often used by threat actors to visually hijack screens to steal recovery keys or force OTP entry.
references:
- https://attack.mitre.org/techniques/T1219/
author: Security Arsenal
date: 2026/04/06
tags:
- attack.command_and_control
- attack.t1219
logsource:
category: process_creation
product: windows
detection:
selection_rat:
Image|endswith:
- '\anydesk.exe'
- '\teamviewer.exe'
- '\supremo.exe'
- '\screenconnect.exe'
- '\quickassist.exe'
timeframe: 5m
filter_signal:
Image|endswith: '\Signal.exe'
condition: selection_rat and not filter_signal
falsepositives:
- Authorized IT support activity
level: high
**KQL (Microsoft Sentinel / Defender)**
KQL — Microsoft Sentinel / Defender
// Hunt for Signal Desktop process activity correlated with suspicious child processes
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "Signal.exe"
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "python.exe", "cscript.exe", "wscript.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, CommandLine, FileName, FolderPath
| order by Timestamp desc
**Velociraptor VQL**
VQL — Velociraptor
-- Hunt for remote access tools and Signal interaction
SELECT Pid, Name, CommandLine, Exe, Username
FROM pslist()
WHERE Name =~ "Signal.exe"
OR Name =~ "AnyDesk"
OR Name =~ "TeamViewer"
OR Name =~ "Supremo"
OR Name =~ "Parsec"
**Remediation Script (PowerShell)**
PowerShell
<#
.SYNOPSIS
Audit Script for Signal Security Configuration & Remote Access Tools.
.DESCRIPTION
Checks for the presence of Signal Desktop and common Remote Access Tools.
Note: Recovering from a Recovery Key compromise requires user action (regenerating the key).
#>
Write-Host "[+] Auditing Endpoint for Signal Security Risks..." -ForegroundColor Cyan
# Check for Signal Desktop Installation
$signalPath = "$env:LOCALAPPDATA\Programs\signal-desktop\Signal.exe"
if (Test-Path $signalPath) {
Write-Host "[!] Signal Desktop is installed. User action required to verify Recovery Key integrity." -ForegroundColor Yellow
Write-Host " Path: $signalPath"
} else {
Write-Host "[-] Signal Desktop not found." -ForegroundColor Gray
}
# Check for Common RATs (Indicators of potential remote hijacking)
$rats = @("AnyDesk.exe", "TeamViewer.exe", "tv_w64.exe", "Supremo.exe", "RemoteDesktopManager.exe", "ScreenConnect.ClientService.exe")
$foundRats = Get-Process -ErrorAction SilentlyContinue | Where-Object { $rats -contains $_.ProcessName }
if ($foundRats) {
Write-Host "[WARNING] Remote Access Tool detected running: " -ForegroundColor Red
$foundRats | ForEach-Object { Write-Host " - $($_.ProcessName) (PID: $($_.Id))" }
Write-Host "[ACTION] Verify if this session is authorized." -ForegroundColor Red
} else {
Write-Host "[+] No common Remote Access Tools detected running." -ForegroundColor Green
}
Remediation
Since this is primarily a compromise of user credentials (the Recovery Key) rather than a software bug, patching is not the solution. Identity Hygiene is the priority.
- Immediate Key Rotation: If a user suspects they revealed their key, they must immediately generate a new Recovery Key within Signal Settings (Chats > Chat Backups > Generate Recovery Key).
- Enable Registration Lock: This is the most critical defense. It requires the user's Signal PIN to re-register the device on a new phone, preventing account takeover even if the recovery key is stolen.
- Path: Settings > Account > Registration Lock.
- Revoke Linked Devices: Users should audit "Linked Devices" in Signal settings and remove any unfamiliar devices immediately.
- Disable Cloud Backups (Optional): For high-risk personnel, consider disabling cloud backups entirely if the historical data is not mission-critical, removing the Recovery Key attack vector.
- User Awareness: Explicitly warn users: Never share the 30-digit Backup Recovery Key, even with individuals claiming to be IT support or law enforcement. Legitimate support staff never need this key.
Related Resources
Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub
healthcare-cybersecurityhipaa-compliancehealthcare-ransomwareehr-securitymedical-data-breachsignalapt29social-engineering
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.