An active social engineering campaign is targeting high-value users, specifically journalists and activists, on the Signal messaging platform. Attackers send SMS messages impersonating "Signal Support" and urge recipients to hand over their 30-digit Signal backup recovery key.
Unlike conventional phishing, which harvests credentials to reach data the victim will produce in future, this campaign goes after the crown jewel of the user's privacy: the recovery key. Combined with a copy of the encrypted backup, the key lets an attacker decrypt it offline and gain full retrospective access to chat history, contacts and media. Defenders should educate users now and put controls in place to detect lure traffic and contain the fallout if a key is disclosed.
Technical Analysis
Affected Products:
- Signal Messenger (All platforms: Android, iOS, Desktop)
Attack Vector:
- Social Engineering (Smishing): Attackers use SMS to initiate contact and manufacture urgency by posing as official support.
Attack Mechanics:
- Initial Contact: The target receives an SMS that appears to come from "Signal Support". The message typically claims the account will be suspended or that verification is required.
- The Hook: The attacker asks the user to provide their 30-digit "Signal PIN" or "Recovery Key". These are two different secrets (the PIN is the short registration-lock code; the recovery key protects backups) and Signal never asks for either; the lure uses whichever wording gets the target to paste the backup key.
- Exploitation: The recovery key is the secret from which the key encrypting message backups is derived. The encrypted backup lives on local device storage or in a cloud drive the user copied it to (e.g., Google Drive, iCloud). Signal's servers never hold the recovery key, so nothing on the server side can revoke a key that has been handed over or notice that it is being misused.
- Impact: With the key and a copy of the encrypted backup (taken from the user's cloud storage if that is compromised separately, or through a shared link the victim is talked into providing), the attacker decrypts the entire message history offline. End-to-end encryption protects messages in transit only; a decrypted backup at rest sidesteps it completely.
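Toy model of the backup mechanics just described, added here as an illustration and not taken from Signal or from the original advisory. It is not Signal's backup format, key-derivation parameters or cipher: PBKDF2 and an HMAC-based stream cipher are stand-ins, and the 30-digit key length is simply the figure used above. What it shows is the property the attack exploits: the key is derived on the client, the service never holds it, and anyone with the key plus a copy of the blob decrypts it offline, while a rotated key leaves the old one useless.

```python
"""Toy model of a recovery-key-protected backup (illustration only; NOT Signal's format,
KDF or cipher). Standard library only so it runs anywhere."""
import hashlib
import hmac
import os
import secrets

RECOVERY_KEY_DIGITS = 30    # the advisory describes a 30-digit key; the length is a parameter here
KDF_ITERATIONS = 100_000    # assumption: illustrative work factor, not Signal's


def generate_recovery_key() -> str:
    """10^30 possible keys: guessing is hopeless, which is exactly why the attacker asks for it."""
    return "".join(str(secrets.randbelow(10)) for _ in range(RECOVERY_KEY_DIGITS))


def derive_keys(recovery_key: str, salt: bytes):
    """Stretch the human-readable key into an encryption key and a MAC key.
    Only the client ever runs this; storage holds salt and ciphertext, never the key."""
    if not (recovery_key.isdigit() and len(recovery_key) == RECOVERY_KEY_DIGITS):
        raise ValueError("recovery key must be exactly %d digits" % RECOVERY_KEY_DIGITS)
    master = hashlib.pbkdf2_hmac("sha256", recovery_key.encode(), salt, KDF_ITERATIONS, dklen=64)
    return master[:32], master[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in stream cipher (toy; use AES-GCM in real code)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_backup(recovery_key: str, plaintext: bytes) -> bytes:
    """Blob layout (this example's own): salt(16) || nonce(16) || ciphertext || tag(32)."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(recovery_key, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def decrypt_backup(recovery_key: str, blob: bytes) -> bytes:
    """Exactly what an attacker holding the disclosed key and a copy of the blob does:
    no network, no server interaction. The tag is checked before anything is decrypted."""
    if len(blob) < 64:
        raise ValueError("blob too short")
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(recovery_key, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong recovery key or corrupted backup")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def attacker_can_read(stolen_key: str, blob: bytes) -> bool:
    """True if the stolen key opens this blob. A backup re-created under a fresh key
    (key rotation) is opaque to the old key, which is the point of rotating it."""
    try:
        decrypt_backup(stolen_key, blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key = generate_recovery_key()
    history = b"constructed sample chat history"   # stand-in for a real backup
    blob = encrypt_backup(key, history)
    print("disclosed key opens the existing backup:", attacker_can_read(key, blob))
    rotated = encrypt_backup(generate_recovery_key(), history)
    print("disclosed key opens a backup made under a new key:", attacker_can_read(key, rotated))
```

Note what the model does not give the attacker: without a copy of the blob there is nothing to run `decrypt_backup` on, which is why purging every copy of the old backup and rotating the key are the two remediation steps that actually matter.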
Exploitation Status:
- Reported Active Exploitation: Security Affairs reports this campaign actively targeting users in the wild (see the reference in the rules below).
Detection & Response
This attack originates via SMS, which is invisible to EDR and corporate proxies; the second stage usually involves the user opening a link to a phishing page. The rules below look for campaign keywords in web proxy and URL telemetry, and baseline the network behaviour of the Signal Desktop process. Note the blind spot: proxy and endpoint logs only capture a lure link that is opened from a managed endpoint, not one tapped on the phone that received the SMS.
```yaml
title: Potential Signal Phishing Lure - Proxy/URL Logs
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: |
    Detects requests for URLs that trade on the Signal name together with lure terms
    ("support", "recovery", "key", "verify", "backup") but are not served from signal.org.
    Such pages are the second stage of the smishing campaign and only appear in proxy logs
    when the user opens the link from a managed endpoint; the SMS itself is never seen here.
references:
    - https://securityaffairs.com/192899/security/signal-phishing-campaign-targets-journalists-and-activists-to-steal-backup-recovery-keys.html
author: Security Arsenal
date: 2025/04/09
tags:
    - attack.initial_access
    - attack.t1566
    - attack.credential_access
logsource:
    category: proxy
    product: any
detection:
    selection_brand:
        c-uri|contains: 'signal'
    selection_lure:
        c-uri|contains:
            - 'support'
            - 'recovery'
            - 'key'
            - 'verify'
            - 'backup'
    filter_legit_sub:
        cs-host|endswith: '.signal.org'
    filter_legit_apex:
        cs-host: 'signal.org'
    condition: all of selection_* and not 1 of filter_legit_*
falsepositives:
    - Third-party articles and help pages that discuss Signal backups or recovery keys
    - Legitimate Signal documentation reached through a redirector or CDN host outside signal.org
level: medium
```
```yaml
title: Signal Desktop Network Connection to Non-Signal Host
id: 2b3c4d5e-6f7a-8b9c-0d1e-2f3a4b5c6d7e
status: experimental
description: |
    Baselines outbound connections from Signal Desktop (Signal.exe) to hosts outside signal.org.
    Links clicked in a chat are handed to the default browser, so this rule does not see the
    phishing page itself; it surfaces link-preview fetches and any unexpected egress from the
    Signal process for review alongside browser and proxy telemetry.
references:
    - https://securityaffairs.com/192899/security/signal-phishing-campaign-targets-journalists-and-activists-to-steal-backup-recovery-keys.html
author: Security Arsenal
date: 2025/04/09
tags:
    - attack.command_and_control
    - attack.t1071
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\Signal.exe'
        Initiated: 'true'
    filter_main_sub:
        DestinationHostname|endswith: '.signal.org'
    filter_main_apex:
        DestinationHostname: 'signal.org'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Link previews in chats, which fetch arbitrary third-party domains
    - Events with an empty DestinationHostname (no reverse lookup); allowlist known Signal IP ranges separately
level: low
```
**KQL (Microsoft Sentinel / Defender)**
Hunts endpoint URL telemetry for the lure terms associated with the campaign, excluding pages actually served from signal.org. Mobile devices that are not enrolled in Defender for Endpoint produce no DeviceNetworkEvents, so this only catches a link re-opened on a managed endpoint. Signal Desktop egress is covered by the Sigma rule above.
```kql
// Hunt for Signal-themed lure URLs in endpoint URL telemetry.
// Not restricted to Signal.exe: a link tapped in an SMS opens the phone's browser and a link
// clicked in Signal Desktop opens the default browser, so a browser process fetches the lure.
let LureTerms = dynamic(["recovery", "recoverykey", "backup", "verify", "support", "suspended"]);
DeviceNetworkEvents
| where Timestamp > ago(30d) and isnotempty(RemoteUrl)
// RemoteUrl is sometimes a bare hostname; handle both forms before allowlisting signal.org
| extend Host = tolower(tostring(iff(RemoteUrl contains "://", parse_url(RemoteUrl).Host, split(RemoteUrl, "/")[0])))
| where RemoteUrl contains "signal" and Host != "signal.org" and Host !endswith ".signal.org"
| where RemoteUrl has_any (LureTerms)
| summarize Hits = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Users = make_set(InitiatingProcessAccountName), Processes = make_set(InitiatingProcessFileName)
    by DeviceName, Host, RemoteUrl
| order by Hits desc
```
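The two hunts above (the lure-URL rule and KQL query, and the Signal Desktop host baseline) as one added Python reference implementation run over constructed log lines. This is example code written for this page, not the advisory's own rules or anything from Signal; the proxy line layout, the event dictionaries and every hostname in the samples are constructed placeholders, and the `signal.org` allowlist is an assumption to be extended from your own egress baseline.

```python
"""Reference implementation of the lure-URL heuristic and the Signal Desktop egress
baseline. Sample data is constructed; lookalike hostnames are placeholders."""
from urllib.parse import unquote, urlsplit

# Assumption: first-party Signal traffic goes to signal.org or a subdomain of it.
LEGIT_SUFFIXES = ("signal.org",)
LURE_TERMS = ("recovery", "backup", "verify", "suspend", "support")


def is_signal_host(host: str) -> bool:
    """Dot-anchored suffix match: chat.signal.org is first-party, signal.org.example
    and notsignal.org are not. A plain substring test gets both of those wrong."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)


def lure_score(url: str) -> int:
    """Score a URL that trades on the Signal name but is not served by Signal: one point
    per lure term in host+path+query, plus one if 'signal' sits in the hostname itself.
    Anything on signal.org scores 0, so the real support documentation stays quiet."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host or is_signal_host(host):
        return 0
    text = unquote(f"{host}{parts.path}?{parts.query}").lower()
    if "signal" not in text:
        return 0
    return sum(term in text for term in LURE_TERMS) + ("signal" in host)


def flag_proxy_lines(lines, threshold: int = 2):
    """Run lure_score over W3C-style 'date time c-ip cs-method cs-uri' lines (a constructed
    layout; map the field positions to your proxy's format). Returns (client, url, score)."""
    hits = []
    for line in lines:
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 5:
            continue
        client, url = fields[2], fields[4]
        score = lure_score(url)
        if score >= threshold:
            hits.append((client, url, score))
    return hits


def anomalous_signal_connections(events):
    """Sysmon/EDR network events: keep Signal.exe connections whose destination is not
    Signal. Link previews land here too, so review this as a baseline, not as an alert."""
    out = []
    for ev in events:
        image = ev.get("Image", "").replace("/", "\\").lower()
        if not image.endswith("\\signal.exe"):
            continue
        host = ev.get("DestinationHostname") or ev.get("DestinationIp", "")
        if not is_signal_host(host):
            out.append(ev)
    return out


# Constructed sample data (not real logs; hostnames are placeholders).
SAMPLE_PROXY_LOG = [
    "#Fields: date time c-ip cs-method cs-uri",
    "2025-04-09 10:01:02 10.0.0.15 GET https://support.signal.org/hc/en-us/articles/backup-recovery-key",
    "2025-04-09 10:03:44 10.0.0.15 GET https://signal-support.example/verify?recovery=1&key=",
    "2025-04-09 10:04:10 10.0.0.22 POST https://signal.org.example/account/suspended",
    "2025-04-09 10:05:00 10.0.0.30 GET https://news.example/signal-backup-feature-review",
]
SAMPLE_NET_EVENTS = [
    {"Image": r"C:\Users\a\AppData\Local\Programs\signal-desktop\Signal.exe",
     "DestinationHostname": "chat.signal.org"},
    {"Image": r"C:\Users\a\AppData\Local\Programs\signal-desktop\Signal.exe",
     "DestinationHostname": "signal.org.example"},
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "signal.org.example"},
]

if __name__ == "__main__":
    for client, url, score in flag_proxy_lines(SAMPLE_PROXY_LOG):
        print(f"[lure] {client} -> {url} (score {score})")
    for ev in anomalous_signal_connections(SAMPLE_NET_EVENTS):
        print(f"[signal-egress] {ev['Image']} -> {ev['DestinationHostname']}")
```

Against the samples, the two lookalike lures are flagged, the genuine support.signal.org article scores 0, and the news article mentioning Signal backups stays below the threshold; the only Signal.exe connection surfaced is the one to the lookalike host.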
**Velociraptor VQL**
Hunts for Signal Desktop's local data and for Signal backup archives copied to the endpoint, to assess the blast radius if a key is compromised, and records when those files were last modified and accessed.
```vql
-- Hunt for Signal Desktop local data and any Signal backup archives on the endpoint.
-- Signal Desktop keeps its SQLCipher database under <profile>/Signal/sql/ with the DB key in
-- config.json; it does not write passphrase-protected backup files. Archives exported from a
-- phone (signal-<timestamp>.backup) are what the stolen key would decrypt, so look for copies.
-- Note: ** recurses a limited number of levels by default; use **10 to go deeper.
SELECT OSPath, Size, Mtime, Atime
FROM glob(globs=[
    "C:/Users/*/AppData/Roaming/Signal/sql/*.sqlite",
    "C:/Users/*/AppData/Roaming/Signal/config.json",
    "C:/Users/*/**/signal-*.backup",
    "/Users/*/Library/Application Support/Signal/sql/*.sqlite",
    "/Users/*/Library/Application Support/Signal/config.json",
    "/Users/*/**/signal-*.backup",
    "/home/*/.config/Signal/sql/*.sqlite",
    "/home/*/**/signal-*.backup"])
WHERE NOT IsDir
```
**Remediation Script (PowerShell)**
This script supports the audit phase by locating the Signal Desktop installation, its local data and any Signal backup archives on a Windows endpoint, so the responder can judge what a stolen key could decrypt. It is read-only; if key theft is confirmed, the clean-up steps in the closing comments are performed by hand.
```powershell
<#
.SYNOPSIS
Audit Script: Detect Signal Desktop Installation and Backup Artifacts
.DESCRIPTION
Locates the Signal Desktop executable, its local data directory and any Signal backup archives
(phone-exported signal-*.backup files copied to the PC) for risk assessment.
Run this to determine whether the targeted user has local backups that the stolen key could decrypt.
Read-only: nothing is deleted.
#>
$ErrorActionPreference = "SilentlyContinue"

# Default per-user install and data locations for Signal Desktop
$SignalPath     = "$env:LOCALAPPDATA\Programs\signal-desktop\Signal.exe"
$SignalDataPath = "$env:APPDATA\Signal"

Write-Host "[+] Checking for Signal Desktop Installation..."
if (Test-Path $SignalPath) {
    Write-Host "[!] Signal Desktop Installed: $SignalPath" -ForegroundColor Yellow
} else {
    Write-Host "[-] Signal Desktop executable not found at the default per-user path."
}

# The data directory can outlive an uninstall, so check it regardless of the executable.
if (Test-Path $SignalDataPath) {
    Write-Host "[+] Scanning for database/backup artifacts in $SignalDataPath..."
    $Files = Get-ChildItem -Path $SignalDataPath -Recurse -File |
        Where-Object { $_.Extension -match '^\.(db|sqlite|sql|backup)$' -or $_.Name -match 'backup' }
    if ($Files) {
        $Files | ForEach-Object {
            Write-Host "  - Found: $($_.FullName) (Modified: $($_.LastWriteTime))" -ForegroundColor Cyan
        }
    } else {
        Write-Host "  [+] No database/backup artifacts found in the Signal Desktop profile."
    }
}

# Backup archives exported from a phone are often copied into the user profile; look for them too.
Write-Host "[+] Scanning $env:USERPROFILE for Signal backup archives (signal-*.backup)..."
Get-ChildItem -Path $env:USERPROFILE -Recurse -File -Filter 'signal-*.backup' |
    ForEach-Object { Write-Host "  - Found: $($_.FullName) (Modified: $($_.LastWriteTime))" -ForegroundColor Yellow }

# Note: If a compromise is confirmed, remediation is manual:
# 1. Delete every backup protected by the disclosed key (local, cloud, and copies on PCs).
# 2. Rotate the key: turn backups off and on again in Signal so a new recovery key is generated.
# 3. Uninstall Signal Desktop, delete %APPDATA%\Signal, reinstall and re-link the device.
# 4. Contacts see a safety-number change after re-registration; tell them out of band that
#    earlier history may have been read.
```
Remediation
If a user has fallen victim to this campaign and handed over their 30-digit recovery key, immediate and aggressive remediation is required:
- Rotate the Key: The disclosed key can never be trusted again. Turn backups off and on again in Signal so a fresh recovery key is generated, and store the new key somewhere the attacker cannot reach.
- Uninstall & Reinstall: Deleting chats inside the app does nothing for a backup that already exists. The user must uninstall the Signal application completely rather than rely on clearing history.
- Sanitize Storage: Delete the local data directories (`%AppData%\Signal` on Windows, `~/Library/Application Support/Signal` on macOS) and any local backup files.
- Cloud Backup Purge: If the user copied backups to cloud storage (Google Drive/iCloud), delete the `Signal Backup` folder immediately. The attacker holds the key for the old backup; removing every copy of that backup leaves nothing for the key to decrypt. Treat any copy the attacker may already have downloaded as compromised.
- Re-register: Reinstall Signal and re-register the device.
- Notify Contacts: Re-registration changes the user's safety number, so contacts receive an automatic "safety number has changed" notice. The user must also tell contacts out of band that prior conversations may have been read, and verify safety numbers in person or by voice before discussing anything sensitive.
- User Education: Reinforce that Signal Support never asks for a PIN or recovery key, by any channel. Legitimate support does not require access to these secrets.