Signal Messenger A.I CyberSecurity Scoring
Signal Messenger
Company Information
Website:https://signal.org
Employees number:109
Number of followers:36,218
NAICS:513
Industry Type:Technology, Information and Internet
Homepage:signal.org
Signal Messenger Risk Score (AI oriented)
Between 650 and 699
Signal MessengerTechnology, Information and Internet
Updated:
01/06/2026
01/06/2026
688/1000
Weak
B
Signal Messenger Global Score (TPRM)
xxxx
Signal MessengerTechnology, Information and Internet
Score locked

Signal MessengerWeak
Current Score
688B (WEAK)
01000
5 incidents
-19.33 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026
690
JUNE 2026
707
Cyber Attack
01 Jun 2026 • Signal Messenger
Signal: Hackers Target Signal Users to Steal Backups in New Attack Wave
Signal Users Targeted in Phishing Campaign Exploiting Backup Recovery Keys
688
CRITICAL-19
SIG1780295029
Signal Users Targeted in Phishing Campaign Exploiting Backup Recovery Keys
A coordinated phishing campaign is exploiting Signal’s in-app messaging to deceive users into surrendering their backup recovery keys, granting attackers access to years of encrypted conversations. The scheme, first reported in late May 2026, impersonates "Signal Support" with fraudulent messages warning of imminent data loss due to a fabricated "sync issue."
Victims receive direct messages from an unverified account labeled "Signal Support," urging them to act quickly to avoid permanent data loss. The message instructs users to navigate to Signal’s backup settings, copy their recovery key, and paste it into the chat claiming this will "link" their backup. In reality, the key decrypts stored chat histories, allowing attackers to access messages, media, and sensitive documents in plaintext.
Unlike previous attacks that hijacked live accounts via registration codes, this campaign focuses on stealing archived backups, targeting journalists, dissidents, and anti-Chinese Communist Party activists. Security researchers confirm the messages are part of a broader, politically motivated effort, with human rights defenders and civil society groups disproportionately affected.
Signal has reiterated that its official support team will never initiate contact within the app or request recovery keys, PINs, or registration codes. Any such message should be treated as malicious. While Signal’s infrastructure encrypts backups, the recovery key remains the sole decryption method making it a prime target for phishing.
Experts note that backups often contain sensitive historical content assumed to be secure. To mitigate risk, users are advised to enable registration lock, use strong PINs, and monitor device-change alerts. Disappearing messages can also limit exposure by reducing stored data. The campaign underscores the growing sophistication of phishing tactics targeting secure communication tools.
INCIDENT DETAILS -
TYPE
MOTIVATION
IMPACT
DATA BREACH
REFERENCES
MAY 2026
706
APRIL 2026
705
MARCH 2026
723
Cyber Attack
17 Mar 2026 • Signal Messenger
Bundesnachrichtendienst, WhatsApp and Signal: Signal Cyberattack in Germany Targets Politicians Through Impersonation
German Government Officials Targeted in Coordinated Social Engineering Attack on Signal and WhatsApp
703
CRITICAL-20
WHABUNSIG1773750470
German Government Officials Targeted in Coordinated Social Engineering Attack on Signal and WhatsApp
A sophisticated cyberattack has targeted high-ranking German officials, including former Bundesnachrichtendienst (BND) Vice President Arndt Freytag von Loringhoven, by impersonating Signal support staff. The campaign, which appears to be part of a broader effort, has affected multiple politicians and government figures across Germany, raising concerns about the security of encrypted communication channels used for sensitive exchanges.
Attackers exploited trust in well-known messaging platforms by posing as legitimate support personnel, attempting to extract account credentials, redirect verification codes, or gain unauthorized access to private conversations. Unlike traditional cyberattacks that target encryption vulnerabilities, this campaign relied on social engineering manipulating users into voluntarily surrendering access.
Signal and WhatsApp, favored by officials for their strong encryption, became prime targets due to their perceived security. The attackers leveraged the platforms’ reputations to make their impersonation attempts more convincing, highlighting a growing risk: even secure tools are vulnerable when users are deceived.
German security institutions are expected to strengthen operational security measures in response, as the incident underscores how threat actors view messaging platforms as a potential entry point into sensitive networks. The attacks serve as a reminder that human behavior, not just technical defenses, remains a critical vulnerability in cybersecurity.
INCIDENT DETAILS -
TYPE
IMPACT
DATA BREACH
REFERENCES
FEBRUARY 2026
721
JANUARY 2026
721
DECEMBER 2025
720
NOVEMBER 2025
737
Cyber Attack
01 Nov 2025 • Signal Messenger
Signal, Surfshark and UltraViewer: Silver Fox Abuses Stolen EV Certificates in AtlasCross RAT Malware Campaign
Silver Fox APT Targets Chinese-Speaking Users with Stealthy AtlasCross RAT Campaign
718
HIGH-19
SURSIGULT1774535812
Silver Fox APT Targets Chinese-Speaking Users with Stealthy AtlasCross RAT Campaign
A Chinese-nexus advanced persistent threat (APT) group, tracked as Silver Fox (also known as Void Arachne and SwimSnake), is conducting a sophisticated campaign targeting Chinese-speaking users and professionals. Security researcher Maurice Fielenbach of Hexastrike uncovered the operation, which leverages typosquatted domains impersonating trusted brands like Surfshark, Signal, and Zoom to distribute malware.
The attackers use stolen Extended Validation (EV) code-signing certificates issued to a Vietnamese entity, DUC FABULOUS CO.,LTD (valid until May 2027) to bypass security checks and establish deep persistence in enterprise networks. Victims are lured into downloading a ZIP archive containing a triple-nested Setup Factory installer, which deploys a trojanized Autodesk component (Schools.exe) alongside legitimate decoy applications like UltraViewer to avoid suspicion.
The malware employs advanced evasion techniques, including Process Environment Block (PEB) walking and ROR13 hashing, to dynamically resolve APIs and evade static analysis. It retrieves a second-stage shellcode payload from its command-and-control (C2) server over raw TCP, then loads the AtlasCross RAT entirely in memory using a reflective loader, leaving no disk footprint.
At the core of the attack is AtlasCross RAT, which integrates a custom PowerShell execution engine (PowerChell). This framework disables critical security mechanisms, including:
- Antimalware Scan Interface (AMSI)
- Event Tracing for Windows (ETW)
- Constrained Language Mode (CLM)
- ScriptBlock logging
The RAT communicates with its C2 infrastructure using ChaCha20 encryption and hardware-generated random keys. To maintain persistence, it terminates TCP connections used by Chinese security tools like 360 Total Security and Huorong, preventing signature updates without killing processes. Additional tactics include DLL injection into WeChat (Wxfun.dll) for data harvesting and RDP session hijacking via tscon.exe.
The campaign, active between November 2025 and March 2026, demonstrates Silver Fox’s evolution from driver-based process termination to network-level disruption, signaling a rapidly maturing threat actor. Key indicators of compromise (IOCs) include the stolen EV certificate (2C1D12F8BBE0827400A8440AF74FFFA8DCC8097C), C2 domain (bifa668.com), and typosquatted domains (www-surfshark[.]com, signal-signal[.]com). Security teams are advised to monitor for non-standard processes loading System.Management.Automation.dll and scheduled tasks under \Microsoft\Windows\AppID\.
INCIDENT DETAILS -
TYPE
IMPACT
DATA BREACH
REFERENCES
OCTOBER 2025
737
SEPTEMBER 2025
737
AUGUST 2025
736
JULY 2025
740
Vulnerability
01 Jul 2025 • Signal Messenger
Apple and Signal: iOS Flaw Exposed ‘Deleted’ Signal Messages
Apple Patches iOS Flaw Exposing 'Deleted' Signal Messages in FBI Investigation
735
CRITICAL-5
SIGAPP1777020266
Apple Patches iOS Flaw Exposing "Deleted" Signal Messages in FBI Investigation
Apple has released emergency security updates to fix a critical privacy flaw in iOS that allowed supposedly deleted notification data including message previews from encrypted apps like Signal to persist on iPhones and be recovered later. The vulnerability, patched in iOS 26.4.2 and iOS 18.7.8, was exploited by U.S. investigators to extract Signal messages from a suspect’s device without breaking encryption.
The issue came to light after a 404 Media report revealed that the FBI recovered Signal messages from an iPhone linked to a criminal case involving vandalism and an assault on a police officer at the ICE Prairieland Detention Facility in Alvarado, Texas, in July. Despite the Signal app being deleted from the device, investigators retrieved message previews from the iPhone’s notification database, which had retained the data due to a logging bug.
According to Apple’s security advisory, the flaw caused notifications marked for deletion to remain stored on the device, even after disappearing from the user interface. This could expose sensitive content, such as message text or login codes, from any app. The company addressed the issue with improved data redaction, ensuring deleted notifications are no longer recoverable.
Signal acknowledged the fix in a statement, confirming that no action is required from users beyond installing the iOS update. Once applied, the patch deletes inadvertently preserved notifications and prevents future retention of such data. The company praised Apple’s swift response, emphasizing the importance of ecosystem-wide efforts to protect private communications.
The incident underscores the risks of system-level data retention, even in encrypted messaging apps. While Signal’s end-to-end encryption remained intact, the flaw created a secondary record of conversations that persisted after deletion. Users are advised to update their devices to the latest iOS versions to mitigate the vulnerability.
INCIDENT DETAILS -
TYPE
MOTIVATION
IMPACT
DATA BREACH
REFERENCES
NOVEMBER 2024
767
Cyber Attack
01 Nov 2024 • Signal Messenger
WhatsApp and Signal: Cyberattaque: La Russie pirate WhatsApp et Signal
Russian State-Backed Hackers Target WhatsApp and Signal Accounts in Global Espionage Campaign
736
CRITICAL-31
WHASIG1773347242
Russian State-Backed Hackers Target WhatsApp and Signal Accounts in Global Espionage Campaign
Russian state-linked cyber actors have launched a large-scale campaign to hijack WhatsApp and Signal accounts, primarily targeting government officials, military personnel, diplomats, and journalists. The attacks, first detected in late 2024, exploit trusted features of the messaging platforms rather than vulnerabilities in their encryption.
For WhatsApp, hackers trick victims into scanning a malicious QR code or clicking a link under the guise of joining a group. Instead of adding the user to a chat, the action grants attackers full access to the account, allowing them to read messages undetected while the victim remains unaware. On Signal, attackers impersonate the platform’s "Security Support" chatbot, convincing users to share SMS verification codes enabling them to register the victim’s account on their own device.
Dutch intelligence agencies (MIVD and AIVD) confirmed the campaign’s origins, warning that high-value targets including journalists from German outlets like Zeit, Correctiv, and netzpolitik.org have been compromised since at least November 2024. While neither WhatsApp nor Signal’s underlying security was breached, the attacks leverage social engineering to bypass protections.
Swiss authorities, including the Federal Intelligence Service (SRC), noted the campaign reflects a broader shift toward mobile-focused espionage. The Swiss federal administration mandates Threema Work for sensitive communications but does not outright ban WhatsApp on official devices. However, officials emphasize caution with unsolicited messages, as legitimate services like Signal will never request verification codes or PINs via in-app messages.
The incidents underscore the growing threat to widely used encrypted platforms, particularly when attackers exploit human trust rather than technical flaws.
INCIDENT DETAILS -
TYPE
MOTIVATION
IMPACT
DATA BREACH
REFERENCES
Frequently Asked Questions
?
What is the current A.I Rankiteo Cyber Score for Signal Messenger ??
What was Signal Messenger's A.I Rankiteo Cyber Score in June 2026 ??
What was Signal Messenger's A.I Rankiteo Cyber Score in May 2026 ??
What was Signal Messenger's A.I Rankiteo Cyber Score in April 2026 ??
What was Signal Messenger's A.I Rankiteo Cyber Score in March 2026 ??
What was Signal Messenger's A.I Rankiteo Cyber Score in February 2026 ??
What was Signal Messenger's A.I Rankiteo Cyber Score in January 2026 ??
What was Signal Messenger's A.I Rankiteo Cyber Score in December 2025 ??
What was Signal Messenger's A.I Rankiteo Cyber Score in November 2025 ??
What was Signal Messenger's A.I Rankiteo Cyber Score in October 2025 ??
What was Signal Messenger's A.I Rankiteo Cyber Score in September 2025 ??
What was Signal Messenger's A.I Rankiteo Cyber Score in August 2025 ??
What is the average per-incident point impact on Signal Messenger's A.I Rankiteo Cyber Score over the past 12 months ??
Where can I access detailed records of all cyber incidents associated with Signal Messenger ??
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology ??
Where can I view Signal Messenger's profile page on Rankiteo ??
How accurate is the A.I Rankiteo Risk Scoring methodology ?