As Ukraine continues to defend itself on the battlefield, a different kind of assault is targeting its military communications. Russian hackers have launched sophisticated spear-phishing attacks through Signal, the messaging app relied on by Ukrainian forces for secure communications. The tactics are clever, and frankly, terrifying.
These attackers aren’t amateurs. They’ve compromised existing Signal accounts and use them to send what look like legitimate messages to military personnel. Google’s Threat Intelligence Group has identified multiple Russian groups targeting Ukrainian government and military personnel since 2023. Imagine getting a message from your commander that’s actually from some guy in Moscow. Not great.
The digital battlefield is just as dangerous—when your commander texts, it might be a hacker with bad intentions.
The malicious messages often contain attachments disguised as meeting reports or military documents. Click on them, and boom—your device is infected with DarkTortilla cryptor or Dark Crystal RAT. These nasty pieces of software give attackers remote access to infected systems. Every keystroke, every photo, every message becomes an open book to the enemy.
What makes these attacks particularly effective is their timing and relevance. The phishing lures reference current military concerns—UAVs, electronic warfare, the stuff Ukrainian soldiers actually care about. The hackers have been busy since March 2025, adapting their techniques and refining their targeting. Among the most dangerous tactics identified is the use of captured devices from battlefields to reroute linked accounts for surveillance purposes.
The consequences aren’t just digital. Compromised communications have reportedly led to real-world artillery strikes. That’s right—intercepted messages translate directly to actual explosions. This isn’t just annoying spam; it’s a matter of life and death. The attacks function as a form of operational intelligence that reveals Ukrainian military techniques and positions to adversaries.
Security experts tracking these threats under the UAC-0200 cluster recommend simple but essential steps: disable automatic downloads in Signal, check linked devices regularly, and enable two-factor authentication.
The “Linked Devices” feature is particularly vulnerable—attackers can connect their own devices to victims’ accounts using malicious QR codes.
This cyber front represents a significant escalation in Russia’s campaign against Ukraine. As military technologies advance, so do the methods to compromise them. The battlefield extends well beyond trenches and tanks now. It’s on your phone, in your pocket, everywhere you communicate.
