☀️ Good morning and happy Monday. Here's everything that happened in cybersecurity yesterday — in under 5 minutes.
Germany formally blames Russia for a coordinated Signal phishing campaign targeting MPs, diplomats, and journalists, Toronto police dismantled a drive-by SMS blaster operation that could block 911 calls across the city, a new threat group called UNC6692 is using Microsoft Teams to deploy a custom three-part malware suite, utility giant Itron disclosed a breach of its internal IT network, and a commercial spyware tool called Morpheus is hijacking WhatsApp accounts using a fake biometric prompt.
🔥 Top Stories
01 — Germany Formally Attributes Signal Phishing Wave to Russia
Nation-State Threats
Germany has escalated its response to the Signal phishing campaign we covered Sunday — formally attributing the operation to Russian-linked state actors and opening a federal espionage investigation. The campaign is now confirmed to have targeted a broad sweep of German society: Members of Parliament, senior civil servants, diplomats, and journalists covering sensitive political beats. Federal prosecutors have opened a formal probe after authorities concluded the campaign was "presumably run from Russia."
The attack method remains consistent and devastatingly simple: impersonate Signal support staff, trick targets into sharing their SMS verification code and, where Registration Lock is enabled, their Signal PIN, re-register the account on a new device, and gain silent access to every group chat the target belongs to. (The Registration Lock PIN is the control that makes the verification code alone insufficient, which is why the lure asks for both.) By compromising a single MP's account, Russia gains access to contact networks, every message and attachment sent to those groups from that point on, and candid internal political discussions that never appear on official audited channels. Germany's decision to name Russia publicly signals a shift — these social engineering campaigns are now being treated as acts of sovereignty violation, not nuisance crime.
02 — Drive-By SMS Blasters Were Cruising Toronto Streets, Blocking 911 and Hijacking Phones
Cyber Attacks
Toronto Police's Project Lighthouse dismantled a criminal operation that mounted IMSI-catcher-style "SMS blaster" hardware inside vehicles and drove through the Greater Toronto Area, forcing tens of thousands of phones to disconnect from legitimate cell towers and connect to the attackers' rogue hardware instead. From that position, the devices sent fraudulent texts impersonating Canada Post, major banks, and government agencies — while simultaneously recording 13 million network disruption events.
The most alarming detail: during the windows when phones were camped on the rogue cell, victims' ability to reach 911 could have been impaired, because a phone that believes it is attached to a legitimate tower may not seek an alternative network for an emergency call. The technology is a direct descendant of the IMSI-catchers once used exclusively by intelligence agencies — now in the hands of three Toronto suspects running a smishing-for-profit operation. Physical infrastructure, criminal hands, public safety consequences.
03 — UNC6692 Uses Microsoft Teams to Deploy a Three-Part Custom Malware Suite
Threat Intelligence
Google's Threat Intelligence Group has formally identified UNC6692 — a new threat cluster weaponizing Microsoft Teams cross-tenant chat to deploy SNOW, a previously undocumented modular malware family. The attack chain: first flood the target's inbox with thousands of spam emails to create chaos, then send a Teams message posing as IT helpdesk offering to fix it. When the target clicks the "fix" link, an AutoHotkey dropper launches a headless Microsoft Edge browser and installs the SNOWBELT backdoor as a browser extension.
From there, SNOWGLAZE establishes a WebSocket C2 channel through Heroku, and SNOWBASIN handles command execution and harvests Active Directory files and LSASS memory — exfiltrating via AWS S3 buckets. Seventy-seven percent of identified targets held senior-level positions. The fix: in Microsoft Teams admin settings, restrict cross-tenant External Access to verified partner domains only. Two caveats: an allow list does not protect you from a partner tenant that is itself compromised, and the email-bombing precursor is its own detection signal; thousands of inbound messages to one mailbox in a short window should alert before the Teams message ever lands. This is no longer a theoretical Teams risk — it's an active, documented, human-operated attack chain with a custom toolkit built specifically for it.
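One way to apply that setting, as an added example that is not part of the original newsletter or of GTIG's reporting: the MicrosoftTeams PowerShell module's federation cmdlets, which replace the open default with an explicit allow list. The partner domain names are placeholders.

```powershell
# Added example, not code from the newsletter or from GTIG.
# Restricts Teams external access (cross-tenant federation) to an explicit
# allow list using the MicrosoftTeams PowerShell module.
# Prerequisites: Install-Module MicrosoftTeams; a Teams Administrator account.
# The partner domains below are placeholders; replace them with your real partners.

Connect-MicrosoftTeams

# 1. Capture the current federation posture so the change can be reviewed and reverted.
$before = Get-CsTenantFederationConfiguration
$before | Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains,
                        AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowPublicUsers |
    Format-List

# Weak posture (the one UNC6692 relies on): AllowFederatedUsers = $true with
# AllowedDomains reported as AllowAllKnownDomains, meaning any external tenant
# can open a chat with your users. Left as a comment on purpose; do not apply it.

# 2. Hardened posture: federation stays on, but only for named partner tenants.
$partners = @(
    'partner-one.example',   # placeholder
    'partner-two.example'    # placeholder
)
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
                                    -AllowedDomainsAsAList $partners

# 3. Close the Teams consumer and Skype paths that the allow list does not govern.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false `
                                    -AllowTeamsConsumerInbound $false `
                                    -AllowPublicUsers $false

# 4. Verify. With an allow list in place, AllowedDomains lists the partner
#    domains instead of AllowAllKnownDomains.
$after = Get-CsTenantFederationConfiguration
$after | Select-Object AllowFederatedUsers, AllowedDomains,
                       AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowPublicUsers |
    Format-List
```

Run the verification step again a little later: tenant federation changes can take time to propagate, so an immediate read-back may still show the old values. The allow list also needs an owner, since a stale partner domain that later changes hands becomes an open door.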
04 — Itron Discloses Internal IT Breach — The Smart Meter Company Behind America's Grid
Critical Infrastructure
Itron Inc. — the Liberty Lake, Washington company whose smart meters and grid management software underpin utility infrastructure across North America and Europe — has filed an SEC Form 8-K disclosing an unauthorized intrusion into its internal corporate IT network detected on April 13. External forensic advisors were engaged, federal law enforcement was notified, and the company says customer-hosted platforms and grid-management software show no evidence of compromise.
The key detail for defenders: Itron's network segmentation appears to have held. On the company's account, the breach stayed inside the corporate IT environment and didn't pivot to the operational technology side — the part that touches actual grid infrastructure. But the strategic value of breaching Itron's corporate network shouldn't be underestimated. Internal documentation at a smart meter vendor contains architecture diagrams, vulnerability research, and utility customer relationship data that are highly valuable for future supply chain attacks. The 8-K framing — insured, contained, non-material — is exactly what a sophisticated attacker wants you to conclude.
05 — Morpheus Spyware Hijacks WhatsApp Using a Fake Biometric Prompt
Mobile Security
Italian surveillance firm IPS Intelligence has been linked to Morpheus — Android spyware that tricks targets into installing a fake "System Update" app, then uses Accessibility Service abuse to silently grant itself full device control. The most dangerous feature: a fake UI overlay that intercepts biometric authentication when the victim opens WhatsApp. While the victim thinks they're doing a routine face or fingerprint scan, Morpheus is in the background linking a malicious secondary device to the WhatsApp account — giving attackers full persistent access to all messages, files, and contacts.
Morpheus can also programmatically suppress the microphone and camera privacy indicators and the corresponding toggles in Android's Quick Settings panel, so victims see no sign they are being recorded. This is commercial spyware sold to state clients, now confirmed active on the devices of political activists and dissidents. End-to-end encryption means nothing when the attacker has become a legitimate ghost participant in the conversation via a compromised linked device.
📊 By The Numbers
13 million — Network disruption events recorded by Toronto's drive-by SMS blaster operation
77% — Share of UNC6692's confirmed targets who held senior-level positions
April 13 — Date Itron detected unauthorized access to its internal corporate network
3 — Components in the SNOW malware suite — SNOWBELT, SNOWGLAZE, SNOWBASIN
0 — Zero-day exploits used by Morpheus — it only needs Accessibility Services permission
⚡ The Signal
Each of these top stories is an attack on something you already trust.
Germany's Signal users trusted a "support message." Toronto residents trusted their phone's connection to a tower. UNC6692's victims trusted a Teams message from what looked like their own IT department. Itron's customers are trusting that "corporate IT" and "operational technology" are effectively separate. Morpheus victims trusted their biometric prompt.
None of these were defeated by advanced exploits. They were defeated by trust — in a familiar app, a familiar signal, a familiar colleague, a familiar update, a familiar fingerprint reader. The consistent attack pattern of 2026 isn't sophistication. It's legitimacy. The platform is real. The signal is real. The prompt is real. Only the intent behind it isn't.
The question for every security team going into this week: what does your organization trust that it has never verified?
🔍 What You May Have Missed
PhantomRPC — a new Windows RPC privilege escalation technique — Researchers disclosed PhantomRPC, a novel technique abusing Windows Remote Procedure Call interfaces to escalate privileges without triggering standard EDR detections. Another post-compromise "low-noise" escalation path added to the attacker toolkit.
Trigona ransomware adopts custom tool for stealthy data theft — The Trigona ransomware group has developed a custom exfiltration tool designed to blend into normal network traffic and evade DLP solutions before encryption begins. The shift toward bespoke tooling signals operational maturity.
Hackers actively exploiting critical Breeze Cache flaw in WordPress — A critical vulnerability in the Breeze Cache plugin — used by millions of WordPress sites — is being actively exploited to inject malicious code into page templates. If you run WordPress with Breeze Cache, update immediately.
📅 What to Watch
Germany-Russia espionage probe — formal federal investigation is open; watch for diplomatic consequences and whether EU partners issue coordinated attributions.
Project Lighthouse prosecutions — three suspects arrested; watch for charges and whether the rogue hardware is linked to organized crime networks beyond Toronto.
UNC6692 expansion — SNOW malware is newly documented; watch for additional GTIG advisories and Microsoft's official response to the cross-tenant Teams abuse.
Itron forensic findings — breach vector still undisclosed; watch for updated SEC filings as the forensic investigation concludes.
Stay sharp. Stay ahead.
Till next time,
The CyberSignal Team
Our Sponsor
Arnold Schwarzenegger has a newsletter.
Yeah. That Arnold Schwarzenegger.
So do Codie Sanchez, Scott Galloway, Colin & Samir, Shaan Puri, and Jay Shetty. And none of them are doing it for fun. They're doing it because a list you own compounds in ways that social media never will.
beehiiv is where they built it. You can start yours for 30% off your first 3 months with code PLATFORM30. Start building today.