Citizen Lab reported two covert surveillance campaigns that exploited weaknesses in global mobile signalling infrastructure to track targets’ locations across borders. The operations, labeled STA1 and STA2, abused legacy SS7 and newer Diameter protocols, with one campaign also using SIMjacker-style zero-click binary SMS and malicious SIM Toolkit commands to try to turn a handset into a covert beacon. Researchers said the activity marks the first time real-world attack traffic has been directly linked to mobile operator signalling systems, showing attackers impersonating operators, rotating identities across countries, manipulating routing paths, and evading signalling firewalls while exploiting weak authentication and trusted telecom interconnect relationships.
The campaigns were observed using operator identifiers and infrastructure tied to networks in Europe, Africa, the Middle East, and Asia, including telecoms cited as transit or entry points such as 019Mobile, Tango Networks U.K., and Airtel Jersey. Citizen Lab said the activity is consistent with commercial surveillance platforms serving government intelligence customers, and one campaign may have links to an Israeli geo-intelligence provider, though no vendor or operator was conclusively attributed. The researchers warned that abuse of leased or intermediary signalling access, combined with long-standing flaws in roaming trust models, has enabled large volumes of hard-to-detect location tracking that may persist for years across 3G, 4G, and 5G-connected environments.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
5 events from the most recent confirmed update back to the earliest known activity.
Following publication of the research, Citizen Lab and media reports said routing evidence and other clues suggested one campaign may be tied to an Israeli-based commercial geo-intelligence or surveillance company. The researchers did not name a vendor and said the evidence was not sufficient for definitive attribution.
Citizen Lab publicly disclosed its investigation into two surveillance actors, STA1 and STA2, saying it had linked real-world attack traffic to mobile operator signalling infrastructure for the first time. The report said the campaigns were consistent with commercial surveillance platforms supporting state intelligence customers, but stopped short of naming a specific vendor or government.
In February 2025, Citizen Lab observed STA2 combine SS7 probing, a zero-click binary SMS, malicious SIM Toolkit commands, and Diameter queries in an attempt to turn a target phone into a covert location beacon. The campaign showed abuse of both legacy and newer mobile network signalling protocols.
In November 2024, Citizen Lab observed threat actor STA1 carry out a multi-stage location-tracking operation targeting a high-profile subscriber in the Middle East. The actor switched between SS7 and Diameter, rotated operator identities across countries, and manipulated routing paths to evade signalling firewalls.
Citizen Lab reported telemetry indicating covert abuse of mobile signalling infrastructure had persisted for multiple years, with related operator identifiers and infrastructure appearing from 2022 onward across numerous countries. The activity suggested long-running exploitation of SS7 and Diameter trust relationships in the telecom ecosystem.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
7 references tracked. Mallory keeps watching after this page renders.
scworld.com
Open sourcecybersecuritynews.com
Open sourceinfosec.pub
Open sourcecitizenlab.ca
Open sourcecyberscoop.com
Open sourcetechcrunch.com
Open sourcetherecord.media
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.