A major investigation has revealed that sophisticated threat actors are exploiting fundamental vulnerabilities in global mobile networks to track users worldwide.<\/p>\n
By abusing legacy 3G SS7 and 4G Diameter signaling protocols, hackers are successfully bypassing telecom firewalls to conduct silent, cross-border espionage.<\/p>\n
The extensive Citizen Lab research uncovered two distinct surveillance threat actors, identified as STA1 and STA2, operating long-running espionage campaigns.<\/p>\n
These groups exploit the inherently trusted nature of telecom interconnect networks<\/a> to launch their attacks.<\/p>\n By functioning as \u201cGhost Operators,\u201d they manipulate routing data to mask their origins while pinpointing the exact locations of high-value targets.<\/p>\n These global attacks are made possible by structural weaknesses in international mobile communications.<\/p>\n While the older SS7 protocol completely lacks basic authentication, the newer 4G Diameter protocol suffers from weak security implementation across the industry.<\/p>\n Attackers heavily abuse \u201ccombined attach\u201d procedures, allowing roaming devices to register with 3G and 4G networks simultaneously, enabling seamless protocol pivoting.<\/p>\n The Citizen Lab investigation highlighted two unique approaches to covert mobile surveillance. STA1 focuses entirely on aggressive network routing manipulation by spoofing legitimate operator hostnames and abusing third-party access points.<\/p>\n Meanwhile, STA2 takes a more invasive approach by combining network protocol queries with a silent exploit targeting the device itself.<\/p>\n STA1 primarily conducts its tracking attacks using signaling routing manipulation as its main vector. To execute these operations, this threat actor rapidly switches between legacy SS7 and newer Diameter protocols to find vulnerabilities in telecom firewalls.<\/a><\/p>\n Furthermore, STA1 evades detection by spoofing network data<\/a>, allowing its malicious requests to blend in as legitimate operator traffic.<\/p>\n STA2 SIM Exploiter<\/strong><\/p>\n In contrast, STA2 relies heavily on a zero-click binary SMS payload as its primary attack vector. This actor\u2019s strategy combines SS7 network probing and malicious SIM Toolkit commands<\/a> to extract location data directly from the target\u2019s device.<\/p>\n To ensure the victim remains unaware, STA2\u2019s evasion tactic exploits silent, low-priority push messages that do not trigger phone alerts.<\/p>\n The ongoing surveillance crisis highlighted by Citizen Lab reveals a major blind spot<\/a> in the global telecommunications industry.<\/p>\n Mobile operators currently rely on third-party interconnect routing hubs with dangerously weak traffic screening.<\/p>\n Until the industry abandons legacy peer-to-peer trust models<\/a> and enforces strict cryptographic authentication, mobile users worldwide will remain vulnerable to unseen tracking.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Hackers Abuse SS7 and Diameter Protocols to Track Mobile Users Worldwide<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nHackers Abuse SS7 and Diameter Protocols<\/strong><\/h2>\n
![\"Attack](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjnTefvLcNK4xlZIlc5sj8OYEwXBVbLEqUmQhdj4BY5mnZZv6P52C4NneaSKmBLxP0EuPwSXyKkEESgqm9Xem92rjLiCylBR-6-cDQrut90rDLvZivnvEKkkO8S-Kdt6XaEX8pOf3E3qr5drtn88O0nrZSGU4YixqlSYhk8rABlLlbmRpsfKUmv2SrdVBc\/s1600\/Screenshot%25202026-04-24%2520110138%2520%25281%2529.webp?ssl=1\")
STA1 Network Spoofer<\/strong><\/h2>\n
![\"Network](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhES2gv7arjI1aLehaXNh5b9_bNh3AVVzBgQcyY2giJjhZhHqHWSkDu1OXMka7Ve63c3oGwaV4kStQEB5WTbEBtHCZSgdXAXy2Y7UNSaUtSWCDAz83fh56F0k6to_X02qhrJM_O8p9kPkh5TavDJfKffYCZp6W2fKHySIene7NnqzK7-ODYS75tcHQDLB8\/s1600\/Screenshot%25202026-04-24%2520110331%2520%25281%2529.webp?ssl=1\")