MITRE ATT&CK® Malware

S0602: Circles

Circles reportedly takes advantage of Signaling System 7 (SS7) weaknesses, the protocol suite used to route phone calls, to both track the location of mobile devices and intercept voice calls and SMS messages. It can be connected to a telecommunications company’s infrastructure or purchased as a cloud service. Circles has reportedly been linked to the NSO Group.[1]

Mobile · S0602 · Malware · Object v1.0 · Modified

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Circles matters because it represents a mobile surveillance capability operating through telecommunications signaling weaknesses rather than a normal endpoint compromise path. For executives and security leaders, the key risk is that location, voice, and SMS confidentiality may depend on carrier signaling controls and telecom provider assurance, not only on enterprise mobile device management or endpoint monitoring.

Executive priority

Treat this as a third-party and telecom dependency risk. Organizations with high-risk personnel, sensitive negotiations, regulated communications, or executive travel should ask whether mobile communications and SMS-based workflows are resilient if carrier signaling is abused. Priority decisions include reducing reliance on SMS for sensitive authentication or communications, validating telecom/provider assurance where possible, and ensuring incident response plans include mobile number, carrier, and communications-compromise scenarios.

Technical view

MITRE provides no detection text and no platform list for the Circles software object. The relationship context links Circles to Impersonate SS7 Nodes, a mobile technique involving impersonation of signaling network nodes to query subscriber information and track devices. SOC and IR teams should therefore avoid assuming endpoint telemetry will be sufficient. Validation should focus on whether the organization can obtain relevant carrier or telecom signaling evidence, correlate suspicious SMS/voice/location anomalies with high-risk users, and escalate cases where mobile communications may have been intercepted or location-tracked outside enterprise-controlled infrastructure.

Likely telemetry

  • Carrier or telecommunications provider signaling records where available
  • Mobile account, SIM, number, and carrier support case history
  • SMS delivery, voice call, and roaming/location anomaly records where available
  • Identity logs for systems still relying on SMS-based authentication
  • Executive protection, travel, and high-risk user incident notes correlated with mobile communications anomalies

Detection direction

  • Confirm whether any detection responsibility is internal, carrier-managed, or unavailable; ATT&CK provides no official detection guidance for this object.
  • Do not rely solely on MDM, EDR, or device logs, because the described behavior is tied to SS7 signaling weaknesses and telecom infrastructure or cloud-service access.
  • Tune investigations around high-value users and sensitive workflows where unusual SMS behavior, call interception concerns, or location exposure would materially change incident decisions.
  • Use the related Impersonate SS7 Nodes context to ask carriers what signaling-abuse monitoring, alerting, and evidence retention they can provide.
  • Account for false positives and ambiguity: roaming, carrier outages, number changes, SIM support events, and messaging delays can mimic parts of the user-facing symptoms.

Mitigation priorities

  • Reduce business dependence on SMS for high-assurance authentication and sensitive communications where feasible.
  • For high-risk personnel, define secure communications procedures that do not assume voice calls or SMS are confidential.
  • Engage mobile carriers or telecom providers on SS7/signaling security assurance, abuse reporting paths, and evidence retention expectations.
  • Include mobile communications interception and location-tracking scenarios in incident response playbooks, especially for executives and sensitive operations.
  • Document compensating controls and provider dependencies for compliance, risk acceptance, and executive protection programs.

Analyst notes and limits

The supplied ATT&CK object describes Circles as reportedly using SS7 weaknesses to track mobile devices and intercept voice calls and SMS, with possible deployment through telecom infrastructure or as a cloud service. It is reportedly linked to NSO Group in the cited Citizen Lab reporting. The only provided relationship is to T1430.002 Impersonate SS7 Nodes, which gives the strongest technical context for defensive planning.

ATT&CK provides no official detection text, no tactics, and no platform list for the Circles malware object. The related technique lists Android and iOS, but the malware object itself does not specify platforms. Local carrier visibility, provider cooperation, user risk profile, and communications architecture are required to determine practical coverage.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Mobile | T1430.002 | Impersonate SS7 Nodes | Sub-technique. Circles can track the location of mobile devices. (Citation: CitizenLab Circles)

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 0cbc479f3a650099...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 0cbc479f3a65…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] CitizenLab Circles: Bill Marczak, John Scott-Railton, Siddharth Prakash Rao, Siena Anstis, and Ron Deibert. (2020, December 1). Running in Circles: Uncovering the Clients of Cyberespionage Firm Circles. Retrieved December 23, 2020.
  2. [2] mitre-attack S0602

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.