It doesn't need "super-spyware"...
Sure, Signal may be pretty secure in its transport, and it is usually easier to compromise one of the endpoints than to attack Signal itself. That is why security-conscious people would at least use a locked-down, dedicated device for such adventures.
However, seeing this whole dumpster fire of security blunders, do you really believe that the "personal device" Hegseth is using on that unsecured line is really protected? To me he seems like the guy who would double-click any attachment named "cute_kitten_videos" and disables the AV because it interferes with his ability to install cracked games.
He probably airdropped a .txt file containing the sensitive info onto his laptop so that he could copy and paste whatever he wanted to brag about to his wife and his hairdresser. And since Hegseth didn't make the one mistake yet that could endanger his job – making Trump look bad in such a way that even Trump notices – this will likely not be the last of these blunders. Only now just about every bad guy on the planet is trying to find out the IP address of his private insecure line or his iCloud username.