Russian Star Blizzard Targets WhatsApp Accounts in New Spear-Phishing Campaign

By Viral Trending Content

Jan 16, 2025Ravie LakshmananSpear Phishing / Threat Intelligence

The Russian threat actor known as Star Blizzard has been linked to a new spear-phishing campaign that targets victims’ WhatsApp accounts, signaling a departure from its longstanding tradecraft in a likely attempt to evade detection.

“Star Blizzard’s targets are most commonly related to government or diplomacy (both incumbent and former position holders), defense policy or international relations researchers whose work touches on Russia, and sources of assistance to Ukraine related to the war with Russia,” the Microsoft Threat Intelligence team said in a report shared with The Hacker News.

Star Blizzard (formerly SEABORGIUM) is a Russia-linked threat activity cluster known for its credential harvesting campaigns. Active since at least 2012, it’s also tracked under the monikers Blue Callisto, BlueCharlie (or TAG-53), Calisto (alternately spelled Callisto), COLDRIVER, Dancing Salome, Gossamer Bear, Iron Frontier, TA446, and UNC4057.

Previously observed attack chains have involved sending spear-phishing emails to targets of interest, usually from a Proton account, attaching documents embedding malicious links that redirect to an Evilginx-powered page that’s capable of harvesting credentials and two-factor authentication (2FA) codes via an adversary-in-the-middle (AiTM) attack.

Star Blizzard has also been linked to the use of email marketing platforms like HubSpot and MailerLite to conceal the true email sender addresses and obviate the need for including actor-controlled domain infrastructure in email messages.

Late last year, Microsoft and the U.S. Department of Justice (DoJ) announced the seizure of more than 180 domains that were used by the threat actor to target journalists, think tanks, and non-governmental organizations (NGOs) between January 2023 and August 2024.

The tech giant assessed that public disclosure of its activities likely prompted the hacking crew to switch up its tactics by compromising WhatsApp accounts. That said, the campaign appears to have been limited and wound down at the end of November 2024.

“The targets primarily belong to the government and diplomacy sectors, including both current and former officials,” Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, told The Hacker News.

“Additionally, the targets encompass individuals involved in defense policy, researchers in international relations focusing on Russia, and those providing assistance to Ukraine in relation to the war with Russia.”

It all starts with a spear-phishing email that purports to be from a U.S. government official to lend it a veneer of legitimacy and increase the likelihood that the victim will engage with it.

The message contains a quick response (QR) code that urges the recipients to join a supposed WhatsApp group on “the latest non-governmental initiatives aimed at supporting Ukraine NGOs.” The code, however, is deliberately broken so as to trigger a response from the victim.

Should the email recipient reply, Star Blizzard sends a second message, asking them to click on a t[.]ly shortened link to join the WhatsApp group, while apologizing for the inconvenience caused.

“When this link is followed, the target is redirected to a web page asking them to scan a QR code to join the group,” Microsoft explained. “However, this QR code is actually used by WhatsApp to connect an account to a linked device and/or the WhatsApp Web portal.”

In the event the target follows the instructions on the site (“aerofluidthermo[.]org”), the approach allows the threat actor to gain unauthorized access to their WhatsApp messages and even exfiltrate the data via browser add-ons.

Individuals belonging to sectors targeted by Star Blizzard are advised to exercise caution when handling emails containing links to external sources.
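
A mail-triage check for the two-message lure described above, added here as an example and not taken from Microsoft's report or the original article: it refangs indicators, extracts link hosts and tags each message. The tag names, the `In-Reply-To` heuristic, the keyword check and the sample messages are assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlsplit

# Hosts the article names (defanged there); using only t.ly as shortener is an assumption.
SHORTENERS = {"t.ly"}
REPORTED_HOSTS = {"aerofluidthermo.org"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def refang(text):
    """Undo common defanging so indicators match: hxxp -> http, [.] -> ."""
    return re.sub(r"hxxp", "http", text, flags=re.I).replace("[.]", ".")

def url_hosts(text):
    hosts = set()
    for url in URL_RE.findall(refang(text)):
        try:
            host = urlsplit(url).hostname
        except ValueError:      # malformed authority, skip it
            continue
        if host:
            hosts.add(host.lower().rstrip("."))
    return hosts

def in_set(host, domains):
    # True for the domain itself or any subdomain of it.
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(raw_message):
    msg = message_from_string(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""
    hosts = url_hosts(body)
    tags = set()
    if any(in_set(h, SHORTENERS) for h in hosts):
        tags.add("shortened-link")
        if msg["In-Reply-To"]:  # assumption: the second-stage mail arrives as a reply
            tags.add("shortened-link-in-reply")
    if any(in_set(h, REPORTED_HOSTS) for h in hosts):
        tags.add("reported-host")
    if "whatsapp" in body.lower() and "qr" in body.lower():  # crude keyword check
        tags.add("whatsapp-qr-lure")
    return sorted(tags)

# Constructed sample messages (not taken from the campaign).
FIRST = "From: a@example.com\nSubject: Invitation\n\nScan the QR code to join our WhatsApp group.\n"
REPLY = ("From: a@example.com\nIn-Reply-To: <1@example.net>\nSubject: Re: Invitation\n\n"
         "Sorry, please use hxxps://t[.]ly/EXAMPLE to join the WhatsApp group.\n")
```

The tags are triage hints for an analyst queue, not verdicts: shortened links and WhatsApp invitations also occur in legitimate mail.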

The campaign “marks a break in long-standing Star Blizzard TTPs and highlights the threat actor’s tenacity in continuing spear-phishing campaigns to gain access to sensitive information even in the face of repeated degradations of its operations.”
