A Russian threat actor known as Star Blizzard has been linked to a new phishing campaign targeting victims’ WhatsApp accounts, marking a departure from its long-standing tradecraft in a likely attempt to evade detection.
“Star Blizzard’s targets are most often associated with government or diplomacy (both current and former), defense policy or international relations researchers whose work affects Russia, and sources of aid to Ukraine linked to the war with Russia,” the Microsoft Threat Intelligence team said in a report shared with The Hacker News.
Star Blizzard (formerly SEABORGIUM) is a Russia-linked threat group known for its credential harvesting campaigns. Active since at least 2012, it is also tracked under the aliases Blue Callisto, BlueCharlie (or TAG-53), Calisto (alternately spelled Callisto), COLDRIVER, Dancing Salome, Gossamer Bear, Iron Frontier, TA446, and UNC4057.
Previously observed attack chains involved sending phishing emails to entities of interest, usually from a Proton account, with attached documents containing embedded malicious links that redirect to an Evilginx page capable of harvesting credentials and two-factor authentication (2FA) codes via an adversary-in-the-middle (AiTM) attack.
Star Blizzard has also been observed using email marketing platforms such as HubSpot and MailerLite to hide the true addresses of email senders and eliminate the need to include actor-controlled domain infrastructure in email messages.
Late last year, Microsoft and the US Department of Justice (DoJ) announced the seizure of more than 180 domains used by the threat actor to attack journalists, think tanks and non-governmental organizations (NGOs) between January 2023 and August 2024.
The tech giant assessed that the public disclosure of its activities may have forced the hacking team to change its tactics, in this case by compromising WhatsApp accounts. However, the campaign appears to have been limited and wound down at the end of November 2024.
“The targets are primarily in the government and diplomatic sectors, including both current and former officials,” Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, told The Hacker News.
“In addition, targets include defense policymakers, international relations researchers who focus on Russia, and those who provide assistance to Ukraine in connection with the war with Russia.”
It all starts with a phishing email that purports to come from a US government official, lending it an appearance of legitimacy and increasing the likelihood that the victim will engage with it.
The message contains a quick response (QR) code urging recipients to join a purported WhatsApp group on “the latest non-governmental initiatives aimed at supporting non-governmental organizations in Ukraine.” The code, however, is deliberately broken so that it fails to scan, which prompts the victim to reply.
When the recipient of the email replies, Star Blizzard sends a second message asking them to click on a (.)shortened link to join the WhatsApp group, apologizing for the inconvenience.
“When clicking on this link, the target is redirected to a web page asking them to scan a QR code to join the group,” Microsoft explained. “However, this QR code is actually used by WhatsApp to connect the account to a connected device and/or the WhatsApp Web Portal.”
If the target follows the instructions on the site (“aerofluidthermo(.)org”), the threat actor gains unauthorized access to their WhatsApp messages and can exfiltrate data through browser add-ons.
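The lure described above can be triaged mechanically. The following Python snippet is an added illustration, not tooling from Microsoft or from the article: it classifies what a decoded QR payload actually points to and flags the markers of this campaign (an undecodable QR code, a URL shortener standing in for the real destination, and a “join the group” QR that is not a `chat.whatsapp.com` invite link). `chat.whatsapp.com` is WhatsApp’s real group-invite host; the shortener list, the sample email text and the sample QR payloads are constructed, and the treatment of non-URL payloads as possible device-pairing codes is an assumption stated in the code.

```python
"""Triage helper for WhatsApp-themed QR lures (added example, not from the article)."""
import re
from urllib.parse import urlparse

WHATSAPP_INVITE_HOST = "chat.whatsapp.com"   # real host used by WhatsApp group-invite links
# Constructed list of common URL shorteners; extend from your own telemetry.
KNOWN_SHORTENERS = {"bit.ly", "t.ly", "tinyurl.com", "is.gd", "rb.gy", "goo.gl"}
URL_RE = re.compile(r'https?://[^\s<>"]+')


def classify_qr_payload(payload):
    """Return what a decoded QR string points to.

    payload is the decoded QR text, or None/"" when the image could not be
    decoded (the campaign's first QR code is deliberately broken to bait a reply).
    """
    if not payload or not payload.strip():
        return "undecodable"
    parsed = urlparse(payload.strip())
    if parsed.scheme.lower() in ("http", "https"):
        host = (parsed.hostname or "").lower()
        if host == WHATSAPP_INVITE_HOST and parsed.path.strip("/"):
            return "group-invite"          # a genuine invite link shape
        if host in KNOWN_SHORTENERS:
            return "shortened-link"        # destination hidden behind a shortener
        return "external-url"              # "join the group" but not an invite host
    # Assumption: WhatsApp device-pairing (WhatsApp Web) QR codes carry an opaque
    # string rather than an https URL, so a non-URL payload on a "join" page is
    # the pattern to flag.
    return "pairing-or-unknown"


def extract_urls(text):
    """Pull http(s) URLs out of a message body."""
    return URL_RE.findall(text)


def triage_lure(email_text, qr_payload=None):
    """Combine URL and QR checks into a list of findings and a verdict."""
    findings = []
    mentions_whatsapp = "whatsapp" in email_text.lower()
    for url in extract_urls(email_text):
        host = (urlparse(url).hostname or "").lower()
        if host in KNOWN_SHORTENERS:
            findings.append(f"shortened link hides destination: {url}")
        elif mentions_whatsapp and host != WHATSAPP_INVITE_HOST:
            findings.append(f"WhatsApp lure links to non-WhatsApp host: {host}")
    kind = classify_qr_payload(qr_payload)
    if kind == "undecodable":
        findings.append("QR code cannot be decoded (bait to elicit a reply)")
    elif kind == "pairing-or-unknown":
        findings.append("QR payload is not a group-invite URL; may link a device to the account")
    elif kind == "shortened-link":
        findings.append("QR code resolves through a URL shortener")
    elif kind == "external-url":
        findings.append(f"QR code points outside {WHATSAPP_INVITE_HOST}")
    verdict = "suspicious" if findings else "no indicators"
    return {"qr": kind, "findings": findings, "verdict": verdict}


# Constructed samples mirroring the two stages of the lure.
FOLLOW_UP_EMAIL = (
    "Apologies, the QR code in my last message was broken. "
    "Please use this link to join the WhatsApp group: https://t.ly/x1y2z3"
)
PAIRING_STYLE_QR = "2@AbCdEf,GhIjKl==,MnOpQr"   # constructed opaque payload, not a URL

BENIGN_EMAIL = "Join the coordination group here: https://chat.whatsapp.com/AbCdEf123"
BENIGN_QR = "https://chat.whatsapp.com/AbCdEf123"

if __name__ == "__main__":
    for label, text, qr in (("stage-2 lure", FOLLOW_UP_EMAIL, PAIRING_STYLE_QR),
                            ("benign invite", BENIGN_EMAIL, BENIGN_QR)):
        result = triage_lure(text, qr)
        print(f"{label}: {result['verdict']} (qr={result['qr']})")
        for f in result["findings"]:
            print("  -", f)
```

The classification is deliberately conservative: it does not try to interpret the pairing string itself, only to note that a page promising a group invite is presenting something that is not one. Mail gateways that already extract and decode QR images can feed the decoded text straight into `triage_lure`.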
Individuals in the sectors targeted by Star Blizzard are advised to exercise caution when handling e-mails that link to external sources.
Microsoft said the campaign “marks a break in Star Blizzard’s longstanding TTPs and highlights the threat actor’s persistence in continuing phishing campaigns to gain access to sensitive information even in the face of repeated degradation.”