January 20, 2025

Star Blizzard, a Russian threat actor, has changed its usual methods to avoid detection by launching a new spear-phishing campaign that targets WhatsApp accounts.
“Star Blizzard’s targets are most commonly related to government or diplomacy (both incumbent and former position holders), defense policy or international relations researchers whose work touches on Russia, and sources of assistance to Ukraine related to the war with Russia,” the Microsoft Threat Intelligence team said in a report shared with The Nohack.
A threat activity cluster associated with Russia, Star Blizzard (previously SEABORGIUM) is well-known for its credential harvesting efforts. It has also been tracked under the following names: Blue Callisto, BlueCharlie (or TAG-53), Calisto (often written Callisto), COLDRIVER, Dancing Salome, Gossamer Bear, Iron Frontier, TA446, and UNC4057. It has been active since at least 2012.
Previously documented attack chains involved sending spear-phishing emails to targets of interest, typically from a Proton account, with attached documents containing malicious links that redirect to an Evilginx-powered page capable of harvesting credentials and two-factor authentication (2FA) codes through an adversary-in-the-middle (AiTM) attack.
To hide the real email sender addresses and avoid requiring actor-controlled domain infrastructure in email communications, Star Blizzard has also been connected to the use of email marketing tools such as HubSpot and MailerLite.
Microsoft and the U.S. Department of Justice (DoJ) stated late last year that they had taken over 180 domains that the threat actor had used to target non-governmental organizations (NGOs), think tanks, and journalists between January 2023 and August 2024.
According to the internet giant, the threat actor may have shifted its strategy to compromising WhatsApp accounts after the public disclosure of its operations. Nevertheless, the campaign appears to have been brief, ending in late November 2024.
Sherrod DeGrippo, Microsoft’s director of threat intelligence strategy, told The Nohack that the majority of the targets are from the government and diplomatic sectors, including both current and past personnel.
“Additionally, the targets encompass individuals involved in defense policy, researchers in international relations focusing on Russia, and those assisting Ukraine concerning the war with Russia.”
The attack chain begins with a spear-phishing email that appears to have been sent by a representative of the US government, lending it a sense of legitimacy and making the victim more likely to interact with it.
The quick response (QR) code in the message encourages readers to join a purported WhatsApp group on “the latest non-governmental initiatives aimed at supporting Ukraine NGOs.” However, the code is purposefully broken to elicit a reaction from the victim.
If the email recipient responds, Star Blizzard apologizes for any inconvenience and asks them to click on a shortened link to join the WhatsApp group.
“When this link is clicked on, the target is redirected to a website asking them to scan a QR code to join the group,” Microsoft clarified. “However, this QR code is used by WhatsApp to connect an account to a connected device and/or the WhatsApp Web portal.”
The strategy enables the threat actor to obtain unauthorized access to the victim’s WhatsApp chats and even exfiltrate the data via browser add-ons if the target complies with the instructions on the website.
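The observable traits of the chain described above (a free webmail sender, a shortened join link, a WhatsApp-group or QR-code lure, and an embedded image that would carry the QR code) can be turned into a simple mail-triage heuristic. The following is an added example written for this page, not Microsoft's detection logic or anything from its report; the domain lists and the two sample messages are constructed assumptions for illustration only.

```python
import re
from email import message_from_string
from email.message import Message

# Indicator lists are illustrative assumptions for this example, not a
# published IoC set; tune them to the mail environment being protected.
SHORTENER_DOMAINS = {"bit.ly", "t.co", "tinyurl.com", "rb.gy"}
MARKETING_TOOL_DOMAINS = {"hubspot.com", "hubspotlinks.com", "mailerlite.com", "mlsend.com"}
FREE_WEBMAIL_DOMAINS = {"proton.me", "protonmail.com"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)[^\s\"'<>]*")
# Lure phrasing seen in the campaign: an invitation to a WhatsApp group or to scan a QR code.
LURE_RE = re.compile(r"whatsapp\s+group|scan\s+(?:the|this)\s+qr\s+code", re.IGNORECASE)


def _text_and_images(msg: Message) -> tuple[str, int]:
    """Collect all text bodies and count image parts (where an embedded QR code would live)."""
    text, images = [], 0
    for part in msg.walk():
        kind = part.get_content_maintype()
        if kind == "multipart":
            continue
        if kind == "image":
            images += 1
        elif kind == "text":
            payload = part.get_payload(decode=True) or b""
            text.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(text), images


def score_message(raw: str) -> dict:
    """Score a raw RFC 822 message against the campaign's observable traits."""
    msg = message_from_string(raw)
    body, image_parts = _text_and_images(msg)
    indicators = []

    # Sender domain: the earlier campaigns used Proton accounts.
    sender = msg.get("From", "")
    m = re.search(r"@([A-Za-z0-9.-]+)", sender)
    sender_domain = m.group(1).lower() if m else ""
    if sender_domain in FREE_WEBMAIL_DOMAINS:
        indicators.append("sender_free_webmail")

    # Links: shortened join links and marketing-tool tracking domains.
    link_domains = {d.lower() for d in URL_RE.findall(body)}
    if link_domains & SHORTENER_DOMAINS:
        indicators.append("shortened_link")
    if any(d.endswith(tuple(MARKETING_TOOL_DOMAINS)) for d in link_domains):
        indicators.append("marketing_tool_link")

    # Lure text and an embedded image (the QR code itself) round out the picture.
    if LURE_RE.search(body):
        indicators.append("whatsapp_qr_lure")
    if image_parts:
        indicators.append("embedded_image")

    score = len(indicators)
    verdict = "review" if score >= 3 else ("watch" if score else "clean")
    return {"sender_domain": sender_domain, "indicators": indicators, "score": score, "verdict": verdict}


# Constructed sample: mimics the follow-up message described in the article.
SAMPLE_EMAIL = """\
From: Policy Desk <policy.desk@proton.me>
To: analyst@example.org
Subject: Invitation: WhatsApp group on Ukraine support initiatives
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Apologies, the earlier QR code did not work. Please use this link to join the
WhatsApp group: https://bit.ly/join-ukr-ngo
--b1
Content-Type: image/png; name="qr.png"
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""

# Constructed benign sample for contrast.
BENIGN_EMAIL = """\
From: Jane Doe <jane.doe@example.org>
To: analyst@example.org
Subject: Agenda for Thursday
Content-Type: text/plain; charset="utf-8"

Draft agenda is on the shared drive: https://docs.example.org/agenda
"""

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, score_message(raw))
```

The sample message trips four of the five indicators and lands in the "review" bucket, while the benign message scores zero. None of these signals is conclusive alone (plenty of legitimate mail uses link shorteners or marketing tools), which is why the function returns the indicator list rather than a binary answer, so an analyst or a downstream rule can weigh them against the recipient's role.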
People who work in the sectors Star Blizzard targets are advised to exercise caution when responding to emails that contain links to external websites. The operation “marks a break in long-standing Star Blizzard TTPs and highlights the threat actor’s tenacity in continuing spear-phishing campaigns to gain access to sensitive information even in the face of repeated degradations of its operations.”