Star Blizzard, a Russia-linked threat actor, launches a new spear-phishing campaign targeting WhatsApp accounts.
The Russia-linked threat actor Star Blizzard has been tied to a new spear-phishing campaign that targets victims' WhatsApp accounts, a departure from its usual tactics that appears intended to evade detection.
The Microsoft Threat Intelligence team stated in a report shared with The Hacker News that "Star Blizzard's targets are most commonly related to government or diplomacy (both incumbent and former position holders), defense policy or international relations researchers whose work touches on Russia, and sources of assistance to Ukraine related to the war with Russia."
Known for its credential harvesting campaigns, Star Blizzard (formerly SEABORGIUM) is a threat activity cluster associated with Russia. It has been in operation since at least 2012 and is also known by the names Blue Callisto, BlueCharlie (or TAG-53), Calisto (sometimes spelled Callisto), COLDRIVER, Dancing Salome, Gossamer Bear, Iron Frontier, TA446, and UNC4057.
The pivot to WhatsApp accounts is likely a response to the public exposure of the group's earlier tactics and infrastructure. The campaign, however, appears to have been limited in scope and ended at the end of November 2024.
According to Sherrod DeGrippo, Microsoft's director of threat intelligence strategy, "the targets primarily belong to the government and diplomacy sectors, including both current and former officials," as reported by Computer News.
"Additionally, the targets encompass individuals involved in defense policy, researchers in international relations focusing on Russia, and those assisting Ukraine in relation to the war with Russia."
The attack chain begins with a spear-phishing email that purports to come from a US government official, lending the message an air of authenticity and raising the likelihood that the recipient engages with the sender.
The email carries a quick response (QR) code that invites the recipient to join a purported WhatsApp group on "the latest non-governmental initiatives aimed at supporting Ukraine NGOs." The code is deliberately broken: its purpose is to prompt the recipient to write back and report that it does not work.
If the email recipient responds, Star Blizzard apologizes for any inconvenience and asks them to click on a t[.]ly shortened link to join the WhatsApp group.
"When this link is followed, the target is redirected to a web page asking them to scan a QR code to join the group," Microsoft clarified. "However, this QR code is used by WhatsApp to connect an account to a linked device and/or the WhatsApp Web portal."
Scanning the code on that site ("aerofluidthermo[.]org") links the victim's WhatsApp account to a device or WhatsApp Web session under the attacker's control. From there the threat actor can read the target's WhatsApp messages without authorization and exfiltrate them, including by means of browser add-ons. Note that at no point does the victim hand over a password: the account is compromised through WhatsApp's legitimate linked-device feature, so a practitioner reviewing a suspected case should check the account's list of linked devices and remove any that are not recognized.
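The chain above (an initial message with a non-working QR image, a "Re:" follow-up carrying a shortener link and "join the WhatsApp group" wording) is something a mail-triage rule can score. The script below is an added example written for this page, not code from the article or from Microsoft's report. It parses constructed sample messages with Python's standard `email` library and flags five indicators: a reply-thread subject, a link behind a URL shortener, WhatsApp-group lure phrasing, an inline image where a QR code would sit, and anchor text that displays one host while the `href` points to another. The shortener list, weights, threshold, sender addresses and the three sample messages are all assumptions constructed for the example.

```python
"""Triage an inbound e-mail for the QR/shortener WhatsApp-group lure pattern.

Added example for this page (not the article's or Microsoft's code). The
shortener list, weights, threshold and sample messages are constructed.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENER_DOMAINS = {"t.ly", "bit.ly", "tinyurl.com", "is.gd", "cutt.ly"}  # assumed list
LURE_PHRASES = ("whatsapp group", "join the group", "scan the qr")
WEIGHTS = {"reply_thread": 1, "shortener_link": 2, "whatsapp_lure_text": 2,
           "inline_image": 1, "link_text_mismatch": 2}
REVIEW_THRESHOLD = 3  # assumed; tune against your own mail flow
URL_RE = re.compile(r"https?://[^\s<>\"']+")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML part."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def triage(raw: bytes) -> dict:
    """Return score, matched indicators, extracted links and a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = set()
    if re.match(r"^\s*(re|fwd?)\s*:", msg["Subject"] or "", re.I):
        hits.add("reply_thread")
    links, text = [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            body = part.get_content()
            parser = _LinkExtractor()
            parser.feed(body)
            links.extend(parser.links)
            text.append(body)
        elif ctype == "text/plain":
            body = part.get_content()
            links.extend((u, u) for u in URL_RE.findall(body))
            text.append(body)
        elif part.get_content_maintype() == "image":
            hits.add("inline_image")  # a QR code arrives as an image part
    for href, shown in links:
        if _host(href) in SHORTENER_DOMAINS:
            hits.add("shortener_link")
        # Displayed URL and real destination disagree: classic lure technique.
        if shown.startswith(("http://", "https://")) and _host(shown) != _host(href):
            hits.add("link_text_mismatch")
    if any(p in " ".join(text).lower() for p in LURE_PHRASES):
        hits.add("whatsapp_lure_text")
    score = sum(WEIGHTS[h] for h in hits)
    return {"score": score, "indicators": sorted(hits),
            "links": [h for h, _ in links],
            "verdict": "review" if score >= REVIEW_THRESHOLD else "pass"}


def _build(subject, body, subtype="plain", inline_png=None):
    """Constructed sample message; addresses are placeholders."""
    m = EmailMessage()
    m["From"] = "official@example.gov"
    m["To"] = "researcher@example.org"
    m["Subject"] = subject
    m.set_content(body, subtype=subtype)
    if inline_png is not None:
        m.add_related(inline_png, "image", "png", cid="<qr@example.test>")
    return m.as_bytes()


FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # placeholder bytes, not a real QR

SAMPLE_INITIAL = _build(
    "Invitation: NGO coordination group",
    "<p>Scan the QR code below to join the WhatsApp group on the latest\n"
    "non-governmental initiatives supporting Ukraine NGOs.</p>\n"
    '<img src="cid:qr@example.test">',
    subtype="html", inline_png=FAKE_PNG)

SAMPLE_FOLLOWUP = _build(
    "Re: Invitation: NGO coordination group",
    "<p>Apologies for the inconvenience. Please use this link to join\n"
    'the WhatsApp group: <a href="https://t.ly/abc123">'
    "https://chat.whatsapp.com/join</a></p>",
    subtype="html")

SAMPLE_BENIGN = _build(
    "Lunch on Friday",
    "Calendar entry: https://calendar.example.org/event/42 - see you there.")

if __name__ == "__main__":
    for name, raw in (("initial", SAMPLE_INITIAL), ("followup", SAMPLE_FOLLOWUP),
                      ("benign", SAMPLE_BENIGN)):
        print(name, triage(raw))
```

The follow-up message scores highest because it combines the reply thread, the shortener and a mismatched link; the initial message is flagged on the image plus lure wording alone, which is the point: the first mail contains no link at all, so a rule keyed only on URLs misses it. Shortener expansion is deliberately left out so the script runs offline; in production, resolve shortener targets in a sandbox rather than from the mail gateway.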
Individuals working in the sectors Star Blizzard targets are advised to exercise caution when responding to emails that contain links to external websites, and to treat any request to scan a QR code for "joining a group" as a possible device-linking attempt.
The campaign, Microsoft said, "marks a break in long-standing Star Blizzard TTPs and highlights the threat actor's tenacity in continuing spear-phishing campaigns to gain access to sensitive information even in the face of repeated degradations of its operations."