Introduction

In mid-November 2024 [1] [2] [4] [5] [7] [9] [10] [11], the Russian nation-state group known as Star Blizzard [2] [6], also referred to as Coldriver, Callisto [1] [9], Seaborgium [1], and TA446 [1], initiated a novel phishing campaign targeting WhatsApp accounts. This marked a significant shift in their tactics [6], traditionally focused on spear-phishing campaigns against government officials [5], diplomats [3] [4] [5], and civil society sectors [5]. The campaign followed a law enforcement takedown of numerous domains used by the group [10].

Description

Russian nation-state group Star Blizzard [5] [8] [10], also known as Coldriver [10], Callisto [1] [9], Seaborgium [1], and TA446 [1], has significantly shifted its tactics to exploit WhatsApp accounts through a novel phishing campaign that began in mid-November 2024 [5]. Historically focused on spear-phishing campaigns targeting government officials [5], diplomats [3] [4] [5], and civil society sectors [5], Star Blizzard now uses WhatsApp itself as the attack vector. This change follows a law enforcement takedown of nearly 70 domains used by the group [10], including over 100 websites [10], in October 2024 [10].

The campaign began with emails impersonating a senior US government official discussing initiatives to support NGOs assisting Ukraine. These emails contained a broken QR code that misled recipients into replying [5] [10]. Upon receiving a response [3] [5], the group sent a follow-up email featuring a shortened link disguised to look like a secure “Safe Links” URL. Clicking this link directed victims to a phishing webpage that prompted them to scan another QR code [5], exploiting WhatsApp’s device-linking feature [5]. This process allowed the attackers to gain unauthorized access to victims’ messages and exfiltrate sensitive data [5], posing a significant risk to US national security [3].

The phishing webpage appeared legitimate [5], instructing victims on how to link their devices, but ultimately facilitated the attackers’ access to private communications [5]. Although the campaign reportedly concluded by the end of November 2024 [5], it reflects an evolution in Star Blizzard’s tactics and their ongoing focus on high-value targets [5], including current and former government officials [5], defense policy experts [2] [5], and organizations assisting Ukraine amid the conflict [2] [5] [8]. The group has also previously targeted journalists [5], think tanks [1] [5], and NGOs [5].
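The lure described above relies on a link whose visible text looks like a Microsoft “Safe Links” rewrite while the actual target is a shortened URL. The following added example (not code from the article or from any of the cited sources) shows one defensive check a mail-filtering pipeline could apply: it parses the anchors in an HTML message body and flags any anchor whose display text names the real safelinks.protection.outlook.com host but whose href resolves to a different host, additionally noting whether that host is a known URL shortener. The shortener list and the two sample message bodies are constructed for the demonstration and are not indicators from the campaign.

```python
"""Flag anchors whose visible text mimics a Microsoft Safe Links URL while the
href points somewhere else (for example a URL shortener).

Added example, not code from the original article or from any cited source.
The shortener list and sample messages are constructed for this demo; the
Safe Links host suffix is the real safelinks.protection.outlook.com domain.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

SAFE_LINKS_HOST = "safelinks.protection.outlook.com"

# Constructed list of common shortener hosts for the demo (assumption, not
# taken from the article).
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "is.gd", "cutt.ly"}


class AnchorCollector(HTMLParser):
    """Collect (href, visible_text) pairs for every <a> element in a body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None   # href of the <a> currently being read, if any
        self._text = []     # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Return the lowercase host of a URL, or '' if it cannot be parsed."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def suspicious_links(html_body):
    """Return a list of findings for anchors whose display text names the
    Safe Links host but whose href does not resolve to that host."""
    parser = AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.anchors:
        if SAFE_LINKS_HOST not in text.lower():
            continue  # display text makes no Safe Links claim
        href_host = host_of(href)
        if href_host.endswith(SAFE_LINKS_HOST):
            continue  # text and target agree; nothing to flag
        findings.append({
            "href": href,
            "display_text": text,
            "is_shortener": href_host in SHORTENER_HOSTS,
        })
    return findings


# Constructed sample messages (not from the article).
SAMPLE_LURE = (
    '<p>Join the device-linking session here: '
    '<a href="https://bit.ly/3xyzEXAMPLE">'
    'https://nam02.safelinks.protection.outlook.com/'
    '?url=https%3A%2F%2Fexample.org%2Fbriefing</a></p>'
)
SAMPLE_BENIGN = (
    '<p>Agenda: <a href="https://nam02.safelinks.protection.outlook.com/'
    '?url=https%3A%2F%2Fexample.org%2Fagenda">'
    'https://nam02.safelinks.protection.outlook.com/'
    '?url=https%3A%2F%2Fexample.org%2Fagenda</a></p>'
)

if __name__ == "__main__":
    for name, body in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, suspicious_links(body))
```

The check is deliberately narrow: it only fires when the visible text itself claims to be a Safe Links URL, which keeps false positives low, and it reports the shortener flag separately so a triage rule can treat “mismatch plus shortener” as a higher-severity signal than a plain mismatch.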

Microsoft Threat Intelligence has noted that Star Blizzard has been active since at least 2015, primarily targeting high-profile individuals and organizations [9], particularly those supporting Ukraine [9], including military personnel and think tanks in NATO countries, as well as the Baltics [1], Nordics [1], and Eastern Europe [1]. The tech giant has advised individuals in specific roles, including government officials and defense policy researchers [2], to remain vigilant against such phishing attempts [10], particularly those linking to external networks. This development underscores the group’s resilience and ability to continue operations despite previous setbacks [10], highlighting its ongoing efforts to access sensitive data through evolving spear-phishing tactics [1]. Continuous monitoring and awareness are essential as cyberwarfare tactics evolve [5], emphasizing the need for organizations to adopt proactive defense strategies and collaborate to mitigate these persistent threats effectively.

Conclusion

The recent campaign by Star Blizzard underscores the evolving nature of cyber threats and the persistent risk they pose to national security. The group’s ability to adapt its tactics, even after significant setbacks, highlights the importance of continuous vigilance and proactive defense strategies. Organizations [5] [8] [9] [11], particularly those in high-risk sectors, must remain alert to such threats and collaborate to enhance their cybersecurity measures. As cyberwarfare tactics continue to evolve, ongoing monitoring and awareness are crucial to effectively mitigate these persistent threats.

References

[1] https://securityaffairs.com/173165/apt/russia-star-blizzard-targets-whatsapp-accounts.html
[2] https://cyberscoop.com/star-blizzard-fsb-whatsapp-microsoft-threat-intel/
[3] https://www.neowin.net/news/how-star-blizzard-tried-to-hack-the-whatsapp-accounts-of-government-and-diplomatic-staff/
[4] https://www.techradar.com/pro/security/russian-criminal-gang-star-blizzard-found-hitting-whatsapp-accounts
[5] https://gbhackers.com/exploit-whatsapp-accounts-using-qr-codes/
[6] https://www.forbes.com/sites/daveywinder/2025/01/18/whatsapp-users-warned-as-broken-link-account-hackers-strike/
[7] https://www.computerweekly.com/news/366618232/Russias-Star-Blizzard-pivots-to-WhatsApp-in-spear-phishing-campaign
[8] https://www.yahoo.com/news/russian-hackers-target-whatsapp-tactic-052516225.html
[9] https://thecyberexpress.com/russian-star-blizzard-after-whatsapp-data/
[10] https://www.infosecurity-magazine.com/news/star-blizzard-whatsapp-new-campaign/
[11] https://www.helpnetsecurity.com/2025/01/17/star-blizzard-whatsapp-phishing-ngos/