Star Blizzard, a Russian-linked cyber threat group also known as SEABORGIUM, has recently shifted tactics with a spear-phishing campaign targeting WhatsApp accounts. This marks a departure from its long-established tradecraft, which previously focused on credential harvesting through phishing emails and Evilginx-powered pages. The new campaign, detected by Microsoft’s Threat Intelligence team, is believed to be an attempt to evade detection following prior exposure of the group’s activities. Star Blizzard has a long history of targeting government officials, diplomats, and defense policy experts, particularly those with ties to Russia or involvement in the Ukraine conflict.
The targets of this new campaign are primarily individuals from the government and diplomatic sectors
The targets of this new campaign are primarily individuals from the government and diplomatic sectors, as well as researchers in defense policy and international relations. The group also focuses on those providing assistance to Ukraine in the context of the ongoing war with Russia. The spear-phishing emails typically appear to come from legitimate sources, such as U.S. government officials, lending them an air of authenticity to increase the chances of the victim engaging with the message. These emails contain a QR code that invites recipients to join a WhatsApp group, which, when followed, redirects the victim to a malicious website.
Once on the site, the victim is prompted to scan a QR code that appears to link them to the WhatsApp group, but in reality, it is designed to connect the victim’s account to an attacker’s device. This enables Star Blizzard to gain unauthorized access to the victim’s WhatsApp messages and even exfiltrate data through browser add-ons. The campaign appears to have been limited in scope, with reports indicating that it wound down by the end of November 2024. However, Microsoft and the U.S. Department of Justice’s previous actions against the group, including seizing over 180 domains, likely forced the group to adapt its methods.
Star Blizzard has long been known for using various tactics to obscure the true origin of its attacks. In previous operations, the group relied on platforms like ProtonMail, HubSpot, and MailerLite to disguise its email infrastructure, avoiding the need for actor-controlled domains. Despite its ongoing success in credential harvesting, the change in approach—targeting WhatsApp rather than email—signals the group’s persistence in adapting its strategies to continue its cyber-espionage activities. Experts continue to warn individuals in government, diplomacy, and defense sectors to exercise caution when handling suspicious emails containing links to external sources or QR codes.