Russian Star Blizzard Targets WhatsApp Accounts in New Spear-Phishing Campaign

Summary:
The Russian threat group Star Blizzard, formerly known as SEABORGIUM, has been linked to a new spear-phishing campaign targeting victims' WhatsApp accounts, a shift from its usual tactics that was likely made to avoid detection. Active since at least 2012, Star Blizzard has also operated under various aliases, including Blue Callisto, BlueCharlie (TAG-53), and TA446. Historically, its campaigns have focused on credential harvesting, often involving spear-phishing emails sent from Proton accounts. These emails typically contain malicious links that lead to Evilginx-powered pages, designed to steal credentials and two-factor authentication (2FA) codes through an adversary-in-the-middle (AiTM) attack. The group has also used email marketing platforms such as HubSpot and MailerLite to mask the true origin of its emails, removing the need for actor-controlled domains.

Security Officer Comments:
Microsoft suggests that public disclosure of its activities may have prompted a shift in tactics employed by Star Blizzard, which began compromising WhatsApp accounts in late 2024. However, this campaign appears to have been limited, dying down by the end of November. Targets of the latest campaign have been primarily individuals in government and diplomatic sectors, including current and former officials, defense policy experts, researchers focused on Russia, and those aiding Ukraine in the ongoing conflict with Russia.

The attack chain observed by Microsoft begins with a spear-phishing email impersonating a U.S. government official to increase credibility and entice victims. Included in the email is a QR code urging recipients to join a WhatsApp group to discuss "the latest non-governmental initiatives aimed at supporting Ukraine NGOs." The QR code in this case is intentionally broken, prompting victims to reply and engage with the attacker.

When the recipient responds, Star Blizzard sends a follow-up email containing a Safe Links-wrapped t[.]ly shortened link to join the WhatsApp group. Clicking the link redirects the target to a page prompting them to scan a QR code to join the group. However, the QR code is designed to connect the target’s WhatsApp account to the attacker’s device or the WhatsApp Web portal. If the victim follows the instructions, the attacker gains access to the victim’s WhatsApp messages and can exfiltrate this data using browser plugins designed to export WhatsApp messages from accounts accessed via the WhatsApp Web portal.
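The two-stage lure above has traits a mail-security team can look for without decoding the QR image itself: lure text inviting the recipient to a WhatsApp group via QR code with an image attached (stage one), and a Safe Links-wrapped link that resolves to a URL shortener (stage two). The script below is an added example, not code from the original report or from Microsoft. It assumes that a Safe Links-wrapped URL carries its original destination in the `url` query parameter of a `*.safelinks.protection.outlook.com` link (an assumption about the wrapper format), and the sample messages it triages are constructed here, not real campaign artifacts.

```python
"""Heuristic triage for the two-stage WhatsApp device-linking lure described above.

Added example, not from the original report. Assumes (assumption) that a
Safe Links-wrapped URL keeps its destination in the ``url`` query parameter
of a ``*.safelinks.protection.outlook.com`` link. All messages are constructed.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import parse_qs, unquote, urlparse

# Shorteners that hide the true destination. t.ly is the one named in the
# report; the others are well-known shorteners added here for illustration.
SHORTENER_DOMAINS = {"t.ly", "bit.ly", "tinyurl.com"}
# Phrases typical of the lure text: an invitation to a WhatsApp group via QR code.
LURE_PHRASES = ("whatsapp group", "qr code", "scan the code", "join the group")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def unwrap_safelinks(url: str) -> str:
    """Return the destination behind a Safe Links wrapper, or the URL unchanged."""
    parsed = urlparse(url)
    if parsed.netloc.lower().endswith("safelinks.protection.outlook.com"):
        inner = parse_qs(parsed.query).get("url")
        if inner:
            return unquote(inner[0])
    return url


def _plain_text(msg) -> str:
    """Concatenate all text/plain bodies of a parsed message."""
    return " ".join(
        part.get_content() for part in msg.walk()
        if part.get_content_type() == "text/plain"
    )


def triage(raw: bytes) -> dict:
    """Score one raw RFC 5322 message against the lure's observable traits."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text = _plain_text(msg)
    findings = []

    # Stage two trait: a wrapped link whose real destination is a shortener.
    for url in URL_RE.findall(text):
        dest = unwrap_safelinks(url)
        if dest != url:
            findings.append(f"safelinks-wrapped link resolves to {dest}")
        if urlparse(dest).netloc.lower() in SHORTENER_DOMAINS:
            findings.append(f"shortened link: {dest}")

    # Stage one trait: QR/WhatsApp lure wording together with an attached image.
    lowered = text.lower()
    lure_hits = [p for p in LURE_PHRASES if p in lowered]
    has_image = any(p.get_content_maintype() == "image" for p in msg.walk())
    if lure_hits and has_image:
        findings.append(f"QR-style lure: image attached with phrases {lure_hits}")

    return {"findings": findings, "suspicious": bool(findings)}


def build_sample(body: str, attach_qr: bool) -> bytes:
    """Construct a sample message (constructed test data, not a real campaign email)."""
    m = EmailMessage()
    m["From"] = "official@example.gov"     # constructed sender
    m["To"] = "researcher@example.org"     # constructed recipient
    m["Subject"] = "Follow-up"
    m.set_content(body)
    if attach_qr:
        # Placeholder bytes standing in for the QR image a real lure would carry.
        m.add_attachment(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
                         maintype="image", subtype="png", filename="qr.png")
    return m.as_bytes()


STAGE_ONE = build_sample(
    "Please scan the QR code below to join the WhatsApp group discussing "
    "the latest non-governmental initiatives supporting Ukraine NGOs.",
    attach_qr=True,
)
STAGE_TWO = build_sample(
    "The code did not work for some recipients. Use this link to join the group:\n"
    "https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Ft.ly%2Fexample1&data=05&reserved=0\n",
    attach_qr=False,
)
BENIGN = build_sample(
    "Attached are the meeting minutes from Tuesday.\nhttps://example.org/minutes\n",
    attach_qr=False,
)

if __name__ == "__main__":
    for name, raw in (("stage one", STAGE_ONE), ("stage two", STAGE_TWO), ("benign", BENIGN)):
        print(name, triage(raw))
```

The unwrap step matters because the visible link in the second email is the organisation's own Safe Links domain, so a rule that only inspects the literal hostname sees nothing unusual; resolving the wrapper first exposes the shortener, which can then be held for review or expanded in a sandbox.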

Suggested Corrections:
Recommendations from Microsoft:
  • Implement Microsoft Defender for Endpoint on Android and iOS, which includes anti-phishing capabilities that also apply to QR code phishing attacks, blocking phishing sites from being accessed.
  • Enable network protection in Microsoft Defender for Endpoint.
  • Ensure that tamper protection is enabled in Microsoft Defender for Endpoint.
  • Run endpoint detection and response in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode.
  • Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to resolve breaches, significantly reducing alert volume.
  • Turn on PUA protection in block mode in Microsoft Defender Antivirus.
  • Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques.
  • Turn on Microsoft Defender Antivirus real-time protection.
  • Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
  • Turn on Safe Links and Safe Attachments for Office 365.
  • Use the Attack Simulator in Microsoft Defender for Office 365 to run realistic, yet safe, simulated phishing and password attack campaigns. Utilize the QR code payload in attack simulation training scenarios to mirror the QR code spear-phishing techniques of Star Blizzard and other threat actors.
Link(s):
https://thehackernews.com/2025/01/russian-star-blizzard-shifts-tactics-to.html