
Star Blizzard Hackers Exploit WhatsApp In Spear-Phishing Attack

Star Blizzard, a Russian cyber threat group, has been linked to a new spear-phishing campaign targeting WhatsApp accounts. This campaign, first discovered in mid-November 2024, appears to be an attempt to evade detection following the recent exposure of the group’s tactics, techniques, and procedures.

An analysis by Microsoft Threat Intelligence says that the operation targets people working in international relations, military policy, diplomacy and government, and organisations providing aid to Ukraine. The move from email credential harvesting to WhatsApp device linking is a change of channel rather than of target: the same victim set is approached through a platform that the group's previously exposed infrastructure and domains do not touch.

Star Blizzard (previously tracked by Microsoft as SEABORGIUM, and also known as TA446) is a Russian-affiliated threat group that has been operating since at least 2012 and is well known for credential-harvesting operations. The group uses spear-phishing emails to target journalists, non-governmental organisations and think tanks.

According to Sherrod DeGrippo, Microsoft’s director of threat intelligence strategy:

The targets primarily belong to the government and diplomacy sectors, including both current and former officials. Additionally, the targets encompass individuals involved in defence policy, researchers in international relations focusing on Russia, and those providing assistance to Ukraine in relation to the war with Russia.

Star Blizzard’s WhatsApp QR Code Phishing Tactic

The group's established tradecraft is to send malicious links, often from ProtonMail accounts, that lead to phishing sites powered by Evilginx. Evilginx is an adversary-in-the-middle (AiTM) reverse proxy: the victim is shown the genuine login page through the attacker's server, so the password and the one-time 2FA code are captured as they are entered, and the resulting authenticated session is available to the attacker.

They have also avoided the need for actor-controlled sending domains, and obscured the true sender address, by abusing legitimate email marketing platforms such as HubSpot and MailerLite to deliver the messages.

In late 2024, the U.S. Department of Justice and Microsoft seized more than 180 domains the group had used in activity between January 2023 and August 2024.

In the WhatsApp campaign, the initial emails impersonate US government representatives and carry an invitation to join a WhatsApp group associated with pro-Ukrainian non-profit organisations. The QR code in the email is deliberately broken: its purpose is not to be scanned but to prompt the recipient to reply and ask for a working one, which establishes a conversation with the target.

Phishing Email Impersonating US Government with QR Code (Microsoft)

Once the target replies, Star Blizzard sends a shortened link that purports to lead to the WhatsApp group. It instead resolves to an attacker-controlled webpage displaying a second QR code, which the target is told to scan to join the group.

That second QR code is not a group invite at all. It is a WhatsApp Web device-linking code: scanning it with the phone's WhatsApp app links the attacker's browser session to the victim's account as a linked device, using the legitimate feature that lets users access their account from a computer. Nothing in the scan itself looks different from joining a group, and no password or 2FA code is involved.

Star Blizzard Phishing with WhatsApp QR Code (Microsoft)

By scanning the code, the victims unknowingly gave Star Blizzard full access to their WhatsApp accounts. With the account open in a browser, the attackers used existing browser extensions designed for exporting WhatsApp messages to read conversations and exfiltrate data.
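The distinguishing detail in the chain above is that a genuine group invitation and a device-linking code decode to different kinds of payload. The following is an added example, not tooling from Microsoft or from the article: a small Python triage routine that takes the text decoded from a QR code and says which kind it is. It assumes (this is an assumption, not something the article states) that a WhatsApp group invite decodes to a `https://chat.whatsapp.com/...` URL, while a WhatsApp Web linking code decodes to a comma-separated set of base64 blobs rather than a URL. The shortener list and all sample payloads are constructed for the example.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Host that legitimate WhatsApp group invite links point at (assumption for this example).
GROUP_INVITE_HOSTS = {"chat.whatsapp.com"}

# Shorteners seen in front of "invite" links; a constructed list, not from the article.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "rb.gy"}

# A base64 segment: alphabet characters plus at most two padding characters.
_B64_SEGMENT = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def _is_base64(segment: str) -> bool:
    """True if the segment is well-formed, correctly padded base64."""
    if not _B64_SEGMENT.match(segment):
        return False
    try:
        base64.b64decode(segment, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def classify_qr_payload(payload: str) -> str:
    """Classify decoded QR text.

    Returns one of:
      group_invite    - URL on a known WhatsApp group invite host with an invite path
      shortened_link  - URL on a link shortener (destination unknown until followed)
      other_link      - any other http(s) URL
      device_link     - not a URL; looks like a comma-separated set of base64 blobs,
                        the shape assumed here for a WhatsApp Web linking code
      unknown         - anything else
    """
    text = payload.strip()
    parsed = urlparse(text)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        host = parsed.netloc.lower().rsplit("@", 1)[-1].split(":")[0]
        if host in GROUP_INVITE_HOSTS and parsed.path.strip("/"):
            return "group_invite"
        if host in SHORTENER_HOSTS:
            return "shortened_link"
        return "other_link"
    segments = text.split(",")
    if len(segments) >= 2 and all(_is_base64(s) for s in segments):
        return "device_link"
    return "unknown"


def triage(payload: str) -> dict:
    """Attach a plain-language verdict to the classification."""
    label = classify_qr_payload(payload)
    advice = {
        "group_invite": "Group invite link; confirm the group with the sender out of band.",
        "shortened_link": "Shortened link; do not scan, expand it first and inspect the destination.",
        "other_link": "Ordinary web link; check the host before visiting.",
        "device_link": "DEVICE-LINKING CODE: scanning this links a browser to your WhatsApp account.",
        "unknown": "Unrecognised payload; treat as untrusted.",
    }[label]
    return {"label": label, "advice": advice}


# Constructed sample payloads, as a QR decoder would return them.
SAMPLE_GROUP_INVITE = "https://chat.whatsapp.com/AbCdEfGhIjKlMnOpQrStUv"
SAMPLE_SHORTENED = "https://bit.ly/3xAmPlE"
SAMPLE_DEVICE_LINK = ",".join(
    base64.b64encode(bytes([i]) * 32).decode() for i in range(1, 5)
)
SAMPLE_TEXT = "Join our group: ask the sender for a new code"

if __name__ == "__main__":
    for sample in (SAMPLE_GROUP_INVITE, SAMPLE_SHORTENED, SAMPLE_DEVICE_LINK, SAMPLE_TEXT):
        verdict = triage(sample)
        print(f"{verdict['label']:<15} {verdict['advice']}")
```

The useful property of this check is that it does not depend on the lure: whatever the email or landing page says, a payload that is not a `chat.whatsapp.com` URL cannot be a group invite, and a blob of base64 segments is exactly what the phone's camera would otherwise hand to WhatsApp's linking flow.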

Because a linked device stays connected until it is removed, the access persists beyond the single phishing interaction and can be used to monitor and take part in later conversations. Microsoft assesses that the move to WhatsApp was a response to the public exposure of the group's earlier infrastructure. The campaign itself appears to have been short-lived, ending in November 2024.

Microsoft advised recipients to be cautious with emails that link out to other resources, particularly those working in the sectors Star Blizzard usually targets. The practical check is on the phone: open WhatsApp's Linked Devices screen, review every browser or computer session listed there, and log out of any that you do not recognise or no longer use. A QR code that is presented as a group invite should never need to be scanned from inside WhatsApp's own linking screen, and a genuine invite arrives as a chat.whatsapp.com link rather than as a code on a third-party page.

Security Awareness Training remains one of the most cost-effective methods of boosting cyber-security within your business. Have a look at our free Click-Prone® Test to find out how many of your staff are susceptible to a phishing attack and learn how you can reduce this number today.
