
Russian Hackers Target WhatsApp Accounts in New Spear-Phishing Campaign



A notorious Russian threat actor known as Star Blizzard has launched a new spear-phishing campaign aimed at compromising WhatsApp accounts. This shift in tactics signals an evolution in their attack strategies, likely to evade detection and bypass traditional security measures.


Who Is Star Blizzard?

Star Blizzard, previously known as SEABORGIUM, is a well-documented Russia-linked cyber espionage group specializing in credential harvesting. Active since at least 2012, the group operates under several aliases, including Blue Callisto, BlueCharlie (TAG-53), Calisto, COLDRIVER, Dancing Salome, Gossamer Bear, Iron Frontier, TA446, and UNC4057.


Historically, their attacks have relied on sending spear-phishing emails embedded with malicious links that lead to Evilginx-powered credential harvesting sites. These sites enable the theft of login details and two-factor authentication (2FA) codes using adversary-in-the-middle (AiTM) techniques.


Who Are the Targets?

According to Microsoft Threat Intelligence, Star Blizzard primarily targets:

  • Government officials (current and former)

  • Diplomatic personnel

  • Defense policy experts

  • International relations researchers focused on Russia

  • Individuals assisting Ukraine amid the ongoing war


New Attack Method: WhatsApp Account Hijacking

The latest phishing campaign deviates from Star Blizzard’s traditional email-focused tactics by attempting to compromise WhatsApp accounts. This shift follows recent crackdowns by Microsoft and the U.S. Department of Justice, which resulted in the seizure of over 180 domains used by the group between January 2023 and August 2024.


The attack begins with a phishing email posing as a U.S. government official, designed to appear credible and lure the victim into engagement.

  • The email contains a Quick Response (QR) code, supposedly inviting recipients to join a WhatsApp group focused on Ukraine-related non-governmental initiatives.

  • However, the QR code is intentionally broken, prompting victims to respond for assistance.

  • When a victim replies, the attackers send a t[.]ly-shortened link, claiming it will direct them to the correct WhatsApp group.

  • Clicking the link leads to a fake webpage, instructing the victim to scan another QR code.

  • This malicious QR code is actually used to link the victim’s WhatsApp account to the attacker’s device, granting unauthorized access to messages and sensitive data.
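The chain above has two observable steps on the network side: a click on a t[.]ly short link followed shortly by a visit to the staging site that serves the device-linking QR code (aerofluidthermo[.]org in this campaign). The following detector is an added example, not code from the report or from Microsoft; it runs over constructed proxy-log lines, and the log format, the ten-minute window and the user names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed web-proxy log lines: "<timestamp> <user> <url>". Not real traffic.
PROXY_LOG = """\
2025-01-16T09:02:11Z alice https://t.ly/abc12
2025-01-16T09:02:15Z alice https://aerofluidthermo.org/join
2025-01-16T10:30:00Z bob https://t.ly/xyz99
2025-01-16T11:45:00Z carol https://example.org/news
"""

# Indicators as published in the report (defanged), refanged for matching.
SHORTENER_HOSTS = {"t[.]ly".replace("[.]", ".")}
STAGING_HOSTS = {"aerofluidthermo[.]org".replace("[.]", ".")}
CHAIN_WINDOW = timedelta(minutes=10)  # assumed: shortener click -> staging visit

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<url>\S+)$")


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def parse_log(text: str):
    """Parse log lines into (timestamp, user, url) tuples, skipping malformed ones."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["user"], m["url"]))
    return events


def find_chains(events):
    """High-confidence alerts: a shortener click followed within CHAIN_WINDOW
    by a visit to the staging host, for the same user."""
    by_user = defaultdict(list)
    for ev in sorted(events):
        by_user[ev[1]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        for i, (ts, _, url) in enumerate(evs):
            if host_of(url) not in SHORTENER_HOSTS:
                continue
            for ts2, _, url2 in evs[i + 1:]:
                if ts2 - ts > CHAIN_WINDOW:
                    break
                if host_of(url2) in STAGING_HOSTS:
                    alerts.append((user, url, url2))
    return alerts


def shortener_only_users(events):
    """Lower-confidence: users who hit the shortener but never the staging host."""
    chained = {user for user, _, _ in find_chains(events)}
    return {u for _, u, url in events if host_of(url) in SHORTENER_HOSTS} - chained
```

A shortener click on its own is weak evidence and belongs in a low-priority queue; the chained pattern, or any visit to the staging host, is what should page an analyst.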


What Happens If You Fall for the Scam?

Once the victim scans the malicious QR code on the fake website (aerofluidthermo[.]org), the attacker can:

  • Gain full control over WhatsApp messages

  • Monitor conversations in real time

  • Exfiltrate data using browser add-ons


How to Stay Safe from Star Blizzard’s Attacks

If you belong to a high-risk sector (government, diplomacy, cybersecurity, journalism, or NGO work), take the following precautions:

  • Beware of unsolicited emails—especially those containing QR codes or links to external sources.

  • Verify sender identities before engaging in any conversations.

  • Never scan QR codes from unknown sources—always confirm their legitimacy.

  • Enable WhatsApp security features such as two-step verification.

  • Monitor linked devices in WhatsApp settings and remove unknown sessions.

  • Report suspicious messages to security teams and authorities.


Conclusion

This latest spear-phishing campaign by Star Blizzard highlights the group’s adaptability and persistence in targeting high-profile individuals. By leveraging WhatsApp hijacking, the attackers are attempting to bypass traditional defenses and infiltrate sensitive communications. As cyber threats continue to evolve, staying vigilant against phishing tactics is crucial to safeguarding personal and organizational security.