Microsoft Threat Intelligence has uncovered a new spear-phishing campaign by Russian threat actor Star Blizzard, marking a significant shift from their traditional attack methods. The group, previously known as SEABORGIUM, has been active since 2012 and is targeting WhatsApp accounts of high-profile individuals.
Target Profile:
– Government officials and diplomats
– Defense policy experts
– International relations researchers focusing on Russia
– Organizations providing assistance to Ukraine
Attack Methodology:
1. Initial Contact: Attackers send spear-phishing emails impersonating U.S. government officials
2. QR Code Deception: The emails contain deliberately broken QR codes that purportedly link to a group supporting Ukrainian NGOs
3. Secondary Attack: When victims reply that the code does not work, the attackers send a shortened t.ly link instead
4. Credential Theft: The link redirects to an attacker-controlled page (aerofluidthermo.org) displaying a QR code that is actually a WhatsApp Web device-linking code
5. Account Compromise: Scanning that QR code with the victim’s phone links the attackers’ browser session to the account, giving them unauthorized access to the victim’s WhatsApp messages
This tactical shift follows Microsoft and the U.S. Department of Justice’s recent seizure of over 180 domains used by Star Blizzard between January 2023 and August 2024. The campaign, which concluded in November 2024, demonstrates the group’s adaptability in response to enforcement actions.
Security experts advise heightened vigilance when handling emails containing external links, particularly for individuals working in targeted sectors.