{
	"id": "f0fc60ba-d47c-4322-ac9e-8e717df84445",
	"created_at": "2026-04-06T00:12:00.425081Z",
	"updated_at": "2026-04-10T03:34:43.797587Z",
	"deleted_at": null,
	"sha1_hash": "30a65e451d50f9aeb0fb79c99564643ca19af4cc",
	"title": "New Star Blizzard spear-phishing campaign targets WhatsApp accounts",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 533507,
	"plain_text": "New Star Blizzard spear-phishing campaign targets WhatsApp\r\naccounts\r\nBy Microsoft Threat Intelligence\r\nPublished: 2025-01-16 · Archived: 2026-04-05 23:36:54 UTC\r\nIn mid-November 2024, Microsoft Threat Intelligence observed the Russian threat actor we track as Star Blizzard\r\nsending their typical targets spear-phishing messages, this time offering the supposed opportunity to join a\r\nWhatsApp group. This is the first time we have identified a shift in Star Blizzard’s longstanding tactics,\r\ntechniques, and procedures (TTPs) to leverage a new access vector. Star Blizzard’s targets are most commonly\r\nrelated to government or diplomacy (both incumbent and former position holders), defense policy or international\r\nrelations researchers whose work touches on Russia, and sources of assistance to Ukraine related to the war with\r\nRussia.\r\nIn our last blog post about Star Blizzard, we discussed how the threat actor targeted dozens of civil society\r\norganizations—journalists, think tanks, and non-governmental organizations (NGOs)—between January 2023 and\r\nAugust 2024 by deploying spear-phishing campaigns to exfiltrate sensitive information and interfere in their\r\nactivities. Since October 3, 2024, Microsoft and the US Department of Justice have seized or taken down more\r\nthan 180 websites related to that activity. 
While this coordinated action had a short-term impact on Star Blizzard’s\r\nphishing operations, we noted at the time that after this threat actor’s active infrastructure was exposed, they\r\nswiftly transitioned to new domains to continue their operations, indicating that the threat actor is highly resilient\r\nto operational disruptions.\r\nWe assess the threat actor’s shift to compromising WhatsApp accounts is likely in response to the exposure of\r\ntheir TTPs by Microsoft Threat Intelligence and other organizations, including national cybersecurity agencies.\r\nWhile this campaign appears to have wound down at the end of November, we are highlighting the new shift as a\r\nsign that the threat actor could be seeking to change its TTPs in order to evade detection.\r\nAs part of our continuous monitoring, analysis, and reporting on the threat landscape, we are sharing our\r\ninformation on Star Blizzard’s latest activity to raise awareness of this threat actor’s shift in tradecraft and to\r\neducate organizations on how to harden their attack surfaces against this and similar activity. We also directly\r\nnotify customers who have been targeted or compromised, providing them with the necessary information to help\r\nsecure their environments.\r\nTargeting WhatsApp account data\r\nStar Blizzard’s new spear-phishing campaign, while novel in that it uses and targets WhatsApp for the first time,\r\nexhibits familiar spear-phishing TTPs for Star Blizzard, with the threat actor initiating email contact with their\r\ntargets, to engage them, before sending them a second message containing a malicious link. The sender address\r\nused by the threat actor in this campaign impersonates a US government official, continuing Star Blizzard’s\r\npractice of impersonating known political/diplomatic figures, to further ensure target engagement. 
\r\nhttps://www.microsoft.com/en-us/security/blog/2025/01/16/new-star-blizzard-spear-phishing-campaign-targets-whatsapp-accounts/\r\nPage 1 of 8\n\nThe initial\r\nemail sent to targets contains a quick response (QR) code purporting to direct users to join a WhatsApp group on\r\n“the latest non-governmental initiatives aimed at supporting Ukraine NGOs.” This code, however, is intentionally\r\nbroken and will not direct the user towards any valid domain; this is an effort to coax the target recipient into\r\nresponding.\r\nFigure 1. Star Blizzard initial spear-phishing email with broken QR code\r\nWhen the recipient responds, Star Blizzard sends a second email containing a Safe Links-wrapped t[.]ly shortened\r\nlink as the alternative link to join the WhatsApp group.\r\nFigure 2. Star Blizzard follow-on spear-phishing email with URL link\r\nWhen this link is followed, the target is redirected to a webpage asking them to scan a QR code to join the group.\r\nHowever, this QR code is actually used by WhatsApp to connect an account to a linked device and/or the\r\nWhatsApp Web portal. This means that if the target follows the instructions on this page, the threat actor can gain\r\naccess to the messages in their WhatsApp account and have the capability to exfiltrate this data using existing\r\nbrowser plugins, which are designed for exporting WhatsApp messages from an account accessed via WhatsApp\r\nWeb.\r\nFigure 3. Malicious Star Blizzard phish attempt using WhatsApp linking QR code\r\nWhile this campaign was limited and appeared to have terminated at the end of November, it nevertheless marked\r\na break in long-standing Star Blizzard TTPs and highlighted the threat actor’s tenacity in continuing spear-phishing campaigns to gain access to sensitive information even in the face of repeated degradations of their\r\noperations.\r\nMicrosoft Threat Intelligence recommends that all email users belonging to sectors that Star Blizzard typically\r\ntargets always remain vigilant when dealing with email, especially emails containing links to external resources.\r\nThese targets are most commonly related to:\r\nGovernment or diplomacy (incumbent and former position holders)\r\nResearch into defense policy or international relations when related to Russia\r\nAssistance to Ukraine related to the ongoing conflict with Russia\r\nWhen in doubt, contact the person you think is sending the email using a known and previously used email\r\naddress to verify that the email was indeed sent by them.\r\nMitigations\r\nTo harden networks against the Star Blizzard activity listed above, defenders can implement the following:\r\nImplement Microsoft Defender for Endpoint on Android and iOS, which includes anti-phishing capabilities\r\nthat also apply to QR code phishing attacks, blocking phishing sites from being accessed. 
\r\nEnable network protection in Microsoft Defender for Endpoint\r\nEnsure that tamper protection is enabled in Microsoft Defender for Endpoint\r\nRun endpoint detection and response in block mode so that Microsoft Defender for Endpoint can block\r\nmalicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft\r\nDefender Antivirus is running in passive mode.\r\nConfigure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint\r\ntake immediate action on alerts to resolve breaches, significantly reducing alert volume.\r\nTurn on PUA protection in block mode in Microsoft Defender Antivirus\r\nTurn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus\r\nproduct to cover rapidly evolving attacker tools and techniques.\r\nTurn on Microsoft Defender Antivirus real-time protection.\r\nEncourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies\r\nand blocks malicious websites, including phishing sites, scam sites, and sites that host malware.\r\nTurn on Safe Links and Safe Attachments for Office 365.\r\nUse the Attack Simulator in Microsoft Defender for Office 365 to run realistic, yet safe, simulated phishing\r\nand password attack campaigns. Utilize the QR code payload in attack simulation training scenarios to\r\nmirror Star Blizzard’s and other threat actors’ QR code spear-phishing techniques.\r\nMicrosoft Defender XDR detections\r\nMicrosoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR\r\ncoordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide\r\nintegrated protection against attacks like the threat discussed in this blog.\r\nCustomers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate\r\nand respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.\r\nMicrosoft Defender for Endpoint\r\nThe following alerts might indicate threat activity associated with this threat. These alerts, however, can be\r\ntriggered by unrelated threat activity and are not monitored in the status cards provided with this report.\r\nStar Blizzard activity group\r\nHunting queries\r\nMicrosoft Defender XDR\r\nSurface events that may have communicated with the Star Blizzard C2s.\r\nlet domainList = dynamic([\"civilstructgeo.org\", \"aerofluidthermo.org\"]);\r\nunion\r\n(\r\nDnsEvents\r\n| where QueryType has_any(domainList) or Name has_any(domainList)\r\n| project TimeGenerated, Domain = QueryType, SourceTable = \"DnsEvents\"\r\n),\r\n(\r\nIdentityQueryEvents\r\n| where QueryTarget has_any(domainList)\r\n| project Timestamp, Domain = QueryTarget, SourceTable = \"IdentityQueryEvents\"\r\n),\r\n(\r\nDeviceNetworkEvents\r\n| where RemoteUrl has_any(domainList)\r\n| project Timestamp, Domain = RemoteUrl, SourceTable = \"DeviceNetworkEvents\"\r\n),\r\n(\r\nDeviceNetworkInfo\r\n| extend DnsAddresses = parse_json(DnsAddresses), ConnectedNetworks = parse_json(ConnectedNetworks)\r\n| mv-expand DnsAddresses, ConnectedNetworks\r\n| where DnsAddresses has_any(domainList) or ConnectedNetworks.Name has_any(domainList)\r\n| project Timestamp, Domain = coalesce(DnsAddresses, ConnectedNetworks.Name), SourceTable = \"DeviceNetworkInfo\"\r\n),\r\n(\r\nVMConnection\r\n| extend RemoteDnsQuestions = parse_json(RemoteDnsQuestions), RemoteDnsCanonicalNames = parse_json(RemoteDnsCanonicalNames)\r\n| mv-expand RemoteDnsQuestions, RemoteDnsCanonicalNames\r\n| where RemoteDnsQuestions has_any(domainList) or RemoteDnsCanonicalNames has_any(domainList)\r\n| project TimeGenerated, Domain = coalesce(RemoteDnsQuestions, RemoteDnsCanonicalNames), SourceTable = \"VMConnection\"\r\n),\r\n(\r\nW3CIISLog\r\n| where csHost has_any(domainList) or csReferer has_any(domainList)\r\n| project TimeGenerated, Domain = coalesce(csHost, csReferer), SourceTable = \"W3CIISLog\"\r\n),\r\n(\r\nEmailUrlInfo\r\n| where UrlDomain has_any(domainList)\r\n| project Timestamp, Domain = UrlDomain, SourceTable = \"EmailUrlInfo\"\r\n),\r\n(\r\nUrlClickEvents\r\n| where Url has_any(domainList)\r\n| project Timestamp, Domain = Url, SourceTable = \"UrlClickEvents\"\r\n)\r\n| order by TimeGenerated desc\r\nMicrosoft Sentinel\r\nMicrosoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to\r\nautomatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If\r\nthe TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the\r\nMicrosoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.\r\nWhile the below queries are not linked to any specific threat actor, they are effective in detecting potential\r\nphishing attempts. Implementing these queries can help you stay vigilant and safeguard your organization from\r\nphishing attacks:\r\nDelivered Bad Emails from Top bad IPv4 addresses\r\nPhishing Link Execution Observed\r\nSuccessful Signin from Phishing Link\r\nSuspicious URL Clicked\r\nEmail Delivered to Inbox\r\nMicrosoft Security Copilot\r\nSecurity Copilot customers can use the standalone experience to create their own prompts or run the following\r\npre-built promptbooks to automate incident response or investigation tasks related to this threat:\r\nIncident investigation\r\nMicrosoft User analysis\r\nThreat actor profile\r\nThreat Intelligence 360 report based on MDTI article\r\nNote that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or\r\nMicrosoft Sentinel.\r\nThreat intelligence reports\r\nMicrosoft customers can use the following reports in Microsoft products to get the most up-to-date information\r\nabout the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the\r\nintelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated\r\nthreats found in customer environments.\r\nMicrosoft Defender Threat Intelligence\r\nStar Blizzard adopting PDF-less approach to spearphishing\r\nStar Blizzard spearphishing campaign targets US think tanks\r\nDisrupting Star Blizzard’s ongoing phishing operations\r\nMicrosoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft\r\nDefender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the\r\nMicrosoft Defender portal to get more information about this threat actor.\r\nIndicators of compromise\r\nIndicator | Type | Last seen\r\ncivilstructgeo[.]org | Domain | October 2024\r\naerofluidthermo[.]org | Domain | October 2024\r\nReferences\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-341a\r\nLearn more\r\nFor further information on the threats detailed in this blog post, refer to these additional Microsoft blogs:\r\nProtecting Democratic Institutions from Cyber Threats\r\nStar Blizzard increases sophistication and evasion in ongoing attacks\r\nDisrupting SEABORGIUM’s ongoing phishing operations\r\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat\r\nIntelligence Blog: https://aka.ms/threatintelblog.\r\nTo get notified about new publications and to join discussions on social media, follow us on LinkedIn at\r\nhttps://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter)\r\nat https://twitter.com/MsftSecIntel.\r\nTo hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat\r\nlandscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.\r\nSource: https://www.microsoft.com/en-us/security/blog/2025/01/16/new-star-blizzard-spear-phishing-campaign-targets-whatsapp-accounts/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2025/01/16/new-star-blizzard-spear-phishing-campaign-targets-whatsapp-accounts/"
	],
	"report_names": [
		"new-star-blizzard-spear-phishing-campaign-targets-whatsapp-accounts"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "79bd28a6-dc10-419b-bee7-25511ae9d3d4",
			"created_at": "2023-01-06T13:46:38.581534Z",
			"updated_at": "2026-04-10T02:00:03.029872Z",
			"deleted_at": null,
			"main_name": "Callisto",
			"aliases": [
				"BlueCharlie",
				"Star Blizzard",
				"TAG-53",
				"Blue Callisto",
				"TA446",
				"IRON FRONTIER",
				"UNC4057",
				"COLDRIVER",
				"SEABORGIUM",
				"GOSSAMER BEAR"
			],
			"source_name": "MISPGALAXY:Callisto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aedca2f-6f6c-4470-af26-a46097d3eab5",
			"created_at": "2024-11-01T02:00:52.689773Z",
			"updated_at": "2026-04-10T02:00:05.396502Z",
			"deleted_at": null,
			"main_name": "Star Blizzard",
			"aliases": [
				"Star Blizzard",
				"SEABORGIUM",
				"Callisto Group",
				"TA446",
				"COLDRIVER"
			],
			"source_name": "MITRE:Star Blizzard",
			"tools": [
				"Spica"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2d06d270-acfd-4db8-83a8-4ff68b9b1ada",
			"created_at": "2022-10-25T16:07:23.477794Z",
			"updated_at": "2026-04-10T02:00:04.625004Z",
			"deleted_at": null,
			"main_name": "Cold River",
			"aliases": [
				"Blue Callisto",
				"BlueCharlie",
				"Calisto",
				"Cobalt Edgewater",
				"Gossamer Bear",
				"Grey Pro",
				"IRON FRONTIER",
				"Mythic Ursa",
				"Nahr Elbard",
				"Nahr el bared",
				"Seaborgium",
				"Star Blizzard",
				"TA446",
				"TAG-53",
				"UNC4057"
			],
			"source_name": "ETDA:Cold River",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"DNSpionage",
				"LOSTKEYS",
				"SPICA"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a057a97-db21-4261-804b-4b071a03c124",
			"created_at": "2024-06-04T02:03:07.953282Z",
			"updated_at": "2026-04-10T02:00:03.813595Z",
			"deleted_at": null,
			"main_name": "IRON FRONTIER",
			"aliases": [
				"Blue Callisto ",
				"BlueCharlie ",
				"CALISTO ",
				"COLDRIVER ",
				"Callisto Group ",
				"GOSSAMER BEAR ",
				"SEABORGIUM ",
				"Star Blizzard ",
				"TA446 "
			],
			"source_name": "Secureworks:IRON FRONTIER",
			"tools": [
				"Evilginx2",
				"Galileo RCS",
				"SPICA"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434320,
	"ts_updated_at": 1775792083,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/30a65e451d50f9aeb0fb79c99564643ca19af4cc.pdf",
		"text": "https://archive.orkl.eu/30a65e451d50f9aeb0fb79c99564643ca19af4cc.txt",
		"img": "https://archive.orkl.eu/30a65e451d50f9aeb0fb79c99564643ca19af4cc.jpg"
	}
}