{
	"id": "1bc899f3-c54f-43a3-892c-b1d929b05353",
	"created_at": "2026-04-06T00:12:18.971888Z",
	"updated_at": "2026-04-10T03:35:41.745567Z",
	"deleted_at": null,
	"sha1_hash": "376d8ca8645a8cae8bf2f979e02a7d86ba3bc756",
	"title": "Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 176429,
	"plain_text": "Russian threat group COLDRIVER expands its targeting of\r\nWestern officials to include the use of malware\r\nBy Wesley Shields\r\nPublished: 2024-01-18 · Archived: 2026-04-02 12:34:25 UTC\r\nCOLDRIVER’s targeting of high profile individuals in NGOs, former intelligence and military officials and\r\nNATO governments is moving beyond credential phishing activities.\r\nOver the years, TAG has analyzed a range of persistent threats including COLDRIVER (also known as UNC4057,\r\nStar Blizzard and Callisto), a Russian threat group focused on credential phishing activities against high profile\r\nindividuals in NGOs, former intelligence and military officers, and NATO governments. For years, TAG has been\r\ncountering and reporting on this group’s efforts to conduct espionage aligned with the interests of the Russian\r\ngovernment. To add to the community’s understanding of COLDRIVER activity, we’re shining light on their\r\nextended capabilities which now includes the use of malware.\r\nCOLDRIVER continues its focus on credential phishing against Ukraine, NATO countries, academic institutions\r\nand NGOs. In order to gain the trust of targets, COLDRIVER often utilizes impersonation accounts, pretending to\r\nbe an expert in a particular field or somehow affiliated with the target. The impersonation account is then used to\r\nestablish a rapport with the target, increasing the likelihood of the phishing campaign's success, and eventually\r\nsends a phishing link or document containing a link. Recently published information on COLDRIVER highlights\r\nthe group's evolving tactics, techniques and procedures (TTPs), to improve its detection evasion capabilities.\r\nRecently, TAG has observed COLDRIVER continue this evolution by going beyond phishing for credentials, to\r\ndelivering malware via campaigns using PDFs as lure documents. 
TAG has disrupted the following campaign by\r\nadding all known domains and hashes to Safe Browsing blocklists.\r\n“Encrypted” lure-based malware delivery\r\nAs far back as November 2022, TAG has observed COLDRIVER sending targets benign PDF documents from\r\nimpersonation accounts. COLDRIVER presents these documents as a new op-ed or other type of article that the\r\nhttps://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/\r\nPage 1 of 4\n\nimpersonation account is looking to publish, asking for feedback from the target. When the user opens the benign\r\nPDF, the text appears encrypted.\r\nScreenshot of “encrypted” text in a lure document\r\nIf the target responds that they cannot read the encrypted document, the COLDRIVER impersonation account\r\nresponds with a link, usually hosted on a cloud storage site, to a “decryption” utility for the target to use. This\r\ndecryption utility, while also displaying a decoy document, is in fact a backdoor, tracked as SPICA, giving\r\nCOLDRIVER access to the victim’s machine.\r\nIn 2015 and 2016, TAG observed COLDRIVER using the Scout implant that was leaked during the Hacking Team\r\nincident of July 2015. SPICA represents the first custom malware that we attribute being developed and used by\r\nCOLDRIVER.\r\nSPICA backdoor\r\nSPICA is written in Rust, and uses JSON over websockets for command and control (C2). It supports a number of\r\ncommands including:\r\nExecuting arbitrary shell commands\r\nStealing cookies from Chrome, Firefox, Opera and Edge\r\nUploading and downloading files\r\nPerusing the filesystem by listing the contents of it\r\nEnumerating documents and exfiltrating them in an archive\r\nThere is also a command called “telegram,” but the functionality of this command is unclear\r\nOnce executed, SPICA decodes an embedded PDF, writes it to disk, and opens it as a decoy for the user. 
In the\r\nbackground, it establishes persistence and starts the main C2 loop, waiting for commands to execute.\r\nThe backdoor establishes persistence via an obfuscated PowerShell command which creates a scheduled task\r\nnamed CalendarChecker:\r\nObfuscated PowerShell command\r\nTAG has observed SPICA being used as early as September 2023, but believe that COLDRIVER’s use of the\r\nbackdoor goes back to at least November 2022. While TAG has observed four different variants of the initial\r\n“encrypted” PDF lure, we have only been able to successfully retrieve a single instance of SPICA. This sample, \r\nnamed “Proton-decrypter.exe”, used the C2 address 45.133.216[.]15:3000, and was likely active around August\r\nand September 2023.\r\nWe believe there may be multiple versions of the SPICA backdoor, each with a different embedded decoy\r\ndocument to match the lure document sent to targets.\r\nProtecting the community\r\nAs part of our efforts to combat serious threat actors, TAG uses the results of our research to improve the safety\r\nand security of Google’s products. Upon discovery, all identified websites, domains and files are added to Safe\r\nBrowsing to protect users from further exploitation. TAG also sends all targeted Gmail and Workspace users\r\ngovernment-backed attacker alerts notifying them of the activity and encourages potential targets to enable\r\nEnhanced Safe Browsing for Chrome and ensure that all devices are updated.\r\nWe are committed to sharing our findings with the security community to raise awareness, and with companies\r\nand individuals that might have been targeted by these activities. 
We hope that improved understanding of tactics\r\nand techniques will enhance threat hunting capabilities and lead to stronger user protections across the industry.\r\nIndicators of compromise (IoCs)\r\nHashes of observed lure documents\r\n“Encrypted” PDFs\r\nSHA256\r\n0f6b9d2ada67cebc8c0f03786c442c61c05cef5b92641ec4c1bdd8f5baeb2ee1\r\n(first observed November 2022)\r\nA949ec428116489f5e77cefc67fea475017e0f50d2289e17c3eb053072adcf24\r\n(first observed June 2023)\r\nC97acea1a6ef59d58a498f1e1f0e0648d6979c4325de3ee726038df1fc2e831d\r\n(first observed August 2023)\r\nAc270310b5410e7430fe7e36a079525cd8724b002b38e13a6ee6e09b326f4847\r\n(first observed November 2023)\r\nSPICA Instance\r\n84523ddad722e205e2d52eedfb682026928b63f919a7bf1ce6f1ad4180d0f507\r\nZIP file, hosted on cloud storage. Delivered to target after initial lure PDF.\r\n37c52481711631a5c73a6341bd8bea302ad57f02199db7624b580058547fb5a9\r\nSPICA backdoor. Named “Proton-decrypter.exe”.\r\nC97acea1a6ef59d58a498f1e1f0e0648d6979c4325de3ee726038df1fc2e831d\r\nLure document, likely to provide legitimacy to zip file.\r\nC2\r\nhttps[://]45.133.216[.]15:3000/ws\r\nYARA Rule\r\nrule SPICA__Strings {\r\n  meta:\r\n    author = \"Google TAG\"\r\n    description = \"Rust backdoor using websockets for c2 and embedded decoy PDF\"\r\n    hash = \"37c52481711631a5c73a6341bd8bea302ad57f02199db7624b580058547fb5a9\"\r\n  strings:\r\n    $s1 = \"os_win.c:%d: (%lu) %s(%s) - %s\"\r\n    $s2 = \"winWrite1\"\r\n    $s3 = \"winWrite2\"\r\n    $s4 = \"DNS resolution panicked\"\r\n    $s5 = \"struct Dox\"\r\n    $s6 = \"struct Telegram\"\r\n    $s8 = \"struct Download\"\r\n    $s9 = \"spica\"\r\n    $s10 = \"Failed to open the subkey after setting the value.\"\r\n    $s11 = \"Card Holder: Bull Gayts\"\r\n    $s12 = \"Card Number: 7/ 3310 0195 4865\"\r\n    $s13 = \"CVV: 592\"\r\n    $s14 = \"Card Expired: 03/28\"\r\n    $a0 = \"agent\\\\src\\\\archive.rs\"\r\n    $a1 = \"agent\\\\src\\\\main.rs\"\r\n    $a2 = \"agent\\\\src\\\\utils.rs\"\r\n    $a3 = \"agent\\\\src\\\\command\\\\dox.rs\"\r\n    $a4 = \"agent\\\\src\\\\command\\\\shell.rs\"\r\n    $a5 = \"agent\\\\src\\\\command\\\\telegram.rs\"\r\n    $a6 = \"agent\\\\src\\\\command\\\\mod.rs\"\r\n    $a7 = \"agent\\\\src\\\\command\\\\mod.rs\"\r\n    $a8 = \"agent\\\\src\\\\command\\\\cookie\\\\mod.rs\"\r\n    $a9 = \"agent\\\\src\\\\command\\\\cookie\\\\browser\\\\mod.rs\"\r\n    $a10 = \"agent\\\\src\\\\command\\\\cookie\\\\browser\\\\browser_name.rs\"\r\n  condition:\r\n    7 of ($s*) or 5 of ($a*)\r\n}\r\nSource: https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/"
	],
	"report_names": [
		"google-tag-coldriver-russian-phishing-malware"
	],
	"threat_actors": [
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "79bd28a6-dc10-419b-bee7-25511ae9d3d4",
			"created_at": "2023-01-06T13:46:38.581534Z",
			"updated_at": "2026-04-10T02:00:03.029872Z",
			"deleted_at": null,
			"main_name": "Callisto",
			"aliases": [
				"BlueCharlie",
				"Star Blizzard",
				"TAG-53",
				"Blue Callisto",
				"TA446",
				"IRON FRONTIER",
				"UNC4057",
				"COLDRIVER",
				"SEABORGIUM",
				"GOSSAMER BEAR"
			],
			"source_name": "MISPGALAXY:Callisto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aedca2f-6f6c-4470-af26-a46097d3eab5",
			"created_at": "2024-11-01T02:00:52.689773Z",
			"updated_at": "2026-04-10T02:00:05.396502Z",
			"deleted_at": null,
			"main_name": "Star Blizzard",
			"aliases": [
				"Star Blizzard",
				"SEABORGIUM",
				"Callisto Group",
				"TA446",
				"COLDRIVER"
			],
			"source_name": "MITRE:Star Blizzard",
			"tools": [
				"Spica"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2d06d270-acfd-4db8-83a8-4ff68b9b1ada",
			"created_at": "2022-10-25T16:07:23.477794Z",
			"updated_at": "2026-04-10T02:00:04.625004Z",
			"deleted_at": null,
			"main_name": "Cold River",
			"aliases": [
				"Blue Callisto",
				"BlueCharlie",
				"Calisto",
				"Cobalt Edgewater",
				"Gossamer Bear",
				"Grey Pro",
				"IRON FRONTIER",
				"Mythic Ursa",
				"Nahr Elbard",
				"Nahr el bared",
				"Seaborgium",
				"Star Blizzard",
				"TA446",
				"TAG-53",
				"UNC4057"
			],
			"source_name": "ETDA:Cold River",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"DNSpionage",
				"LOSTKEYS",
				"SPICA"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a057a97-db21-4261-804b-4b071a03c124",
			"created_at": "2024-06-04T02:03:07.953282Z",
			"updated_at": "2026-04-10T02:00:03.813595Z",
			"deleted_at": null,
			"main_name": "IRON FRONTIER",
			"aliases": [
				"Blue Callisto ",
				"BlueCharlie ",
				"CALISTO ",
				"COLDRIVER ",
				"Callisto Group ",
				"GOSSAMER BEAR ",
				"SEABORGIUM ",
				"Star Blizzard ",
				"TA446 "
			],
			"source_name": "Secureworks:IRON FRONTIER",
			"tools": [
				"Evilginx2",
				"Galileo RCS",
				"SPICA"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434338,
	"ts_updated_at": 1775792141,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/376d8ca8645a8cae8bf2f979e02a7d86ba3bc756.pdf",
		"text": "https://archive.orkl.eu/376d8ca8645a8cae8bf2f979e02a7d86ba3bc756.txt",
		"img": "https://archive.orkl.eu/376d8ca8645a8cae8bf2f979e02a7d86ba3bc756.jpg"
	}
}