Star Blizzard

Star Blizzard is a Russia-linked cyber espionage threat actor also tracked as COLDRIVER, Callisto, Callisto Group, SEABORGIUM, TA446, UNC4057, BlueCharlie, Blue Callisto, Calisto, Cold River, Gossamer Bear, and related variants. Multiple governments and public reporting cited in the content attribute the group to the Russian Federal Security Service (FSB), including as a subordinate or operational unit within FSB Centre 18 / Center 18. The actor conducts tailored spear-phishing and credential theft operations against high-value targets. Reported targets include Russian and Belarusian civil society, Russian opposition figures in exile, independent media, international NGOs active in Eastern Europe, journalists, think tanks, academics, former officials, former intelligence and military officers, government and military personnel, defense contractors, Department of Energy staff, and at least one former U.S. ambassador. Reporting also states the group has targeted parliamentarians, universities, the public sector, and NGOs, and has focused heavily on NATO countries while also targeting Ukraine-related organizations. Observed tradecraft includes registering impersonation email accounts to spoof experts, colleagues, funders, government personnel, or organizations affiliated with the intended target; using compromised or lookalike accounts; and sending highly personalized phishing emails aligned to the victim’s professional context. In the documented "River of Phish" activity, the group used fake protected or encrypted PDF lures, sometimes omitting the attachment in an initial email to induce a reply before sending the lure. The PDFs directed victims to attacker-controlled infrastructure that fingerprinted the victim’s browser and system, optionally presented hCaptcha, and redirected to phishing pages impersonating Gmail or ProtonMail. The objective was credential theft, including passwords, 2FA codes, and session cookies, enabling account takeover. The content also states the group incorporated the Evilginx framework into spear-phishing activity and used JavaScript to redirect victims from adversary-controlled servers to Evilginx-hosted phishing infrastructure. Additional reporting in the content states Star Blizzard has uploaded malicious payloads to cloud storage sites and has sent emails with malicious PDF files to deliver malware. Google TAG reporting referenced in the content notes Microsoft uncovered a similar QR-code campaign tied to Callisto Group / Coldriver / Star Blizzard that targeted WhatsApp accounts linked to dozens of civil society organizations and journalists. The group has also been linked to hack-and-leak activity. The content states information stolen by COLDRIVER was used in hack-and-leak operations, including leaks related to UK-US trade documents ahead of the 2019 UK election and material used in 2022 to exacerbate Brexit-related political divisions in the United Kingdom. Law-enforcement and sanctions actions described in the content include U.S. and UK sanctions against Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets as members or associates of the group, and U.S. Department of Justice and Microsoft actions to seize more than 100 domains allegedly used in the group’s spear-phishing infrastructure.