Russian Threat Actor Star Blizzard Adopts WhatsApp QR Code Phishing for Account Takeover


The Russian threat actor known as Star Blizzard has launched a new spear-phishing campaign aimed at compromising victims’ WhatsApp accounts, marking a shift in its tactics to evade detection.

According to a report by the Microsoft Threat Intelligence team, Star Blizzard’s targets primarily include individuals in government or diplomatic roles (both current and former), defense policy experts, researchers in international relations with a focus on Russia, and those offering assistance to Ukraine amidst the ongoing war.

Previously known as SEABORGIUM, Star Blizzard is a Russia-linked cyber threat group active since at least 2012. It is also tracked under various aliases, including Blue Callisto, BlueCharlie (or TAG-53), Callisto, COLDRIVER, Dancing Salome, Gossamer Bear, Iron Frontier, TA446, and UNC4057. Historically, the group has specialized in credential harvesting through spear-phishing campaigns. These attacks typically involved sending malicious emails from Proton accounts, with links redirecting victims to Evilginx-powered pages designed to harvest credentials and two-factor authentication (2FA) codes via adversary-in-the-middle (AiTM) attacks.

The group has also been linked to the use of email marketing platforms such as HubSpot and MailerLite to disguise the true sender and bypass the need for actor-controlled domain infrastructure in their campaigns. In late 2024, Microsoft and the U.S. Department of Justice (DoJ) seized over 180 domains used by Star Blizzard to target journalists, think tanks, and non-governmental organizations (NGOs) between January 2023 and August 2024.

This disruption may have prompted the group to alter its methods, shifting to compromising WhatsApp accounts. Microsoft noted that while the WhatsApp-based campaign was short-lived, concluding in November 2024, it highlights the actor’s adaptability.

The campaign began with a spear-phishing email impersonating a U.S. government official to enhance credibility. The email included a QR code claiming to provide access to a WhatsApp group focused on “non-governmental initiatives supporting Ukrainian NGOs.” The QR code, however, was intentionally broken, encouraging the recipient to reply.

Upon receiving a response, Star Blizzard sent a follow-up email with a shortened t[.]ly link, apologizing for the inconvenience and urging the recipient to click the link to join the WhatsApp group. This link redirected victims to a webpage displaying a QR code that appeared legitimate but was in fact a WhatsApp "linked device" pairing code of the kind WhatsApp Web shows. Scanning it with the WhatsApp mobile app links the victim's account to a browser session controlled by the attackers; no password, 2FA code, or malware is involved, which is why the lure relies entirely on the victim completing the pairing step.

“The campaign targeted individuals in government and diplomacy, including both current and former officials,” said Sherrod DeGrippo, Director of Threat Intelligence Strategy at Microsoft. “It also extended to defense policy professionals, researchers in international relations focusing on Russia, and individuals supporting Ukraine.”

This strategic shift underscores the group’s efforts to innovate and remain effective despite public exposure of its previous activities.

If the target follows the instructions on the site (“aerofluidthermo[.]org”), the threat actor ends up with a linked-device session that can read the victim's WhatsApp messages, and can exfiltrate them using ordinary browser add-ons that export chats from a WhatsApp Web session.
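The two-stage lure described above (a QR image in the first email, then a follow-up carrying a shortened link) is a pattern a mail-filtering team can score heuristically before anyone scans anything. The following is an added example, not code from Microsoft or from the original article: it parses raw RFC 822 messages with Python's standard library and flags the combination of an image part plus messaging-app lure wording, URL-shortener hosts, and a Reply-To domain that differs from the From domain. The t[.]ly host comes from the report; the other shortener domains, the lure terms, the sample messages and all addresses are constructed for illustration.

```python
"""Heuristic triage for QR-code / shortened-link messaging-app lures.

Added example (not the article's or Microsoft's code). The sample
messages, addresses and most indicator lists below are constructed.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# t.ly appears in the report; the rest are assumed, commonly abused shorteners.
SHORTENER_DOMAINS = {"t.ly", "bit.ly", "tinyurl.com"}
# Lure wording seen in the campaign plus generic "join" phrasing (assumption).
LURE_TERMS = ("whatsapp", "qr code", "join the", "ngo", "ukrain")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)[^\s<>\"']*", re.I)


def _domain(header_value) -> str:
    """Return the lower-cased domain of an address header, or '' if absent."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower()


def triage(raw: bytes) -> dict:
    """Score one raw message; returns {'score': int, 'findings': [...]}."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    text = str(msg["Subject"] or "")
    image_parts = 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            image_parts += 1          # a QR code arrives as an image part
        elif ctype in ("text/plain", "text/html"):
            text += "\n" + part.get_content()
    lowered = text.lower()

    lure_hits = [t for t in LURE_TERMS if t in lowered]
    if lure_hits:
        findings.append("lure_terms:" + ",".join(lure_hits))
    if image_parts and lure_hits:
        # Image + "scan to join the group" wording is the first-stage lure.
        findings.append("image_with_messaging_lure")

    hosts = {m.group(1).lower() for m in URL_RE.finditer(text)}
    short = sorted(h for h in hosts if h in SHORTENER_DOMAINS)
    if short:
        # Second stage: a shortener hides the pairing page's real host.
        findings.append("shortened_link:" + ",".join(short))

    from_dom, reply_dom = _domain(msg["From"]), _domain(msg["Reply-To"])
    if from_dom and reply_dom and from_dom != reply_dom:
        # Generic spear-phishing check (assumption, not from the report).
        findings.append("reply_to_domain_mismatch")

    return {"score": len(findings), "findings": findings}


def build_sample_first_lure() -> bytes:
    """Constructed stage-one message: QR image plus WhatsApp-group text."""
    msg = EmailMessage()
    msg["From"] = "official@example.com"          # constructed
    msg["Reply-To"] = "official@proton.example"   # constructed
    msg["Subject"] = "WhatsApp group: initiatives supporting Ukrainian NGOs"
    msg.set_content("Please scan the QR code below to join the WhatsApp group.")
    fake_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16   # placeholder image bytes
    msg.add_attachment(fake_png, maintype="image", subtype="png",
                       filename="qr.png")
    return msg.as_bytes()


def build_sample_follow_up() -> bytes:
    """Constructed stage-two message: apology plus shortened link."""
    msg = EmailMessage()
    msg["From"] = "official@example.com"          # constructed
    msg["Subject"] = "Re: WhatsApp group"
    msg.set_content("Apologies, the QR code did not work. Please use this "
                    "link to join the WhatsApp group: https://t.ly/abc123")
    return msg.as_bytes()


if __name__ == "__main__":
    for build in (build_sample_first_lure, build_sample_follow_up):
        print(build.__name__, triage(build()))
```

The score is deliberately additive rather than a verdict: a single shortened link is common in legitimate mail, but an image plus "scan to join" wording, or a shortener in a reply thread that began with a broken QR code, is worth routing to an analyst. Feeding it real mail means piping the raw bytes of each message into `triage` from whatever mailbox or gateway export you already have.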

Individuals working in the sectors targeted by Star Blizzard should treat unsolicited emails containing QR codes or shortened links with suspicion, and should keep in mind that joining a WhatsApp group never requires linking a new device to the account. Anyone who may already have scanned such a code should open WhatsApp's Linked Devices settings and log out any session they do not recognize, since that is the only way to revoke the attacker's access.

This campaign represents a departure from Star Blizzard’s traditional tactics, showcasing the group’s persistence in conducting spear-phishing attacks to access sensitive information, even after repeated disruptions to its operations.
