Russian threat group spreading backdoor through phishing, says Google

A Russian-based espionage group known for stealing login credentials of government and military officials is also trying to trick victims into downloading malware.

Google’s Threat Analysis Group (TAG) says the attackers, known to researchers as ColdRiver, UNC4057, Star Blizzard or Callisto, has added to its arsenal by adding poisoned PDF attachments in phishing messages that lead to the installation of a backdoor.

It’s a warning to ColdRiver’s usual targets, which include high profile individuals in non-governmental organizations like think tanks, universities, former intelligence and military officers, NATO governments, and Ukraine.

ColdRiver often creates an online persona pretending to be an expert in a particular field or somehow affiliated with the target, Google says. The impersonation account is then used to establish a rapport with the target, increasing the likelihood of the phishing campaign’s success. Eventually the gang sends a phishing link or document containing a link.

“As far back as November 2022, TAG has observed ColdRiver sending targets benign PDF documents from impersonation accounts,” TAG said in a report today. “ColdRiver presents these documents as a new op-ed or other type of article that the impersonation account is looking to publish, asking for feedback from the target. When the user opens the benign PDF, the text appears encrypted. If the target responds that they cannot read the encrypted document, the ColdRiver impersonation account responds with a link, usually hosted on a cloud storage site, to a ‘decryption’ utility for the target to use. This decryption utility, while also displaying a decoy document, is in fact a backdoor, tracked as SPICA, giving ColdRiver access to the victim’s machine.”

SPICA was detected as early as last September, but Google believes it was used almost a year before that. It’s the first custom malware that Google attributes as having been developed and used by ColdRiver.

Written in Rust, this backdoor uses JSON over websockets for command and control. It steals cookies from browsers, allows the uploading and downloading of files, and lists contents of file systems.

The backdoor establishes persistence via an obfuscated PowerShell command which creates a scheduled task named CalendarChecker.

Google’s report includes the latest indicators of compromise.

Last week, the Reuters news agency reported that ColdRiver targeted three nuclear research laboratories in the United States in 2023: the Brookhaven (BNL), Argonne (ANL) and Lawrence Livermore National Laboratories (LLNL), according to internet records. They showed the hackers creating fake login pages for each institution and emailing nuclear scientists in a bid to make them reveal their passwords, Reuters said.

Microsoft has been among the cybersecurity companies trying to disrupt this attacker, which it calls Star Blizzard. In December it reported that the group was trying to improve its detection evasion capabilities.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now