2024-01-19

Russian state-sponsored actor Coldriver, known for using spearphishing attacks on high-profile government accounts in Western countries for cyberespionage, has evolved its tactics to include custom malware in its campaigns, according to a Google Threat Analysis Group (TAG) report.

Also tracked as UNC4057, Star Blizzard, Blue Charlie, and Callisto, the Russian-backed advanced persistent threat (APT) has been found using a custom backdoor “SPICA” on victim systems to steal information, execute arbitrary commands, and establish persistence.

“Recently, TAG has observed Coldriver continue its evolution by going beyond phishing for credentials, to delivering malware via campaigns using PDFs as lure documents,” said TAG in the report. “TAG has disrupted the following campaign by adding all known domains and hashes to Safe Browsing blocklists.”

Coldriver is best known for its credential phishing activity against high-profile individuals in NGOs, former intelligence and military officers, and NATO governments, focused mainly on the US and UK.

PDF lure used for malware delivery

In its latest campaign, Coldriver has been observed using impersonation accounts to deliver an encrypted PDF file to target systems, where it acts as a lure to initiate the infection.

“As far back as November 2022, TAG has observed Coldriver sending targets benign PDF documents from impersonation accounts,” TAG said. “Coldriver presents these documents as a new op-ed or other type of article that the impersonation account is looking to publish, asking for feedback from the target.”