Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware

Over the years, the Threat Analysis Group (TAG) has been analyzing the activities of a Russian threat group known as COLDRIVER, also referred to as UNC4057, Star Blizzard, and Callisto. This group focuses on credential phishing activities, particularly targeting high-profile individuals in non-governmental organizations (NGOs), former military and intelligence officers, and NATO governments. TAG has been monitoring and reporting on COLDRIVER’s espionage efforts aligned with the Russian government’s interests. The group has recently expanded its capabilities to include the use of malware. COLDRIVER continues to focus on credential phishing against Ukraine, NATO countries, academic institutions, and NGOs. To gain the trust of their targets, COLDRIVER often uses impersonation accounts posing as experts in a particular field or as affiliated with the target. These accounts are used to establish a rapport with the target, increasing the success rate of their phishing campaigns. The group has been observed using evolving tactics, techniques, and procedures (TTPs) to improve its detection evasion capabilities. Recently, TAG has observed an evolution in COLDRIVER’s activities, as the group has moved beyond phishing for credentials to delivering malware via campaigns that use PDFs as lure documents. TAG has taken actions to disrupt these campaigns and has added all known domains and hashes associated with COLDRIVER to Safe Browsing blocklists.


There are no comments yet.

Leave a comment