
GOOGLE TAG WARNS THAT RUSSIAN COLDRIVER APT IS USING A CUSTOM BACKDOOR

  • January 18, 2024

Jasper_The_Rasper
Moderator

January 18, 2024 By Pierluigi Paganini


Google warns that the Russia-linked threat actor COLDRIVER is expanding its targeting and developing custom malware.

The ColdRiver APT (aka “Seaborgium”, “Callisto”, “Star Blizzard”, “TA446”) is a Russian cyberespionage group that has been targeting government officials, military personnel, journalists and think tanks since at least 2015.

In the past, the group’s activity involved persistent phishing and credential theft campaigns leading to intrusions and data theft. The APT primarily targets NATO countries, but experts have also observed campaigns targeting the Baltic, Nordic, and Eastern European regions, including Ukraine.

Google TAG researchers warn that COLDRIVER is evolving its tactics, techniques and procedures (TTPs) to improve its detection evasion capabilities.

Recently, TAG has observed COLDRIVER delivering custom malware via phishing campaigns using PDFs as lure documents. Google experts uncovered and disrupted these attacks by adding all known domains and hashes to Safe Browsing blocklists.


>> Full Article <<