New Star Blizzard spear-phishing campaign targets WhatsApp accounts | Microsoft Security Blog

In mid-November 2024, Microsoft Threat Intelligence reported a shift in tactics by the Russian threat actor Star Blizzard, who began targeting WhatsApp accounts through spear-phishing campaigns. This new approach involves impersonating US government officials to lure victims into malicious links that compromise their WhatsApp data. The campaign highlights the actor’s resilience and adaptability in the face of operational disruptions. Affected: WhatsApp, Email

Key points:

  • Star Blizzard has shifted tactics to target WhatsApp accounts through spear-phishing.
  • The campaign involves impersonating US government officials to engage targets.
  • Initial contact is made via email with a broken QR code leading to a malicious link.
  • The follow-up message contains a Safe Links-wrapped shortened URL.
  • Victims who follow the link are redirected to a page that allows the threat actor access to their WhatsApp messages.
  • This shift in tactics comes after previous disruptions to their operations.
  • Microsoft recommends vigilance for sectors typically targeted by Star Blizzard.
  • Mitigations include implementing Microsoft Defender for Endpoint and using Safe Links for Office 365.

MITRE Techniques:

  • Phishing (T1566): Star Blizzard uses spear-phishing emails to initiate contact and lure targets.
  • Credential Dumping (T1003): By gaining access to WhatsApp accounts, the threat actor can exfiltrate sensitive information.
  • Exploitation for Client Execution (T1203): The malicious link leads to a webpage that exploits user interactions to gain access to WhatsApp.

Indicators of Compromise:

  • [domain] civilstructgeo[.]org
  • [domain] aerofluidthermo[.]org
  • Check the article for all found IoCs.
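The published IoCs are defanged domains, and the key point above notes that the lure URL arrived wrapped by Safe Links. A defender checking mail or proxy logs therefore has to refang the indicators and look past the wrapper to the destination host before comparing. The script below is an added example written for this summary, not code from Microsoft or the original blog post: it refangs the two listed domains, unwraps a Safe Links URL by reading its `url` query parameter (the real wrapper format, `*.safelinks.protection.outlook.com/?url=...`), and scans constructed sample log lines. The log line layout (`timestamp user url`) and all user names and timestamps are assumptions for the demonstration.

```python
import re
from urllib.parse import urlparse, parse_qs

# IoC domains exactly as the page lists them (defanged with "[.]").
DEFANGED_IOCS = ["civilstructgeo[.]org", "aerofluidthermo[.]org"]


def refang(domain: str) -> str:
    """Turn a defanged indicator back into a matchable hostname."""
    return domain.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS}

# Safe Links rewrites outbound links to <region>.safelinks.protection.outlook.com
# and carries the original destination in the `url` query parameter.
SAFELINKS_HOST = re.compile(r"safelinks\.protection\.outlook\.com$")


def unwrap_safelinks(url: str) -> str:
    """Return the original destination if `url` is a Safe Links wrapper, else `url`."""
    parsed = urlparse(url)
    if SAFELINKS_HOST.search(parsed.netloc.lower()):
        inner = parse_qs(parsed.query).get("url")
        if inner:
            return inner[0]  # parse_qs already percent-decodes the value
    return url


def final_host(url: str) -> str:
    """Hostname of a URL, lower-cased, without a trailing dot."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def matches_ioc(host: str) -> bool:
    """True for an IoC domain or any subdomain of it; lookalikes do not match."""
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def scan_log(lines):
    """Return (timestamp, user, matched_host) for each line whose URL resolves to an IoC."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; skip rather than crash the sweep
        ts, user, url = parts[0], parts[1], parts[2]
        host = final_host(unwrap_safelinks(url))
        if matches_ioc(host):
            hits.append((ts, user, host))
    return hits


# Constructed sample proxy log lines (not real telemetry): one benign hit,
# one Safe Links-wrapped IoC, one IoC subdomain, and one lookalike domain.
SAMPLE_LOG = [
    "2025-01-16T10:01:00Z alice https://www.example.com/",
    "2025-01-16T10:02:30Z bob https://nam02.safelinks.protection.outlook.com/"
    "?url=https%3A%2F%2Fcivilstructgeo.org%2Fjoin&data=05%7C02",
    "2025-01-16T10:03:10Z carol http://mail.aerofluidthermo.org/x",
    "2025-01-16T10:04:00Z dave https://notcivilstructgeo.org/",
]

if __name__ == "__main__":
    for ts, user, host in scan_log(SAMPLE_LOG):
        print(f"{ts} {user} -> IoC hit: {host}")
```

Two caveats for real use: the campaign's follow-up message used a shortened URL, so a link that still points at a shortener must be resolved out of band before this host comparison means anything, and the match is exact-domain or subdomain only, so the lookalike `notcivilstructgeo.org` in the sample is deliberately not flagged.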


Full Research: https://www.microsoft.com/en-us/security/blog/2025/01/16/new-star-blizzard-spear-phishing-campaign-targets-whatsapp-accounts/