Russian threat group spreading backdoor through phishing, says Google

A Russian-based espionage group known for stealing login credentials of government and military officials is also trying to trick victims into downloading malware.

Google’s Threat Analysis Group (TAG) says the attackers, known to researchers as ColdRiver, UNC4057, Star Blizzard or Callisto, has added to its arsenal by adding poisoned PDF attachments in phishing messages that lead to the installation of a backdoor.

It’s a warning to ColdRiver’s usual targets, which include high profile individuals in non-governmental organizations like think tanks, universities, former intelligence and military officers, NATO governments, and Ukraine.

ColdRiver often creates an online persona pretending to be an expert in a particular field or somehow affiliated with the target, Google says. The impersonation account is then used to establish a rapport with the target, increasing the likelihood of the phishing campaign’s success. Eventually the gang sends a phishing link or document containing a link.

“As far back as November 2022, TAG has observed ColdRiver sending targets benign PDF documents from impersonation accounts,” TAG said in a report today. “ColdRiver presents these documents as a new op-ed or other type of article that the impersonation account is looking to publish, asking for feedback from the target. When the user opens the benign PDF, the text appears encrypted. If the target responds that they cannot read the encrypted document, the ColdRiver impersonation account responds with a link, usually hosted on a cloud storage site, to a ‘decryption’ utility for the target to use. This decryption utility, while also displaying a decoy document, is in fact a backdoor, tracked as SPICA, giving ColdRiver access to the victim’s machine.”

SPICA was detected as early as last September, but Google believes it was used almost a year before that. It’s the first custom malware that Google attributes as having been developed and used by ColdRiver.

Written in Rust, this backdoor uses JSON over websockets for command and control. It steals cookies from browsers, allows the uploading and downloading of files, and lists contents of file systems.

The backdoor establishes persistence via an obfuscated PowerShell command which creates a scheduled task named CalendarChecker.

Google’s report includes the latest indicators of compromise.

Last week, the Reuters news agency reported that ColdRiver targeted three nuclear research laboratories in the United States in 2023: the Brookhaven (BNL), Argonne (ANL) and Lawrence Livermore National Laboratories (LLNL), according to internet records. They showed the hackers creating fake login pages for each institution and emailing nuclear scientists in a bid to make them reveal their passwords, Reuters said.

Microsoft has been among the cybersecurity companies trying to disrupt this attacker, which it calls Star Blizzard. In December it reported that the group was trying to improve its detection evasion capabilities.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Related Tech News

Featured Tech Jobs


CDN in your inbox

CDN delivers a critical analysis of the competitive landscape detailing both the challenges and opportunities facing solution providers. CDN's email newsletter details the most important news and commentary from the channel.