>samit_hota
Back to adversary profiles
G1033HighActive

Star Blizzard: Russia's Persistent Cyber Espionage Engine

Samit Hota·
Suspected Origin
Russia
Motivation
Espionage, Information Operations, Political Influence
Aliases
SEABORGIUM, Callisto Group, TA446, COLDRIVER
Target Sectors
Academia, Defense, Government, NGO, Think Tanks, Journalism, Military, Energy
Associated Malware
Evilginx, Spica, Murena, Modishka, Scout, LostKeys, DarkSword Exploit Kit, GHOSTBLADE, MAYBEROBOT
#threat-actor#g1033

Overview

Star Blizzard, also tracked under aliases such as SEABORGIUM, Callisto Group, TA446, COLDRIVER, and BlueCharlie, is a sophisticated and persistent cyber espionage and influence group operating on behalf of the Russian state. Active since at least 2017, and with clear attribution to Russia’s Federal Security Service (FSB) Centre 18, this group’s operations are tightly aligned with Russian geopolitical interests. Their primary objective is intelligence collection, rather than financial gain, focusing on acquiring sensitive information like diplomatic communications, military plans, and policy discussions that can bolster Russia’s negotiating position and situational awareness on the global stage. Star Blizzard also engages in information operations, including hack-and-leak campaigns designed to manipulate narratives and influence political processes in targeted countries, as observed in attempts to interfere with UK politics.

The group’s targeting is broad but strategic, encompassing academic institutions, defense contractors, government entities, non-governmental organizations (NGOs), think tanks, politicians, military personnel, and journalists. Their focus is predominantly on NATO member countries, particularly the United States and the United Kingdom, but their activity extends to countries neighboring Russia, including the Baltics, Nordics, Eastern Europe, and Ukraine. In recent years, their scope has expanded to include defense-industrial targets, US Department of Energy facilities, and a notable emphasis on individuals and organizations providing support for Ukraine. They also show a keen interest in experts on Russian affairs and Russian citizens residing abroad.

Tactics & Techniques

Star Blizzard’s modus operandi revolves around highly sophisticated and tailored spear-phishing campaigns combined with advanced social engineering. Their initial phase involves extensive reconnaissance, leveraging open-source intelligence (OSINT), social media, and professional networking platforms to identify targets’ interests, contacts, and vulnerabilities. This allows them to craft highly convincing lures, often impersonating trusted contacts, respected experts, or organizations affiliated with the intended victim. They frequently establish fraudulent profiles on professional networking sites to aid this reconnaissance and rapport-building.

The attack chain typically begins with a spear-phishing email sent from impersonation accounts registered with common webmail providers like Outlook, Gmail, Yahoo, and Proton mail, or from malicious domains carefully crafted to resemble legitimate organizations. To further mask their origins and bypass email filters, they’ve been observed using email marketing platforms such as HubSpot and MailerLite. These emails often contain malicious links embedded directly, or within documents (including password-protected PDFs) hosted on legitimate file-sharing platforms like OneDrive and Google Drive. Once a target clicks, they are directed to actor-controlled servers hosting phishing frameworks, most notably the open-source Evilginx. Evilginx is crucial for their operations as it enables the theft of session cookies, allowing them to bypass multi-factor authentication (MFA) and gain unauthorized access to email accounts.

Upon successful compromise, Star Blizzard operators move swiftly to exfiltrate emails and attachments. They are known to establish email forwarding rules from victim inboxes to maintain persistent visibility into correspondence, even after credentials might be reset. This access is then leveraged for further reconnaissance, accessing mailing lists and contact data for follow-on targeting, and even using compromised accounts for subsequent spear-phishing activities. The group demonstrates adaptability in evasion, utilizing DNS providers as reverse proxies, incorporating server-side JavaScript, employing more randomized Domain Generation Algorithms (DGAs), and frequently shifting between registrars and using various link-shortening services or legitimate open redirectors to obscure their infrastructure. They’ve also shown sophistication by implementing server-side filtering to deliver specific exploits only to particular target environments, such as iPhone users. In a notable shift, they began targeting WhatsApp accounts using malicious QR codes embedded in phishing lures to link victims’ devices to adversary-controlled WhatsApp Web instances for message exfiltration.

Notable Campaigns

Star Blizzard has maintained a consistent operational tempo, adapting its campaigns in response to defensive efforts and evolving geopolitical priorities. While MITRE notes their activity from at least 2019, Microsoft has tracked the group since 2017. In 2019, the group was linked to the leak of US-UK trade documents on Reddit, attributed to a Russian-linked information campaign. By 2021, Microsoft observed an information operation involving documents allegedly stolen from a UK political organization, publicly uploaded and amplified on social media, showcasing their “hack-and-leak” capabilities.

During 2022, the group significantly expanded its targeting to include defense-industrial facilities and US Department of Energy entities, alongside their usual targets. A major disruption occurred in August 2022 when Microsoft, in collaboration with Google and Proofpoint, disrupted SEABORGIUM’s phishing infrastructure. However, Star Blizzard proved resilient, quickly adapting to new infrastructure and tactics.

December 2023 saw a joint advisory from the Five Eyes intelligence alliance and other partners, which publicly linked Star Blizzard to Russia’s FSB Centre 18 and detailed their ongoing worldwide spear-phishing campaigns. Concurrently, the US Department of Justice unsealed an indictment against two FSB Centre 18 officers for their roles in Star Blizzard’s activities, and sanctions were imposed.

Between January 2023 and August 2024, Star Blizzard targeted over 30 civil society organizations, including journalists, think tanks, and NGOs, with spear-phishing campaigns aimed at exfiltrating sensitive information and interfering with their operations. Another significant disruption occurred in October 2024, when Microsoft and the US Department of Justice seized over 100 domains used by Star Blizzard for their spear-phishing infrastructure.

Following this disruption, in mid-November 2024, Star Blizzard swiftly adapted by launching a novel spear-phishing campaign that leveraged WhatsApp, enticing targets with fake group invitations and using malicious QR codes to compromise accounts for message exfiltration. More recently, in May and June 2025, Sekoia reported new incidents, including against Reporters Without Borders, demonstrating their refined credential-harvesting techniques. Google also warned of campaigns between January and April 2025 where Star Blizzard delivered new LostKeys malware using the ClickFix technique, targeting Western government/military advisors, journalists, think tanks, NGOs, and individuals connected to Ukraine. As late as March 2026, the group (TA446) was observed using the DarkSword iOS exploit kit to target iPhone users via fake Atlantic Council invitations, delivering the GHOSTBLADE dataminer.

Associated Malware & Tools

Star Blizzard predominantly relies on open-source tools and custom malware tailored for credential harvesting and information exfiltration:

  • Evilginx: This open-source phishing framework is a cornerstone of their operations, enabling them to capture credentials and session cookies, crucially bypassing multi-factor authentication.
  • Spica: Identified by MITRE, Spica is a tool used for archiving collected data, file and directory discovery, and stealing web session cookies, often leveraging PowerShell for execution.
  • Murena and Modishka: These are other phishing frameworks observed in their campaigns, indicating a diverse toolkit for credential theft.
  • Scout implant from Galileo: In earlier campaigns (prior to 2019/2022), Star Blizzard was linked to the Scout implant, a spyware developed by the infamous HackingTeam, used for machine information and screen captures.
  • LostKeys: This is a newer, custom information stealer malware delivered via the “ClickFix” technique, observed in campaigns between January and April 2025, capable of stealing documents from infected systems.
  • DarkSword Exploit Kit: In March 2026, Star Blizzard (TA446) was observed leveraging this iOS exploit kit for remote code execution (RCE) on iPhones, primarily for credential harvesting and intelligence collection from Apple devices and iCloud accounts.
  • GHOSTBLADE: A dataminer malware delivered as part of the DarkSword exploit kit chain.
  • MAYBEROBOT: An earlier backdoor used by TA446, delivered via password-protected ZIP files in campaigns preceding the adoption of DarkSword.

Current Status

Star Blizzard remains an exceptionally active and adaptive threat actor. Despite repeated disruptions of their infrastructure by global cybersecurity agencies and tech companies, they consistently demonstrate a capacity for rapid evolution of their tactics, techniques, and procedures (TTPs). They quickly pivot to new domains, infrastructure, and attack vectors in response to exposure, as seen in their shift to WhatsApp-based phishing and the adoption of iOS exploits following domain seizures. This resilience underscores their high threat level and strong backing by the Russian state. As of mid-2026, Star Blizzard continues to be a persistent and pervasive espionage group, posing a significant and ongoing threat to governments, critical infrastructure, and civil society organizations aligned with NATO and Western interests.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call