Microsoft Threat Intelligence has uncovered a new spear-phishing campaign orchestrated by the Russian threat actor known as Star Blizzard. This campaign marks the first time the group has targeted WhatsApp accounts, signaling a significant evolution in its tactics, techniques, and procedures (TTPs).
Traditionally, Star Blizzard has focused on phishing campaigns targeting civil society organizations, government officials, and researchers, often impersonating political or diplomatic figures. However, in November 2024, the group began exploiting WhatsApp’s account-linking feature to access sensitive messages. Microsoft reported, “This is the first time we have identified a shift in Star Blizzard’s longstanding tactics, techniques, and procedures (TTPs) to leverage a new access vector.”
The campaign begins with an email impersonating a U.S. government official. The initial message contains a QR code, purportedly inviting users to join a WhatsApp group discussing “the latest non-governmental initiatives aimed at supporting Ukraine NGOs.” However, this QR code is intentionally broken to prompt recipients to reply.
In the follow-up email, Star Blizzard includes a shortened malicious link that redirects users to a fake WhatsApp group page. When the target scans the QR code on that page, it links their WhatsApp account to the threat actor’s device, granting the threat actor access to the victim’s messages. Using browser plugins designed for exporting WhatsApp data, Star Blizzard then exfiltrates sensitive information from the compromised accounts.
Microsoft believes this pivot to WhatsApp was influenced by the exposure of Star Blizzard’s previous phishing infrastructure. “After this threat actor’s active infrastructure was exposed, they swiftly transitioned to new domains… indicating that the threat actor is highly resilient to operational disruptions,” the report states.
The campaign appears to have been limited in scale and seemingly concluded by the end of November.