Saturday, January 18, 2025

Russia’s Star Blizzard Shifts Tactics to WhatsApp for Spear-Phishing Campaign

Microsoft has raised the alarm about Star Blizzard, a Russian state-backed hacking group (also tracked as Callisto and ColdRiver) that has shifted tactics. After a takedown of nearly 70 domains connected to the group, Star Blizzard has turned to WhatsApp for its spear-phishing efforts. Microsoft's Digital Crimes Unit has been actively pursuing the group, with more than 180 websites taken down since October 2024. That disrupted its operations, but Star Blizzard quickly adapted.

In mid-November 2024, Star Blizzard again targeted individuals, this time with emails disguised as invitations to join a WhatsApp group focused on NGO work supporting Ukraine. The sender impersonated a senior U.S. government official, and the message carried a QR code that supposedly led to the group. The catch: that QR code was deliberately broken. A target who replied to report the problem received a second email with a link to a web page displaying another QR code. This second code was not a group invitation at all. It was the kind of code WhatsApp uses to link an account to a new device or to WhatsApp Web, so scanning it enrolled the attackers' browser as a linked device on the victim's account and gave them access to the account's messages.

With that device linked, the operators could read the victim's messages and export them in bulk using existing browser plugins built for exporting chats from WhatsApp Web. Microsoft noted that the campaign was short-lived, ending by late November 2024, yet it is a clear sign of Star Blizzard's determination to adapt and evade detection.
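The decisive difference in the campaign above is what the second QR code encodes: a genuine WhatsApp group invitation decodes to an https link on chat.whatsapp.com, while a device-linking code is opaque token data rather than a link. The following classifier, an added example and not code from Microsoft's report or from WhatsApp, triages QR payloads that have already been decoded to text (for instance with an offline QR reader) before anyone points the WhatsApp app at them. The invite-code pattern, the category names and the sample payloads are this example's own assumptions, constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# A real WhatsApp group invite is an https URL on exactly this host with a
# single opaque path segment. The code-length range is an assumption for
# this example, not a documented WhatsApp format.
INVITE_HOST = "chat.whatsapp.com"
INVITE_PATH = re.compile(r"^/[A-Za-z0-9_-]{16,32}$")


def classify_qr_payload(payload: str) -> str:
    """Classify the text decoded from a QR code before scanning it in WhatsApp.

    Returns one of:
      "group-invite"            well-formed https://chat.whatsapp.com/<code>
      "suspicious-whatsapp-url" host mentions WhatsApp but is not a valid invite
                                (lookalike domain, wrong scheme, odd path)
      "other-url"               any other link, e.g. an intermediate landing page
      "not-a-link"              not a URL at all; a device-linking QR falls here,
                                so this is the case to refuse outright
    Only "group-invite" should ever be scanned with the WhatsApp app.
    """
    text = payload.strip()
    parts = urlsplit(text)
    if parts.scheme in ("http", "https") and parts.netloc:
        host = parts.hostname or ""  # normalised to lowercase by urlsplit
        well_formed = (
            parts.scheme == "https"
            and host == INVITE_HOST
            and INVITE_PATH.match(parts.path) is not None
            and not parts.query
        )
        if well_formed:
            return "group-invite"
        if "whatsapp" in host:
            return "suspicious-whatsapp-url"
        return "other-url"
    return "not-a-link"


def triage(payloads: dict[str, str]) -> dict[str, str]:
    """Classify a batch of labelled payloads; returns label -> verdict."""
    return {label: classify_qr_payload(p) for label, p in payloads.items()}


# Constructed sample payloads (not real campaign artifacts).
SAMPLE_PAYLOADS = {
    "legit-invite": "https://chat.whatsapp.com/AbCdEf0123456789XyZw",
    "lookalike-host": "https://chat.whatsapp.com.join-group.example/AbCdEf0123456789XyZw",
    "landing-page": "https://example.net/join?group=ngo-ukraine",
    "device-link-style": "1@AbCdEfGhIjKl,QWERTYqwerty1234567890abc=,ZXCVBNzxcvbn0987654321xyz=",
}

if __name__ == "__main__":
    for label, verdict in triage(SAMPLE_PAYLOADS).items():
        print(f"{label:18} -> {verdict}")
```

Anything other than "group-invite" is a reason to stop and verify the invitation through a second channel; the device-linking payload in particular never looks like a link, which is exactly why the campaign relied on victims scanning it blind from inside the app.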

MSTIC warns anyone in the sectors Star Blizzard frequently targets, such as government, defense and international relations, to be cautious with unexpected emails, even ones that appear to come from trusted contacts. Anyone who may have scanned such a code should open WhatsApp's Linked Devices screen and log out any session they do not recognise. Ordinary users need not worry too much; the group mainly sets its sights on high-profile individuals.

Star Blizzard has previously been linked to the compromise of high-ranking officials' accounts, including a former head of MI6, and to attempts to shape narratives around COVID-19 and its origins. Its persistence and readiness to pivot tactics underline the ongoing threat it poses.