Analysis Summary
# Threat Actor: COLDRIVER
## Attribution & Identity
**Attribution:** Threat group aligned with the interests of the Russian government.
**Aliases:** UNC4057, Star Blizzard, Callisto.
**Known Associations:** CISA and Microsoft security reports have also analyzed this group's activities; TAG has been tracking them for years.
## Activity Summary
COLDRIVER is a persistent threat group primarily known for espionage operations related to the Russian government's interests. Their activity has historically focused on credential phishing but is evolving. Recently, they have expanded their TTPs to include malware delivery, using sophisticated lure techniques involving "encrypted" PDF documents. In observed campaigns, COLDRIVER uses impersonation accounts to build trust with targets before sending the lure. If the target opens the initial benign PDF, which displays encrypted text, the threat actor responds with a link to a supposed "decryption utility" hosted on cloud storage. This utility is actually the SPICA backdoor. This evolution moves beyond simple credential theft to full system compromise.
## Tactics, Techniques & Procedures
- **Spearphishing/Impersonation:** Utilizing impersonation accounts pretending to be experts or affiliated with the target to establish rapport.
- **Credential Phishing:** Historically a central activity.
- **Lure Documents:** Using benign PDF documents presented as articles or op-eds seeking feedback.
- **Encrypted Lure:** Displaying encrypted text within the initial PDF to prompt the target to seek a "decryption" tool.
- **Malware Delivery via Cloud Storage:** Delivering the backdoor executable (e.g., "Proton-decrypter.exe") via links hosted on cloud storage sites.
- **Backdoor Installation:** Deploying the SPICA backdoor.
- **Persistence:** Establishing persistence via an obfuscated PowerShell command that creates a scheduled task named `CalendarChecker`.
- **Remote Access/Control:** Using SPICA for command and control via JSON over websockets.
- **Data Exfiltration:** Stealing browser cookies (Chrome, Firefox, Opera, Edge) and enumerating/exfiltrating documents in an archive.
**MITRE ATT&CK IDs:** Not explicitly listed in the source report; the described activities map to T1566 (Phishing), T1059.001 (PowerShell), and T1204.002 (Malicious File).
## Targeting
**Sectors:** NGOs, academic institutions, former intelligence officials, former military officials.
**Geography:** Ukraine and NATO countries.
**Victims:** High-profile individuals within the aforementioned sectors and governments. Specific organizations were not named.
## Tools & Infrastructure
**Malware Families Used:**
- **SPICA:** A custom backdoor written in Rust.
- **Scout Implant:** Previously observed in use by the group; the implant was leaked during the Hacking Team incident in 2015.
**Infrastructure:**
- **C2 Address:** `45.133.216[.]15:3000` (using websockets for C2 communication).
- **Delivery Mechanism:** Cloud storage sites for hosting the decryption utility/backdoor.
- **IoCs (Hashes):**
  - SPICA Backdoor Hash (SHA256): `37c52481711631a5c73a6341bd8bea302ad57f02199db7624b580058547fb5a9`
  - Lure Document Hashes (SHA256): Several noted, including those observed as early as Nov 2022.
## Implications
COLDRIVER has crossed a significant capability threshold by integrating custom malware (SPICA) into their established social engineering workflow. This shift from pure credential harvesting to full system compromise via a sophisticated, Rust-based backdoor demonstrates increased operational sophistication and a greater intent for dedicated espionage against high-value Western and Ukrainian targets.
## Mitigations
- **Enhanced Credential Protection:** Enable Enhanced Safe Browsing for Chrome and ensure all devices are updated.
- **Security Awareness Training:** Train personnel, especially high-profile individuals, to recognize advanced social engineering tactics disguised as professional correspondence (e.g., requests for document review).
- **File Execution Sandboxing/Scanning:** Thoroughly vet and scan executable files downloaded from external links, even when presented as "decryption utilities."
- **Monitor for Persistence Mechanisms:** Hunt for scheduled tasks named `CalendarChecker` or obfuscated PowerShell commands used to establish persistence.
- **Network Monitoring:** Monitor for outbound JSON/WebSocket traffic to known malicious IPs, such as `45.133.216[.]15:3000`.
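The persistence and C2 behaviours listed under Tactics, Techniques & Procedures and the two hunting items above (the `CalendarChecker` scheduled task, obfuscated PowerShell, and outbound traffic to `45.133.216[.]15:3000`) can be turned into a small detection pass. The script below is an added example written for this summary, not code from the TAG report; the Windows event records and flow records it runs over are constructed samples with simplified field names (Security event 4698 for scheduled task creation and 4688 for process creation, plus generic `dst_ip`/`dst_port` flow records), and the encoded PowerShell sample only names the task and performs no action.

```python
"""Hunt constructed Windows event and flow records for the COLDRIVER/SPICA
indicators in the summary: a CalendarChecker scheduled task, encoded
PowerShell that references it, and flows to the reported C2 host:port.
Example detection logic, not the report's own tooling."""
from __future__ import annotations

import base64
import binascii
import re

# Indicators taken from the report summary.
TASK_NAME = "CalendarChecker"
C2_INDICATOR = "45.133.216[.]15:3000"  # defanged, as written in the report

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_PS_RE = re.compile(
    r"(?:^|\s)[-/](?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})",
    re.IGNORECASE,
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 45.133.216[.]15 back into a real address."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def split_host_port(indicator: str) -> tuple[str, int]:
    """Split a (possibly defanged) host:port indicator into its parts."""
    host, port = refang(indicator).rsplit(":", 1)
    return host, int(port)


def decode_encoded_powershell(cmdline: str) -> str | None:
    """Return the decoded -EncodedCommand payload (PowerShell encodes UTF-16LE), or None."""
    m = ENCODED_PS_RE.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None  # looked like an encoded command but was not valid base64/UTF-16


def match_task_creation(event: dict) -> bool:
    """Security event 4698 (scheduled task created) naming the CalendarChecker task."""
    task = event.get("TaskName", "")
    return event.get("EventID") == 4698 and TASK_NAME.lower() in task.lower()


def match_encoded_powershell(event: dict) -> str | None:
    """Process-creation record whose decoded PowerShell payload mentions the task name."""
    decoded = decode_encoded_powershell(event.get("CommandLine", ""))
    if decoded and TASK_NAME.lower() in decoded.lower():
        return decoded
    return None


def match_c2_flow(flow: dict) -> bool:
    """Outbound flow to the SPICA C2 host:port given in the report."""
    host, port = split_host_port(C2_INDICATOR)
    return flow.get("dst_ip") == host and flow.get("dst_port") == port


def hunt(events: list[dict], flows: list[dict]) -> list[dict]:
    """Run every rule over the records and return one finding per match."""
    findings: list[dict] = []
    for ev in events:
        if match_task_creation(ev):
            findings.append({"rule": "scheduled_task_calendarchecker", "record": ev})
        decoded = match_encoded_powershell(ev)
        if decoded:
            findings.append({"rule": "encoded_powershell_task", "record": ev, "decoded": decoded})
    for fl in flows:
        if match_c2_flow(fl):
            findings.append({"rule": "spica_c2_flow", "record": fl})
    return findings


# Constructed samples. The encoded script only names the task; it creates nothing.
_SAMPLE_SCRIPT = "Register-ScheduledTask -TaskName CalendarChecker"
_SAMPLE_ENCODED = base64.b64encode(_SAMPLE_SCRIPT.encode("utf-16le")).decode()

SAMPLE_EVENTS = [
    {"EventID": 4698, "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},  # benign
    {"EventID": 4698, "TaskName": "\\CalendarChecker"},
    {"EventID": 4688, "CommandLine": f"powershell.exe -w hidden -nop -enc {_SAMPLE_ENCODED}"},
    {"EventID": 4688, "CommandLine": "powershell.exe -enc AAAAAAAAAAAAAAAAA"},  # malformed base64
]
SAMPLE_FLOWS = [
    {"dst_ip": "203.0.113.5", "dst_port": 443},  # benign (documentation range)
    {"dst_ip": refang("45.133.216[.]15"), "dst_port": 3000},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS, SAMPLE_FLOWS):
        print(finding["rule"], finding.get("decoded", ""))
```

Decoding the `-EncodedCommand` payload before matching matters because the task name never appears in the raw command line of an obfuscated launcher; the decoder also has to tolerate malformed blobs so a single bad record does not abort the hunt. In production the same three rules would sit on top of Security/Sysmon process-creation events with command-line auditing enabled and on firewall or proxy flow logs, and the C2 rule should be extended with the additional indicators from the full report rather than this single address.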