active threat profile
type: Nation-State
threat_level: High
status: Active
origin: Russia — FSB Centre 18
mitre: G1033
last_updated: 2026-03-27

Star Blizzard / SEABORGIUM

also known as: COLDRIVER, Callisto Group, TA446, BlueCharlie, TAG-53, Gossamer Bear, UNC4057; mitre: G1033

The FSB's credential-theft and influence intelligence unit — dedicated to systematically compromising the personal email accounts of NATO government officials, defense contractors, journalists, NGOs, and think tanks. The group's approach is unusually patient: operators invest extended time building rapport with targets on topics of genuine interest before ever deploying a phishing link, often corresponding for weeks or months under false identities. Since 2019, Star Blizzard has targeted academia, defense, government, NGOs, think tanks, and politicians in the UK, US, and NATO-aligned countries. From 2024 onward the group has expanded beyond credential phishing to deploy custom malware — SPICA, then LostKeys — selectively against the highest-value targets, marking a meaningful evolution in capability beyond email account access.

attributed origin: Russia — FSB Centre 18 (operational unit)
mitre group id: G1033 (Star Blizzard)
active since: At least 2017 (confirmed 2019+)
primary motivation: Intelligence collection + hack-and-leak influence operations
defining characteristic: Patient rapport-building before phishing — weeks to months of contact
Primary: UK, US, NATO governments, think tanks, NGOs, academia
sanctions: 2 members indicted (Dec 2023), UK/US sanctions; $10M reward
domain seizure: 107 domains seized by DOJ + Microsoft (October 2024)
current status: ACTIVE — LostKeys campaigns documented April 2025

Overview

Star Blizzard is an operational unit within FSB Centre 18 — Russia's domestic intelligence service — conducting targeted credential theft and influence operations against individuals and organizations of interest to Russian state intelligence. Unlike conventional APT groups that pursue network penetration and data exfiltration from organizational systems, Star Blizzard focuses almost exclusively on compromising the personal email accounts of high-value individuals: government officials, policy advisors, defense researchers, journalists, NGO workers, and academics whose private communications are intelligence targets.

The group's defining operational characteristic is patience. Where many credential phishing actors send unsolicited malicious links to high volumes of targets, Star Blizzard invests significant time in reconnaissance and social engineering before any phishing attempt is made. Operators create convincing false identities — including fabricated social media profiles and fake email accounts impersonating known contacts and domain experts — and establish benign contact with targets on topics of genuine professional interest. After building trust over extended correspondence, sometimes lasting weeks or months, the operator deploys a phishing link framed as a document or resource of interest. The CISA December 2023 advisory explicitly noted this pattern: "There is often some correspondence between attacker and target, sometimes over an extended period, as the attacker builds rapport."

Star Blizzard predominantly sends phishing emails to targets' personal email addresses rather than corporate accounts — a deliberate choice that circumvents corporate email security controls, endpoint monitoring, and security awareness training that organizations apply to business email. The stolen credentials are then used to access and exfiltrate the victim's email account content: private communications, contacts, and documents that often contain sensitive information not present in organizational systems.

The group uses EvilGinx — an open-source adversary-in-the-middle framework — to bypass multi-factor authentication by intercepting both credentials and session cookies simultaneously, rather than just stealing passwords. This MFA bypass means that enabling MFA on personal email accounts does not fully protect against Star Blizzard's credential theft methodology.

From 2024 onward, the group has expanded beyond credential phishing to deploy custom malware against select high-value targets. SPICA (documented in 2024) provided document access on target systems — going beyond email to access files stored locally. LostKeys (documented by Google GTIG in January–April 2025) extends this further: a multi-stage malware delivered via ClickFix social engineering that steals files with specific extensions, harvests system information, and enumerates running processes. Both SPICA and LostKeys are deployed selectively, reserved for targets where email account access alone is insufficient for the intelligence requirement. The group was also documented targeting WhatsApp accounts in January 2025, extending the social engineering model beyond email to messaging platforms.

Two Star Blizzard operators — Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets (alias Alexey Doguzhiev) — were indicted by US federal prosecutors in December 2023. UK and US sanctions were applied against both individuals, and the US offered a $10 million reward for information on their location. In October 2024, Microsoft's Digital Crimes Unit and the US Department of Justice coordinated the seizure of 107 domains used by the group for credential phishing infrastructure — 66 seized via Microsoft civil litigation with NGO-ISAC, 41 simultaneously seized by DOJ. The group adapted and continued operations after the seizure.

Target Profile

Star Blizzard's targeting is laser-focused on individuals rather than organizations. The goal is access to private communications, not network penetration — and the individuals targeted are selected based on their access to information of intelligence value to the FSB.

  • Government Officials — UK, US, NATO: Current and former government officials with access to defense, foreign policy, and security information. The December 2023 indictment documented targeting of current and former Defense and State Department employees. Former US intelligence officials appeared in targets identified in the October 2024 domain seizure affidavit. The UK government characterized the group's activity as designed to undermine UK organizations and the UK government, with unauthorized access and exfiltration of sensitive data.
  • Defense Industrial Base and Department of Energy: During 2022, Star Blizzard expanded to include defense-industrial targets and US Department of Energy facilities — individuals with access to defense procurement, technology, research and development, and nuclear energy information. The DOJ affidavit unsealed in October 2024 noted that access was obtained to information related to nuclear energy technology, research, and development.
  • Think Tanks and Policy Organizations: Policy researchers, analysts, and fellows at think tanks with expertise in Russia, Ukraine, NATO, defense, and international security — organizations whose research informs government policy. These targets possess detailed private knowledge of policy debates, government positions, and confidential discussions that does not appear in published work.
  • Journalists and Media: Journalists covering Russia, Ukraine, and national security topics. The intelligence objective is not only to access sources and unpublished reporting but also to identify journalists' networks of contacts and confidential sources. Exfiltrated journalist communications have been used in Russian-linked hack-and-leak influence operations.
  • NGOs and Civil Society: Organizations supporting democratic institutions, press freedom, human rights in Russia and neighboring states, and organizations providing support to Ukraine. The US Treasury designated the FSB's hack-and-leak operations against NGOs as part of a broader effort to shape narratives and advance Russian strategic interests.
  • Academia: Researchers studying Russia, post-Soviet states, Eastern European security, and adjacent fields. Academic researchers' private communications often contain frank assessments, unpublished findings, and contact networks of significant intelligence value.
  • Ukraine-Linked Individuals (expanded 2024–2025): Individuals connected to Ukraine — advisors, defense officials, NGO workers — appear specifically in the LostKeys malware campaign targeting from January 2025, reflecting the group's expanded focus on the Ukraine conflict intelligence dimension.

Tactics, Techniques & Procedures

Star Blizzard's TTP set is built around social engineering sophistication rather than technical exploit complexity. The group's operational model prioritizes human manipulation over vulnerability exploitation.

mitre id (technique): description

  • T1591 / T1593 (Reconnaissance — Target Research Phase): Extensive pre-attack reconnaissance is conducted before any contact is initiated. Operators research targets' professional interests, publication history, conference attendance, institutional affiliations, and known contacts. This research informs the creation of convincing false identities and establishes the topic basis for initial benign contact. Fabricated social media profiles are created to support the false identity and provide apparent legitimacy. The group may create fake expert profiles on LinkedIn and other platforms that appear to be active researchers in the target's field, building apparent credibility before outreach.
  • T1534 (Internal Spearphishing — Impersonating Known Contacts): Star Blizzard impersonates known contacts of the target — colleagues, co-authors, conference organizers, or experts in the target's network — rather than approaching as an unknown party. This impersonation uses fabricated email accounts that closely resemble the contact's actual address, or in some cases uses compromised email accounts of actual known contacts to send phishing from an address the target genuinely recognizes. The Five Eyes advisory specifically highlighted the group's "pattern of impersonating known contacts' email accounts to appear trustworthy."
  • T1566.002 (Spearphishing — Rapport-Building + Link Delivery): Initial contact is established on a topic of genuine professional interest to the target — a research paper, policy event, conference, or shared subject area — with benign communication that establishes a correspondence relationship. After rapport is built over days, weeks, or months, the operator sends what appears to be a link to a document or resource of genuine interest. The link leads to a phishing page that captures the target's email credentials and session cookies. The attacker may send follow-up messages if the initial link is not clicked, expressing concern about whether the document was received.
  • T1539 (Credential Theft + MFA Bypass — EvilGinx): EvilGinx is deployed as an adversary-in-the-middle proxy that intercepts both email credentials and authenticated session cookies simultaneously when the target authenticates to what they believe is a legitimate login page. This approach bypasses multi-factor authentication because the attacker captures the post-MFA session cookie — which authenticates the session without requiring the MFA factor again — rather than just the password. The attacker can replay the session cookie to access the target's email account even if MFA is enabled on the account.
  • T1114.002 (Email Collection — Remote Email Access): After obtaining credentials and session cookies, operators access the target's email account remotely — typically Gmail or Microsoft personal accounts — and systematically exfiltrate the inbox, sent items, and contacts. Private communications, documents shared via email, contact lists, and calendar data are extracted. The exfiltrated content may subsequently be used in FSB intelligence reporting or, in some cases, selectively published as part of hack-and-leak influence operations designed to shape narratives in targeted countries.
  • T1566 / T1059 (ClickFix — LostKeys Malware Delivery, 2025): The LostKeys delivery chain begins with a lure website presenting a fake CAPTCHA. When the victim completes the fake CAPTCHA verification, JavaScript on the page automatically copies a malicious PowerShell command to the clipboard. The page instructs the victim to verify they are human by opening the Windows Run prompt and pasting the command — a social engineering technique called ClickFix that requires user action to execute the payload, bypassing automated browser and email sandbox defenses. The first-stage PowerShell fetches a second stage from C2 (165.227.148[.]68 in documented cases). The second stage performs anti-VM checks (display resolution hash) before fetching the final LostKeys VBScript payload, which exfiltrates files with specific extensions, captures system information, and enumerates running processes.
  • T1041 (SPICA and LostKeys — Selective Document Theft): SPICA (documented 2024) and LostKeys (2025) are deployed only against select high-value targets for whom email account access alone does not satisfy the intelligence requirement. LostKeys steals files from a hard-coded list of extensions and directories, sends system information and a running process list to the attacker, and communicates with C2 through a chain keyed to a per-victim unique identifier. LostKeys samples use per-infection unique identifiers and encryption keys, meaning each deployment is individually customized — further confirming the selective, high-value targeting model.

MFA does not fully protect against this group

Star Blizzard's use of EvilGinx as an adversary-in-the-middle proxy means that enabling multi-factor authentication on a personal email account does not provide complete protection against this group's credential theft. EvilGinx intercepts authenticated session cookies after the MFA step is completed — the attacker captures the session state that proves the user already completed MFA, and replays it to access the account. Defense against this technique requires hardware security keys (FIDO2/WebAuthn) configured as the MFA factor: hardware key authentication is bound to the originating domain and cannot be intercepted by a proxy in the way that TOTP codes and SMS codes can. Individuals in Star Blizzard's target categories should replace software-based MFA with hardware key authentication on their personal email accounts.
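The origin binding this callout relies on can be shown in code. The following is an added example, not code from the profile or from any of the vendors it cites: it simulates the checks a WebAuthn relying party performs on an assertion (the origin recorded in clientDataJSON, the rpIdHash in authenticatorData, and only then the signature over both) and shows why an adversary-in-the-middle proxy on a lookalike domain fails each of them. The relying-party id mail.example, the origins, the assumed phishing domain, and the use of an HMAC secret in place of the authenticator's asymmetric key pair are assumptions made to keep the example self-contained; the check ordering follows the WebAuthn specification.

```python
import hashlib
import hmac
import json
import os
from urllib.parse import urlparse

# Assumed relying-party registration for this example. The per-credential HMAC
# secret stands in for the authenticator's private key; real WebAuthn uses an
# asymmetric key pair, but the binding logic demonstrated here is the same.
RP_ID = "mail.example"
EXPECTED_ORIGIN = "https://mail.example"
CREDENTIAL_KEY = os.urandom(32)


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


def authenticator_sign(origin: str, challenge: str) -> dict:
    """Simulate the browser + authenticator side of navigator.credentials.get().

    The browser, not the web page, writes the origin into clientDataJSON and
    scopes the credential to that origin's effective domain, so the
    authenticator only ever signs over the domain the user is actually on."""
    effective_domain = urlparse(origin).hostname
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        separators=(",", ":"),
    ).encode()
    flags = b"\x01"                      # user-present bit
    sign_count = (1).to_bytes(4, "big")
    auth_data = rp_id_hash(effective_domain) + flags + sign_count
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    return {"client_data": client_data, "auth_data": auth_data, "signature": signature}


def rp_verify(assertion: dict, expected_challenge: str) -> tuple[bool, str]:
    """Relying-party verification: origin and rpIdHash are checked before the
    signature is even considered, as the WebAuthn spec orders the steps."""
    client = json.loads(assertion["client_data"])
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay)"
    if client.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {client.get('origin')}"
    if assertion["auth_data"][:32] != rp_id_hash(RP_ID):
        return False, "rpIdHash mismatch: credential scoped to a different domain"
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected_sig = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def login_attempt(origin_seen_by_browser: str) -> tuple[bool, str]:
    """One full ceremony: the RP issues a challenge (relayed unchanged by any proxy),
    the browser at the given origin produces the assertion, the RP verifies it."""
    challenge = os.urandom(16).hex()
    assertion = authenticator_sign(origin_seen_by_browser, challenge)
    return rp_verify(assertion, challenge)


def proxied_with_rewrite(phishing_origin: str, challenge: str) -> tuple[bool, str]:
    """A relay that rewrites the assertion to claim the legitimate origin and
    rpIdHash: the signature covered the original bytes, so verification fails."""
    a = authenticator_sign(phishing_origin, challenge)
    a["client_data"] = a["client_data"].replace(phishing_origin.encode(), EXPECTED_ORIGIN.encode())
    a["auth_data"] = rp_id_hash(RP_ID) + a["auth_data"][32:]
    return rp_verify(a, challenge)


if __name__ == "__main__":
    print(login_attempt("https://mail.example"))
    print(login_attempt("https://mail-example.login-check.example"))
    print(proxied_with_rewrite("https://mail-example.login-check.example", "0123abcd"))
```

A TOTP or SMS code carries no such binding: the user types it into whatever page is in front of them and the proxy forwards it unchanged, which is exactly the EvilGinx flow. The hardware key's assertion fails at the origin check, fails at the rpIdHash check if the origin is rewritten, and fails at the signature check if both are rewritten.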

Known Campaigns

Star Blizzard has operated continuously since at least 2017, with major public disclosures and law enforcement actions concentrated from 2022 onward.

UK Government and Academia Targeting — NCSC First Advisory 2017–2022

Star Blizzard's operations were first publicly documented in a UK NCSC advisory covering targeting of UK government, academics, defense, and think tanks. The group's patient rapport-building methodology was described and the SEABORGIUM name first used publicly. Microsoft's August 2022 disruption action against the group's phishing infrastructure — using civil legal process to take down SEABORGIUM domains — was the first public legal action against the group's operations. The group adapted its infrastructure within days and continued operating.

Ukraine Support Targeting — Defense Industrial and DOE Expansion 2022

Following Russia's full-scale invasion of Ukraine in February 2022, Star Blizzard significantly expanded its targeting to include defense-industrial targets involved in logistics support to Ukraine and US Department of Energy facilities. The December 2023 Five Eyes advisory noted this expansion explicitly. Nuclear energy-related technology, research, and development data was accessed per the October 2024 DOJ affidavit. The targeting expansion reflects FSB collection requirements for intelligence on Western defense assistance to Ukraine and US energy infrastructure.

Five Eyes Advisory + US Indictments + UK Sanctions December 2023

On December 7, 2023, the Five Eyes intelligence alliance (Australia, Canada, New Zealand, UK, US) published a joint advisory formally attributing Star Blizzard to FSB Centre 18 and detailing the group's spearphishing TTPs including the EvilGinx MFA bypass technique. The same day, the US Department of Justice unsealed indictments against two named FSB officers: Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets (alias Alexey Doguzhiev). The UK government sanctioned both individuals. The US government offered a $10 million reward for information on their location. Recorded Future had separately identified 94 new Star Blizzard infrastructure domains in August 2023, many featuring keywords related to IT and cryptocurrency — consistent with the group's practice of registering domains that resemble legitimate organizations.

SPICA Malware — Select Target Document Theft 2024

Google's Threat Analysis Group documented SPICA — a custom backdoor deployed by COLDRIVER against select high-value targets in 2024. Unlike credential phishing which only captures email account access, SPICA provided access to documents stored on the target's device — extending intelligence collection beyond email inboxes to local file storage. The selective deployment model was explicitly noted: SPICA was reserved for targets where email access alone was insufficient. This marked the group's first publicly documented shift from pure credential theft toward endpoint malware deployment.

107 Domain Seizure — DOJ and Microsoft Action October 2024

Microsoft's Digital Crimes Unit filed suit with NGO-ISAC to seize 66 unique Star Blizzard domains used for spearphishing civil society organizations between January 2023 and August 2024. The DOJ simultaneously seized 41 additional domains. In total, 107 domains were seized — the largest single infrastructure disruption action against the group to date. The DOJ affidavit detailed targeting of former US intelligence officials, current and former Defense and State Department employees, US military defense contractors, and DOE staff. The group adapted infrastructure and continued operations after the seizure.

WhatsApp Account Targeting January 2025

Microsoft Threat Intelligence documented a Star Blizzard campaign targeting WhatsApp accounts of individuals in the group's standard target categories. This represented an expansion of the social engineering model from email to messaging platforms — consistent with the group's focus on wherever high-value individuals conduct sensitive communications, rather than limiting operations to email. The WhatsApp targeting approach mirrored the email model: attackers approached targets via social engineering before attempting to compromise the messaging account.

LostKeys — ClickFix Malware Campaign January–April 2025

Google GTIG documented LostKeys — a new custom malware — deployed in campaigns during January, March, and April 2025 against current and former advisors to Western governments and militaries, journalists, think tanks, NGOs, and individuals connected to Ukraine. The ClickFix delivery chain presents a fake CAPTCHA page that automatically copies a malicious PowerShell command to the clipboard and instructs the victim to execute it via Windows Run — bypassing automated sandboxing by requiring manual user action. LostKeys is delivered at the end of a three-stage chain: first-stage PowerShell fetches a second stage from C2, the second stage runs anti-VM display resolution checks, and the final stage is a Visual Basic Script file that steals files from targeted directories and extensions, collects system information, and enumerates running processes. Each infection chain uses unique identifiers and encryption keys, confirming selective high-value targeting. Google updated Safe Browsing to block identified domains and issued government-backed threat alerts to affected Gmail and Workspace users.
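As an added example (not part of the GTIG report or this profile), the following Python triage helper scores a captured web page against the ClickFix lure pattern just described: clipboard-write JavaScript, an instruction to open the Windows Run dialog and paste, a human-verification pretext, and a shell interpreter named in the page. The regexes, weights, and the two HTML samples are constructed for the example; the PowerShell command in the lure sample is an inert placeholder.

```python
import re
from dataclasses import dataclass, field

# Heuristics for the ClickFix lure described above. Each is an assumption of this
# example, not a published signature; weights are arbitrary but ordered by how
# specific the feature is to the technique.
CLIPBOARD_WRITE = re.compile(r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", re.I)
RUN_DIALOG = re.compile(r"\bwin(?:dows)?(?:\s*key)?\s*\+\s*r\b|run dialog|run prompt|run box", re.I)
PASTE_INSTRUCTION = re.compile(r"ctrl\s*\+\s*v|\bpaste\b", re.I)
VERIFY_PRETEXT = re.compile(r"verify (?:you are|you're) (?:a )?human|i(?:'m| am) not a robot|captcha", re.I)
SHELL_INTERPRETER = re.compile(r"powershell|\bcmd(?:\.exe)?\b|mshta|\bcurl\b", re.I)

CHECKS = [
    (CLIPBOARD_WRITE, 1, "script writes to clipboard"),
    (RUN_DIALOG, 2, "instructs user to open Windows Run"),
    (PASTE_INSTRUCTION, 1, "instructs user to paste"),
    (VERIFY_PRETEXT, 1, "human-verification pretext"),
    (SHELL_INTERPRETER, 2, "shell interpreter named in page"),
]


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def is_clickfix(self) -> bool:
        # A Run-dialog instruction is treated as decisive, matching the profile's
        # "unconditional indicator" guidance; otherwise require a high combined score.
        return "instructs user to open Windows Run" in self.reasons or self.score >= 5


def triage_page(html: str) -> Verdict:
    """Score raw HTML (scripts included) against the ClickFix lure features."""
    verdict = Verdict()
    for pattern, weight, reason in CHECKS:
        if pattern.search(html):
            verdict.score += weight
            verdict.reasons.append(reason)
    return verdict


# Constructed samples: a documentation page with a legitimate copy button, and a
# ClickFix-style lure. The lure's command is an inert placeholder, not a real payload.
BENIGN_HTML = """<html><body>
<h2>Install</h2>
<p>Copy the command below, then paste it into your terminal.</p>
<pre id="snippet">pip install example-package</pre>
<button onclick="navigator.clipboard.writeText(document.getElementById('snippet').innerText)">Copy</button>
</body></html>"""

LURE_HTML = """<html><body>
<div class="box"><h2>Verify you are human</h2>
<p>1. Press Win + R &nbsp; 2. Press Ctrl + V &nbsp; 3. Press Enter</p>
<button onclick="copyText()">I'm not a robot</button></div>
<script>
const text = 'powershell -Command "Write-Host STAGE-ONE-PLACEHOLDER"';
function copyText() { navigator.clipboard.writeText(text); }
</script></body></html>"""

if __name__ == "__main__":
    for name, page in (("benign", BENIGN_HTML), ("lure", LURE_HTML)):
        v = triage_page(page)
        print(f"{name}: score={v.score} clickfix={v.is_clickfix} reasons={v.reasons}")
```

Run it over HTML retrieved by a proxy or sandbox for a URL that a user reported, or over pages behind newly registered domains seen in mail logs. Legitimate IT help pages that say "press Win+R" will trip the decisive rule, which is acceptable for a triage queue but not for automatic blocking.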

Tools & Malware

Star Blizzard operates a focused toolkit centered on credential harvesting infrastructure and, increasingly, selective endpoint malware for highest-value targets.

  • EvilGinx (Adversary-in-the-Middle Credential Theft): An open-source framework used as the core credential phishing tool. EvilGinx acts as a transparent proxy between the victim and the legitimate email service, intercepting both the entered credentials and the authenticated session cookie that follows successful MFA completion. This simultaneous credential and session cookie theft bypasses time-based OTP and SMS MFA. The stolen session cookie is replayed to access the account as an authenticated user without requiring the MFA factor.
  • Lookalike Credential Harvesting Domains: Star Blizzard registers domains that resemble legitimate organizations, email services, file sharing platforms, or research institutions — creating convincing-looking login pages that redirect harvested credentials to attacker infrastructure. Recorded Future identified 94 new domains in August 2023; the October 2024 seizure covered 107. Domain registration patterns often feature IT and cryptocurrency-related keywords alongside institutional name mimicry.
  • Fabricated Social Media and Email Profiles: False identities constructed to support the rapport-building phase — LinkedIn profiles, X/Twitter accounts, and email accounts presenting the operator as a credible researcher, journalist, policy expert, or conference organizer in the target's field. The fabricated identities are used to initiate and sustain benign correspondence before any phishing attempt is made.
  • SPICA Backdoor (2024): A custom malware deployed selectively against high-value targets where email account access alone is insufficient. SPICA provides access to documents stored on the target's device, extending collection beyond the email inbox. Delivered via spearphishing as part of the group's expanded malware deployment capability, documented by Google TAG in January 2024.
  • LostKeys (2025): A Visual Basic Script-based malware delivered via a ClickFix fake CAPTCHA social engineering chain. Capabilities include stealing files from a hard-coded extension and directory list, collecting system information (systeminfo, ipconfig, net view), and enumerating running processes (tasklist). Each infection uses unique per-victim identifiers and encryption keys. The second-stage payload performs anti-VM display resolution hashing checks before delivering LostKeys. C2 communication sends encoded data including computer name, username, and drive serial number as a session identifier.

Indicators of Compromise

Star Blizzard's phishing infrastructure rotates continuously — the October 2024 seizure covered 107 domains and the group immediately began rebuilding. Behavioral indicators are more durable than static domain or IP lists.

LostKeys — delivery chain indicators (2025)
delivery: Fake CAPTCHA webpage instructing user to open Windows Run and paste clipboard content
c2 (stage 2): 165.227.148[.]68 — second-stage PowerShell retrieval server (documented January–April 2025)
anti-vm: Second stage checks display resolution hash against known VM configurations — halts if VM detected
behavior: PowerShell.exe invoked via Windows Run dialog (not command line) — ClickFix signature
payload: LostKeys is a VBScript file collecting files, system info (systeminfo, ipconfig, net view), and tasklist
session id: C2 session string: base64(drive_serial ";" computer_name ";" username) — identifies compromised host

credential phishing behavioral indicators
approach: Unsolicited benign contact on professional topic from unknown expert — no link in first message
identity: Sender's name matches known contact but email domain has minor character substitution or typosquatting
link type: Link to document or resource — often referencing a shared interest topic established in prior correspondence
target: Personal email address targeted preferentially over corporate email to bypass organizational security controls
domain pattern: Lookalike domains mimicking legitimate organizations; often include IT or cryptocurrency keywords
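The following is an added example, not tooling from the profile's sources, that turns the indicator table above into three checks an incident responder can run offline: matching proxy log lines against the stage-2 C2 address, decoding the documented base64(drive_serial;computer_name;username) session string to identify the affected host, and flagging a sender whose display name matches a known contact while the sending domain is a near-miss of the real one. The proxy log format, the log lines, the session token, and the address book are constructed for the example; only the C2 address comes from the table.

```python
import base64
import re
from difflib import SequenceMatcher
from typing import Optional

# Second-stage C2 address from the indicator table above, written defanged there
# and refanged here only so it can be matched against log fields.
LOSTKEYS_C2 = "165.227.148.68"

# A standalone base64 token of plausible length; shorter runs (timestamps, ids)
# are ignored to keep decode attempts cheap.
SESSION_TOKEN_RE = re.compile(r"(?<![A-Za-z0-9+/])([A-Za-z0-9+/]{16,}={0,2})(?![A-Za-z0-9+/=])")

# Assumed proxy log format for the example: timestamp, client, method, URL, optional body.
PROXY_LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+)(?: (?P<body>.*))?$")


def decode_session_id(token: str) -> Optional[dict]:
    """Decode the documented LostKeys session string base64(drive_serial;computer_name;username).

    Returns None unless the decoded text has exactly that three-field shape, so
    unrelated base64 found in logs is not misreported as a compromised host."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    parts = raw.split(";")
    if len(parts) != 3 or not all(parts):
        return None
    drive_serial, computer_name, username = parts
    return {"drive_serial": drive_serial, "computer_name": computer_name, "username": username}


def scan_proxy_log(lines: list) -> list:
    """Return every request to the LostKeys C2, with the victim host identity
    recovered from the session token when one is present in the URL or body."""
    hits = []
    for line in lines:
        m = PROXY_LINE_RE.match(line)
        if not m or LOSTKEYS_C2 not in m["url"]:
            continue
        hit = {"ts": m["ts"], "src": m["src"], "method": m["method"], "host": None}
        for token in SESSION_TOKEN_RE.findall(m["url"] + " " + (m["body"] or "")):
            decoded = decode_session_id(token)
            if decoded:
                hit["host"] = decoded
                break
        hits.append(hit)
    return hits


def lookalike_sender(display_name: str, sender_domain: str, contacts: dict) -> Optional[str]:
    """Credential-phishing indicator: display name matches a known contact but the
    sending domain is a near-miss of that contact's real domain. Returns the real
    domain being imitated, or None."""
    real = contacts.get(display_name)
    if real is None or real.lower() == sender_domain.lower():
        return None
    similarity = SequenceMatcher(None, real.lower(), sender_domain.lower()).ratio()
    return real if similarity >= 0.8 else None


# Constructed sample data: a token built from a made-up host, two log lines to the
# C2 (one without a token, one with), one unrelated line, and a one-entry address book.
SAMPLE_TOKEN = base64.b64encode(b"ABCD1234;WS-FINANCE-07;j.doe").decode()
SAMPLE_LOG = [
    "2025-03-12T09:14:02Z 10.20.30.41 GET https://updates.example/check",
    f"2025-03-12T09:14:05Z 10.20.30.41 GET http://{LOSTKEYS_C2}/",
    f"2025-03-12T09:14:09Z 10.20.30.41 POST http://{LOSTKEYS_C2}/ id={SAMPLE_TOKEN}",
]
KNOWN_CONTACTS = {"Dr Jane Smith": "policy-institute.example"}

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
    print(lookalike_sender("Dr Jane Smith", "policy-lnstitute.example", KNOWN_CONTACTS))
```

The session decoder is the piece worth keeping after the C2 address rotates: it ties a network observation back to a specific host and user without endpoint access, which is what an IR team needs first when a personal device is the likely victim.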

Mitigation & Defense

Star Blizzard's social engineering model requires defenses that operate at the individual level — organizational email security controls are partially bypassed by design when the attack targets personal email accounts.

  • Replace TOTP and SMS MFA with FIDO2 hardware security keys on personal email accounts: EvilGinx bypasses time-based one-time passwords and SMS codes by intercepting session cookies after MFA completion. FIDO2 hardware keys (such as YubiKey) perform cryptographic authentication bound to the originating domain — they cannot authenticate to a phishing proxy because the domain does not match. Individuals in Star Blizzard's target categories — government officials, defense researchers, journalists, NGO workers, think tank analysts — should configure FIDO2 hardware keys as their MFA factor on personal Gmail and Microsoft accounts specifically.
  • Apply advanced account protection programs: Google's Advanced Protection Program and Microsoft's equivalent apply the highest security settings to an account — requiring hardware key authentication, restricting third-party application access, and adding enhanced phishing detection. These programs are specifically designed for high-risk individuals and are free to enroll in. They are the appropriate baseline security posture for anyone in Star Blizzard's documented target categories.
  • Treat unsolicited benign contact from unknown experts with deliberate skepticism: Star Blizzard's operational model requires the target to engage in correspondence before any phishing link is sent. Individuals in target categories who receive unsolicited contact from unknown researchers, journalists, or experts — particularly those expressing interest in the recipient's specific work — should verify the sender's identity through a separate channel before engaging. A social media profile appearing to be a credible expert does not verify identity; a phone call or video call with a known institutional contact who can confirm the person exists does.
  • Verify any link to documents or resources before clicking: When a correspondent — even a trusted-appearing one — sends a link to a document, verify the destination domain before authenticating. Star Blizzard's phishing pages are designed to appear as legitimate login portals for Google, Microsoft, or other services. Any login prompt reached by following a link from email or messaging should be treated with suspicion; navigate directly to the service's official domain rather than authenticating through a link.
  • Do not execute commands pasted from websites: The LostKeys ClickFix delivery chain requires the victim to manually open Windows Run (Win+R) and paste a clipboard command. No legitimate website or CAPTCHA service ever requires this action. Any webpage instructing a user to paste clipboard content into the Windows Run dialog or a command prompt should be immediately closed and reported. This is an unconditional indicator of a malicious delivery attempt.
  • Monitor PowerShell execution from unusual contexts: The LostKeys infection chain executes PowerShell via the Windows Run dialog rather than a command-line context. Endpoint detection rules alerting on PowerShell spawned by explorer.exe (the Run dialog parent process) rather than standard administrative contexts provide detection of ClickFix-technique malware delivery.
  • Enable Google Safe Browsing Enhanced Protection and government-backed alert programs: Google updated Safe Browsing to block LostKeys-associated domains following the May 2025 GTIG disclosure. Google also provides government-backed threat alerts to Gmail and Workspace users targeted by state-sponsored actors. Ensuring Enhanced Protection is enabled in Chrome and that Google Workspace alerts are appropriately configured provides automated notification of known Star Blizzard infrastructure.
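One way to implement the PowerShell-from-explorer.exe detection in the mitigation list, as an added example rather than a rule from the profile or a vendor: it evaluates constructed process-creation records of the kind Sysmon Event ID 1 or EDR telemetry provide, and filters out the plain Start-menu launch, which also has explorer.exe as parent but carries no arguments. The event schema, the sample events, the inert placeholder command, and the argument patterns that raise severity are assumptions of the example.

```python
import re
import shlex
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcessEvent:
    """Minimal process-creation record (assumed schema, modelled on Sysmon Event ID 1)."""
    image: str
    parent_image: str
    command_line: str
    user: str


# Argument patterns that raise an explorer.exe-spawned PowerShell from "medium" to
# "high": hidden windows, encoded commands, in-memory execution, and downloaders.
SUSPICIOUS_ARGS = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-e(?:nc|ncodedcommand)?\s|\biex\b|invoke-expression|"
    r"downloadstring|invoke-webrequest|\biwr\b|\bcurl\b",
    re.I,
)
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_clickfix_launch(ev: ProcessEvent) -> Optional[str]:
    """Return a severity when PowerShell was started by explorer.exe with arguments.

    The Run dialog is hosted by explorer.exe, so a ClickFix victim pasting a command
    produces exactly this parent/child pair. A bare launch from the Start menu or
    taskbar has the same parent but no arguments, so it is excluded."""
    if basename(ev.image) not in POWERSHELL_IMAGES or basename(ev.parent_image) != "explorer.exe":
        return None
    tokens = shlex.split(ev.command_line, posix=False)
    if len(tokens) <= 1:
        return None
    return "high" if SUSPICIOUS_ARGS.search(ev.command_line) else "medium"


def run_rules(events: list) -> list:
    """Evaluate every event; return (index, severity) for each alert."""
    alerts = []
    for i, ev in enumerate(events):
        severity = detect_clickfix_launch(ev)
        if severity:
            alerts.append((i, severity))
    return alerts


# Constructed sample telemetry: a normal interactive launch, a Run-dialog launch with a
# hidden window (the command itself is an inert placeholder), a launch from cmd.exe, and
# a script run from explorer.exe.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent(PS, r"C:\Windows\explorer.exe", PS, "CORP\\j.doe"),
    ProcessEvent(PS, r"C:\Windows\explorer.exe",
                 'powershell -w hidden -Command "Write-Host STAGE-ONE-PLACEHOLDER"', "CORP\\j.doe"),
    ProcessEvent(PS, r"C:\Windows\System32\cmd.exe", "powershell -File build.ps1", "CORP\\svc-build"),
    ProcessEvent(r"C:\Program Files\PowerShell\7\pwsh.exe", r"C:\Windows\explorer.exe",
                 r'"C:\Program Files\PowerShell\7\pwsh.exe" -File C:\Users\j.doe\scripts\report.ps1', "CORP\\j.doe"),
]

if __name__ == "__main__":
    for index, severity in run_rules(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[index]
        print(f"[{severity}] {ev.user}: {ev.command_line}")
```

The parent-process check alone is too noisy to alert on in environments where users launch PowerShell from the Start menu, so the bare-launch exclusion and the argument scoring are what make the rule usable; tune the argument list to what your fleet's legitimate automation actually uses, and treat the "medium" tier as a hunt query rather than a pager alert.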
analyst note — hack-and-leak as the second use of stolen intelligence

Star Blizzard's credential theft and email exfiltration serves two distinct FSB purposes. The first is conventional intelligence collection — private communications of government officials, defense researchers, and policy advisors contain intelligence not available through open sources. The second purpose is selective publication of exfiltrated material to support Russian influence operations. The US Treasury explicitly noted the FSB's use of hack-and-leak operations to shape narratives in targeted countries. When exfiltrated emails or documents are published — selectively edited or contextualized to advance Russian strategic narratives — they appear to originate from independent sources rather than from Russian intelligence operations, providing deniability while generating the desired information environment effects. This dual-use model means that even individuals who do not consider themselves intelligence targets should recognize that their private communications, if compromised, may be weaponized for public influence purposes rather than intelligence files.

Sources & Further Reading

Attribution and references used to build this profile.

— end of profile