Russias Star Blizzard APT Upgrades Its Stealth, Only to Be Unmasked Again

A state-sponsored Scooby Doo villain has once again been thwarted by those meddling researchers.

After multiple exposures and disruptions, a Kremlin-sponsored advanced persistent threat (APT) actor has once again upgraded its evasion techniques. However, that move was also exposed this week, by Microsoft.
Star Blizzard (aka Seaborgium, BlueCharlie, Callisto Group, and Coldriver) has been carrying out email credential theft in service of cyberespionage and cyber influence campaigns since at least 2017. Historically, it has focused its aim on public and private organizations in NATO member countries, typically in fields related to politics, defense, and related sectors — NGOs, think tanks, journalists, academic institutions, intergovernmental organizations, and so on. In recent years, it has especially targeted individuals and organizations providing support for Ukraine.
But for every successful breach, Star Blizzard is also known for its OpSec failures. Microsoft
disrupted the group in August 2022
and, in the time since, Recorded Future has tracked it as it not so subtly
attempted to shift to new infrastructure
. And on Thursday, Microsoft returned to report on
its latest efforts at evasion
. These efforts include five primary new tricks, most notably the weaponization of email marketing platforms.
Microsoft declined to provide comment for this article.
To aid in sneaking past email filters, Star Blizzard has started using password-protected PDF lure documents, or links to cloud-based file sharing platforms with the protected PDFs contained within. The passwords to these documents typically come packaged in the same phishing email, or an email sent shortly after the first.
As small roadblocks for potential human analysis, Star Blizzard has begun using a domain name service (DNS) provider as a reverse proxy — obscuring the IP addresses associated with its virtual private servers (VPSs) – and server-side JavaScript snippets intended to prevent automated scanning of its infrastructure.
Its also using a more randomized domain generation algorithm (DGA), to make detecting patterns in its domains more cumbersome. As Microsoft points out however, Star Blizzard domains still share certain defining characteristics: theyre typically registered with Namecheap, in groups that often use similar naming conventions, and they sport TLS certifications from Lets Encrypt.
And besides its smaller tricks, Star Blizzard has begun to utilize the email marketing services Mailerlite and HubSpot for directing its phishing escapades.
As Microsoft explained in its blog, the actor uses these services to create an email campaign, which provides them with a dedicated subdomain on the service that is then used to create URLs. These URLs act as the entry point to a redirection chain ending at actor-controlled
Evilginx server infrastructure
. The services can also provide the user with a dedicated email address per configured email campaign, which the threat actor has been seen to use as the From address in their campaigns.
Sometimes the hackers have crossed tactics, embedding within the body of their password-protected PDFs the email marketing URLs they use to redirect to their malicious servers. This combo removes the need to include its own domain infrastructure in the emails.
Their use of cloud-based platforms like HubSpot, MailerLite, and virtual private servers (VPS) partnered with server-side scripts to prevent automated scanning is an interesting approach, explains Recorded Future Insikt Group threat intelligence analyst Zoey Selman, as it enables BlueCharlie to set allow parameters to redirect the victim to threat actor infrastructure only when the requirements are met.
Recently, researchers observed the group using email marketing services to target think tanks and research organizations, using a common lure, with the goal of obtaining credentials for a U.S. grants management portal.
The group has seen some other recent success, as well, Selman notes, most notably against UK government officials in credential-harvesting and hack-and-leak operations in use in influence operations, such as against former UK MI6 chief Richard Dearlove, British Parliamentarian Stewart McDonald, and is known to have at least attempted to target employees of some of the US most high profile national nuclear laboratories.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Russias Star Blizzard APT Upgrades Its Stealth, Only to Be Unmasked Again