COLDRIVER

Threat Actor Profile Updated 24 days ago
Coldriver, also known as Star Blizzard and Callisto Group, is a Russian Advanced Persistent Threat (APT) actor that has been identified as a significant cybersecurity threat. Notably, Google's Threat Analysis Group (TAG) has issued warnings about Coldriver's use of a custom backdoor in its operations. This custom malware, named Spica, appears to have been developed specifically for or by Coldriver, enhancing the group's ability to infiltrate targeted systems and networks. In December, a joint cybersecurity advisory was published by the Cyber National Mission Force, FBI, Cybersecurity and Infrastructure Security Agency, and several international cyber authorities. The advisory highlighted advanced spear-phishing campaigns launched by Coldriver. These campaigns are characterized by sophisticated social engineering techniques, where the group targets non-governmental organizations, military officers, and other experts, gaining their trust before deploying malicious links or malware. Amidst geopolitical tensions, Coldriver has been implicated in disinformation and credential-harvesting campaigns against Ukraine, demonstrating Russia's strategic use of cyber warfare. The group's activities extend beyond mere espionage, contributing to broader disinformation efforts aimed at manipulating public opinion and destabilizing adversaries. Given these factors, Coldriver represents a multifaceted and evolving cyber threat, necessitating vigilant cybersecurity measures.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Seaborgium | 6 | Seaborgium, also known as Star Blizzard, Callisto Group, and COLDRIVER, is a threat actor group linked to Russia's Federal Security Service (FSB), specifically its Center 18 cyberespionage unit. The group has been active since at least 2015, conducting extensive spear-phishing campaigns against Brit
Bluecharlie | 5 | BlueCharlie, also known as TAG-53, Blue Callisto, Callisto (or Calisto), COLDRIVER, Star Blizzard (formerly SEABORGIUM), and TA446, is a threat actor that has been linked to Russia and has reportedly been active since 2019. The group has been involved in various malicious activities including cybere
Star Blizzard | 4 | Star Blizzard, also known as Seaborgium or the Callisto Group, is a threat actor linked to Russia's intelligence service, the FSB. The group has been involved in sophisticated cyber-attacks worldwide, primarily using spear-phishing campaigns to steal account credentials and data. Microsoft, which tr
Callisto | 4 | Callisto, also known as Gossamer Bear, ColdRiver, UNC4057, Star Blizzard, and Blue Charlie, is a threat actor group likely linked to Russian state interests. This group primarily focuses on credential harvesting, targeting regions such as Ukraine and North Atlantic Treaty Organization (NATO) countri
Callisto Group | 3 | The Callisto Group, also known as Star Blizzard and Coldriver, is a threat actor originating from Russia. A threat actor refers to an entity that executes actions with malicious intent, which could range from individuals to government entities. The Callisto Group has been recognized for its advanced
TA446 | 3 | TA446, also known as the Callisto APT group, Seaborgium, Star Blizzard, ColdRiver, TAG-53, and BlueCharlie, is a threat actor that has been active since at least 2015. This cyberespionage entity has persistently targeted individuals and organizations involved in international affairs, defense, and l
Gossamer Bear | 2 | Gossamer Bear, also known as Callisto, Blue Callisto, BlueCharlie (or TAG-53), Calisto, Star Blizzard (formerly SEABORGIUM), TA446, and UNC4057, is a significant threat actor that has been active since 2019. The group primarily focuses on credential harvesting and conducts hack-and-leak campaigns ta
Unc4057 | 2 | UNC4057, also known as ColdRiver, Star Blizzard, Blue Charlie, and Callisto, is a Russian-backed advanced persistent threat (APT) group that has been active since 2019. This group, sponsored by the Federal Security Service (FSB), has been involved in various malicious activities on behalf of the Rus
Calisto | 2 | Calisto, also known as BlueCharlie, Blue Callisto, TAG-53, COLDRIVER, Star Blizzard (formerly SEABORGIUM), TA446, and UNC4057, is a threat actor that has been active since 2019. This group targets a wide range of sectors and is particularly focused on individuals and organizations involved in intern
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Phishing
Blizzard
Apt
Implant
Ukraine
State Sponso...
Decoy
Google
Associated Malware
ID | Type | Votes | Profile Description
Spica | Unspecified | 5 | Spica is a custom malware developed and utilized by the threat group known as Coldriver. The backdoor software, Spica, was first identified by Google's Threat Analysis Group (TAG), which has been tracking its use since as early as September of the previous year. The malware appears to be used in hig
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
Star Blizzard/seaborgium | Unspecified | 2 | None
Source Document References
Information about the COLDRIVER threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | 5 months ago | Microsoft Alert: COLDRIVER Credential Theft Rising Again
DARKReading | 4 months ago | Google: Russia's ColdRiver APT Unleashes Custom 'Spica' Malware
CERT-EU | 4 months ago | Russian Hackers Using Encrypted PDFs As a Ploy To Spread Malware | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU | 4 months ago | Russian threat group spreading backdoor through phishing, says Google | IT World Canada News
InfoSecurity-magazine | 4 months ago | Russian Coldriver Hackers Deploy Malware to Target Western Officials
CERT-EU | 4 months ago | Russian hacker Coldriver extends tactics to include custom malware | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU | 4 months ago | Google disrupts malware campaign run by Russia-linked hacking group | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU | 4 months ago | Google: Russian state hackers deploying malware in espionage attacks around Europe
CERT-EU | 4 months ago | ColdRiver threat group targeting critical infrastructure with backdoor attacks
CERT-EU | 4 months ago | Google: Russian FSB hackers deploy new Spica backdoor malware
CERT-EU | 4 months ago | Russian COLDRIVER Hackers Expand Beyond Phishing with Custom Malware
Recorded Future | a year ago | Exposing TAG-53's Credential Harvesting Infrastructure Used for Russia-Aligned Espionage Operations
Malwarebytes | 4 months ago | Coldriver threat group targets high-ranking officials to obtain credentials | Malwarebytes
BankInfoSecurity | 4 months ago | Google: Russian FSB Hacking Group Turns to Malware
Securityaffairs | 4 months ago | Google TAG warns that Russian COLDRIVER APT is using a custom backdoor
CERT-EU | 4 months ago | Russian FSB Hacking Group Turns to Malware | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU | 4 months ago | Google TAG: Kremlin cyber spies build a custom backdoor
CERT-EU | 4 months ago | Russian Hackers Are Using PDF Tricks and Custom Malware to Target NATO | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU | 4 months ago | Cyber Security Week in Review: January 19, 2024
CERT-EU | 4 months ago | Google TAG warns that Russian COLDRIVER APT is using a custom backdoor