Spica

Malware Profile Updated 2 months ago
Spica is a custom malware developed and used by the threat group known as Coldriver. The backdoor, Spica, was first identified by Google's Threat Analysis Group (TAG), which has been tracking its use since as early as September of the previous year. The malware appears to be used in highly targeted attacks and is likely still under active development. It provides persistent access to a victim's machine, enabling command execution, theft of browser cookies, and exfiltration of documents. Despite law enforcement action, Coldriver's activity has remained consistent over the years. Spica's functionality allows attackers to execute commands on targeted systems, upload and download files, and gather system and file information. A command named "telegram" is embedded within Spica, although its exact function remains unclear. Google believes that multiple versions of the Spica backdoor exist, each carrying a different embedded decoy document to match the lure document sent to targets. The earliest use of this backdoor by Coldriver dates back to November 2022. Google's TAG has published a YARA rule to assist in identifying the Spica backdoor. The rule includes various strings and conditions related to the malware, such as "os_win.c:%d: (%lu) %s(%s) – %s", "winWrite1", "DNS resolution panicked", and "struct Dox". These identifiers can help in detecting the presence of Spica on a system. Notably, one of the strings is "Card Holder: Bull Gayts", suggesting a possible attempt at humor or misdirection by the malware's creators.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Cold River | 1 | Cold River, a sophisticated threat actor linked to the Kremlin, has been engaging in malicious cyber activities for several years. The group, also known as Star Blizzard, Callisto, and UNC4057, is attributed to Center 18 of the FSB, one of Russia's security services sponsoring global cyber espionage
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Decoy
Backdoor
Malware
Telegram
Apt
Google
Ukraine
Phishing
Impersonation
Blizzard
Russia
Remcos
Implant
Associated Malware
ID | Type | Votes | Profile Description
Proton-decrypter.exe | Unspecified | 2 | None
RomCom | Unspecified | 1 | RomCom is a type of malware, specifically a Remote Access Trojan (RAT), that has been linked to several cyber-attacks across Europe and North America. It was first identified in spring 2022, when third-party and open-source reports highlighted a potential connection between Cuba ransomware actors, R
Smokeloader | Unspecified | 1 | SmokeLoader is a malicious software (malware) that has been extensively used by threat actors, particularly those associated with the Phobos ransomware. It functions as a backdoor trojan, often arriving on victims' systems via spoofed email attachments embedded with hidden payloads. Once downloaded,
Rhadamanthys | Unspecified | 1 | Rhadamanthys is a type of malware that has been identified as a significant threat to computer systems. This malicious software, designed to exploit and damage computers or devices, can infiltrate systems through suspicious downloads, emails, or websites. Once it gains access, Rhadamanthys can steal
Rootsaw | Unspecified | 1 | Rootsaw, also known as EnvyScout, is a first-stage payload malware extensively used by state-sponsored group APT29 for their initial access efforts in collecting foreign political intelligence. The malware is typically deployed via phishing emails with HTML file attachments or .HTA files, which exec
Associated Threat Actors
ID | Type | Votes | Profile Description
COLDRIVER | Unspecified | 5 | Coldriver, also known as Callisto Group and Star Blizzard, is a threat actor believed to originate from Russia. This entity is recognized for its malicious activities including disinformation campaigns, spear-phishing attacks, and the use of custom malware. The group has been associated with the Rus
Unc4057 | Unspecified | 1 | UNC4057, also known as ColdRiver, Star Blizzard, Blue Charlie, and Callisto, is a Russian-backed advanced persistent threat (APT) group that has been active since 2019. This group, sponsored by the Federal Security Service (FSB), has been involved in various malicious activities on behalf of the Rus
Blue Charlie | Unspecified | 1 | Blue Charlie, also known as TAG-53, UNC4057, Star Blizzard, and Callisto, is a threat actor linked to Russian threat activity groups such as the Callisto Group, COLDRIVER, and SEABORGIUM. Both Microsoft and the UK government have assessed this connection. The entity is believed to be part of the wid
APT28 | Unspecified | 1 | APT28, also known as Fancy Bear, is a threat actor linked to Russia and has been involved in numerous cyber espionage campaigns. The group is notorious for its sophisticated tactics, techniques, and procedures (TTPs). Recently, NATO and the EU formally condemned APT28's activities, acknowledging the
Turla | Unspecified | 1 | Turla, also known as Pensive Ursa, is a sophisticated threat actor linked to Russia that has been active for many years. The group is known for its advanced cyber-espionage capabilities and has been associated with numerous high-profile breaches. According to the MITRE ATT&CK and MITRE Ingenuity dat
Apt44 | Unspecified | 1 | APT44, previously known as Sandworm, is a Russian military intelligence hacking team newly designated by Mandiant. The group has been active in conducting campaigns leveraging Sandworm malware since the start of 2023, primarily targeting Ukraine, Eastern Europe, and investigative journalists. APT44'
Gamaredon | Unspecified | 1 | Gamaredon, a Russian Advanced Persistent Threat (APT) group, has been actively tracked since 2013 and is recognized as a significant threat actor in the cybersecurity landscape. Its primary target is Ukraine, against which it deploys an array of home-brewed malware through malicious documents. The E
Star Blizzard | Unspecified | 1 | Star Blizzard, also known as Seaborgium or the Callisto Group, is a threat actor linked to Russia's intelligence service, the FSB. The group has been involved in sophisticated cyber-attacks worldwide, primarily using spear-phishing campaigns to steal account credentials and data. Microsoft, which tr
Callisto | Unspecified | 1 | Callisto, also known as Gossamer Bear, COLDRIVER, UNC4057, Star Blizzard, Blue Charlie, and SEABORGIUM, is a threat actor linked to the Russian state. This group, which has been tracked by various entities including Microsoft, Google's Threat Analysis Group (TAG), and Insikt Group, is known for its
Coldriver Apt | Unspecified | 1 | Coldriver APT is a threat actor believed to originate from Russia, known for its malicious cyber activities. As per the cybersecurity industry's naming conventions, this group has been identified as an Advanced Persistent Threat (APT), indicating their capability to conduct prolonged and targeted cy
APT29 | Unspecified | 1 | APT29, also known as Cozy Bear, SVR group, BlueBravo, Nobelium, Midnight Blizzard, and The Dukes, is a threat actor linked to Russia. This group is notorious for its malicious activities in the cybersecurity realm, executing actions with harmful intent. It has been associated with several high-profi
Gossamer Bear | Unspecified | 1 | Gossamer Bear, also known as Callisto, Blue Callisto, BlueCharlie (or TAG-53), Calisto, Star Blizzard (formerly SEABORGIUM), TA446, and UNC4057, is a significant threat actor that has been active since 2019. The group primarily focuses on credential harvesting and conducts hack-and-leak campaigns ta
Winter Vivern | Unspecified | 1 | Winter Vivern is a threat actor group that has recently been active in the cybersecurity landscape. This group, which is believed to align with the interests of Belarus, has been involved in a series of malicious activities targeting different entities. They have notably exploited a zero-day vulnera
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Spica malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
Flashpoint | 2 months ago | Evolving Tactics: How Russian APT Groups Are Shaping Cyber Threats in 2024
CERT-EU | 6 months ago | Google says Russian espionage crew behind new malware campaign | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU | 6 months ago | Prolific Russian hacking unit using custom backdoor for the first time
BankInfoSecurity | 6 months ago | Google: Russian FSB Hacking Group Turns to Malware
Malwarebytes | 6 months ago | Coldriver threat group targets high-ranking officials to obtain credentials | Malwarebytes
CERT-EU | 6 months ago | ColdRiver threat group targeting critical infrastructure with backdoor attacks
CERT-EU | 6 months ago | Russian hacker Coldriver extends tactics to include custom malware | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
InfoSecurity-magazine | 6 months ago | Russian Coldriver Hackers Deploy Malware to Target Western Officials
CERT-EU | 6 months ago | What is SPICA backdoor malware used by Russian hackers on Western officials? | Technology News | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU | 6 months ago | Cyber Security Week in Review: January 19, 2024
CERT-EU | 6 months ago | Google warns against new malware campaign spreading through PDFs | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU | 6 months ago | Google: Russian state hackers deploying malware in espionage attacks around Europe
CERT-EU | 6 months ago | Russian FSB Hacking Group Turns to Malware | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU | 6 months ago | Russian Hackers Are Using PDF Tricks and Custom Malware to Target NATO | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
DARKReading | 6 months ago | Google: Russia's ColdRiver APT Unleashes Custom 'Spica' Malware
CERT-EU | 6 months ago | Google disrupts malware campaign run by Russia-linked hacking group | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU | 6 months ago | Google: Russian FSB hackers deploy new Spica backdoor malware
CERT-EU | 6 months ago | Russian COLDRIVER Hackers Expand Beyond Phishing with Custom Malware
CERT-EU | 6 months ago | Russian threat group spreading backdoor through phishing, says Google | IT World Canada News
CERT-EU | 6 months ago | Russian APT Known for Phishing Attacks Is Also Developing Malware, Google Warns | Antivirus and Security news