COLDRIVER, also known as UNC4057, Star Blizzard and Callisto, a Russian threat group focused on credential phishing against high-profile individuals in NGOs, former intelligence and military officers, and NATO governments, has advanced its tactics beyond phishing for credentials, Google's Threat Analysis Group (TAG) warned on Thursday.

The threat actors deliver malware through campaigns that use PDFs as lure documents. In November 2022, TAG caught COLDRIVER sending targets benign PDF documents from impersonation accounts. The documents are presented as new op-eds or articles that the impersonation account is looking to publish, and the target is asked for feedback. As soon as the recipient opens the lure document, the text within it appears encrypted.

When the target expresses an inability to read the encrypted content, the COLDRIVER impersonation account responds by providing a link, typically hosted on a cloud storage site, to a "decryption" utility for the target to use. This decryption utility is a backdoor tracked as SPICA. Through this backdoor, COLDRIVER gains unauthorized access to the victim's machine.

TAG assesses SPICA to be the first custom malware developed and used by COLDRIVER.

"TAG has observed SPICA being used as early as September 2023, but believe that COLDRIVER's use of the backdoor goes back to at least November 2022. While TAG has observed four different variants of the initial “encrypted” PDF lure, we have only been able to successfully retrieve a single instance of SPICA," TAG wrote in a post.