A Russian nation-state actor known as Star Blizzard has launched a new spear-phishing campaign aimed at compromising WhatsApp accounts of individuals in key sectors, including government, diplomacy, defense policy, international relations, and Ukraine aid organizations.

The campaign, first detected in mid-November 2024, highlights a strategic shift in the group’s tactics, according to a report by Microsoft Threat Intelligence.

Malicious WhatsApp Invitation Tactics

The attack begins with Star Blizzard impersonating a U.S. government official in phishing emails. These emails lure targets by offering an invitation to join a WhatsApp group focused on non-governmental initiatives supporting Ukraine. To increase credibility, the email contains a deliberately broken QR code, encouraging the recipient to request an alternative link.

When victims respond, they receive a follow-up email containing a malicious t.ly short link. This link redirects to a counterfeit webpage resembling a legitimate WhatsApp invitation page, complete with a QR code. Scanning that QR code, however, does not join a group: it is a device-linking code, so it links the attacker's device to the victim's WhatsApp account.
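A defender-side triage check for the follow-up email described above, added here as an illustration and not taken from the Microsoft report: it expands shortener links through a constructed offline redirect map (a stand-in for a real URL expander), then flags any message that pitches a WhatsApp group invitation whose link lands anywhere other than an official WhatsApp host. The WhatsApp host list, the redirect map and the sample messages are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Assumption: hosts a genuine WhatsApp group invitation would resolve to.
WHATSAPP_HOSTS = {"chat.whatsapp.com", "whatsapp.com", "www.whatsapp.com", "wa.me"}
SHORTENER_HOSTS = {"t.ly"}  # the shortener named in this campaign; extend as needed
LURE_TERMS = ("whatsapp", "qr code", "group invitation", "join the group")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed redirect map standing in for live short-link expansion (offline demo).
REDIRECTS = {
    "https://t.ly/abc123": "https://whatsapp-group-invite.example/join",  # lookalike page
    "https://t.ly/real01": "https://chat.whatsapp.com/XYZ",               # genuine invite
}

def expand(url, redirects=REDIRECTS, max_hops=5):
    """Follow a short link through the supplied redirect map without touching the network."""
    seen = set()
    for _ in range(max_hops):
        if url in seen or url not in redirects:
            break
        seen.add(url)
        url = redirects[url]
    return url

def assess_email(body, redirects=REDIRECTS):
    """Return (verdict, findings) for one email body.

    Only the follow-up email carries a link; the first email in the campaign
    holds just a broken QR code image, so this check cannot see it.
    """
    text = body.lower()
    lure = any(term in text for term in LURE_TERMS)
    findings = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        final_host = (urlparse(expand(url, redirects)).hostname or "").lower()
        prefix = "shortened " if host in SHORTENER_HOSTS else ""
        if lure and final_host not in WHATSAPP_HOSTS:
            findings.append(f"{prefix}link lands on {final_host}, not a WhatsApp host")
    return ("suspicious" if findings else "ok", findings)

# Constructed sample messages.
SAMPLE_PHISH = ("Please join our WhatsApp group supporting Ukraine aid: "
                "https://t.ly/abc123 (scan the QR code on the page)")
SAMPLE_OK = "Join the group here: https://t.ly/real01"
```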

Exploiting WhatsApp Web

If victims follow the instructions, the attacker gains full access to their WhatsApp messages and can exfiltrate data using browser plugins designed for exporting chats via WhatsApp Web. Notably, this attack relies on social engineering rather than malware, so there is no malicious file for antivirus tools to detect.

Staying Protected

Microsoft advises users to remain cautious of unsolicited emails or group invitations, particularly those urging QR code scans. To ensure account security, users should regularly review the devices linked to their WhatsApp accounts through the “Linked Devices” feature on the mobile app and log out of any unrecognized devices.
