A Russian state-backed hacker group known as Coldriver has expanded its operations to include the use of a custom backdoor called ‘SPICA’ in targeted campaigns against Western officials, according to a new report from Google’s Threat Analysis Group (TAG).
The cyberespionage outfit, also tracked as UNC4057, Star Blizzard, and Callisto, is primarily focused on credential phishing against entities in Ukraine, high-profile individuals in non-governmental organizations (NGOs), former intelligence and military officers, and NATO governments.
To gain the trust of their targets, Coldriver employs sophisticated impersonation accounts, posing as experts or individuals affiliated with the target, establishing a rapport before launching phishing campaigns.
In its most recent attacks, the group has been observed delivering malware via lures in the form of PDF documents. Since at least November 2022, the threat actor has been sending benign PDF documents to targets from impersonation accounts, the TAG team said.
The lure document contains encrypted text, and if the victim wants to read it they are offered a link to a “decryption” utility hosted on a cloud storage site. This utility is, in fact, the SPICA backdoor, which gives the threat actor access to the victim's machine.
SPICA, the first custom malware attributed to Coldriver, is written in the Rust programming language and uses JSON over web sockets for command and control (C2). Its capabilities include executing arbitrary shell commands, stealing cookies from various browsers, uploading and downloading files, perusing the filesystem, and enumerating and exfiltrating documents.
TAG first spotted SPICA in September 2023, but the researchers believe that the group has been using the malware since at least November 2022.
Notably, SPICA establishes persistence through an obfuscated PowerShell command that creates a scheduled task named “CalendarChecker.” TAG said it identified four different variants of the initial “encrypted” PDF lure but retrieved only a single instance of SPICA. TAG suspects that there may be multiple versions of the SPICA backdoor, each with a different embedded decoy document to match the lure sent to specific targets.
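As an added triage example (not from TAG's report or this article), the following Python flags scheduled tasks that match the persistence pattern described above, given an export from `schtasks /query /fo CSV /v`: the task name comes from the report, while the sample export, host and user names, and the decoded placeholder command are constructed for illustration.

```python
import base64
import csv
import io
import re

# Scheduled-task name TAG reports for SPICA's persistence mechanism.
SUSPICIOUS_TASK_NAMES = {"calendarchecker"}

# PowerShell encoded-command switch (-e / -enc / -EncodedCommand, any case)
# followed by a base64 blob, which is the UTF-16LE script base64-encoded.
ENCODED_CMD_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_command(blob: str):
    """Decode a -EncodedCommand payload; return None if it is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage_tasks(csv_text: str) -> list:
    """Flag tasks in `schtasks /query /fo CSV /v` output that match the SPICA pattern."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name, command = row.get("TaskName", ""), row.get("Task To Run", "")
        reasons, decoded = [], None
        if name.rsplit("\\", 1)[-1].lower() in SUSPICIOUS_TASK_NAMES:
            reasons.append("task name matches the reported SPICA persistence task")
        match = ENCODED_CMD_RE.search(command)
        if match and "powershell" in command.lower():
            decoded = decode_encoded_command(match.group(1))
            reasons.append("PowerShell launched with an encoded command")
        if reasons:
            findings.append({"host": row.get("HostName", ""), "task": name,
                             "run_as": row.get("Run As User", ""),
                             "reasons": reasons, "decoded": decoded})
    return findings

# Constructed sample export (not real telemetry): a benign Microsoft task, a mimic, a user task.
SAMPLE_CMD = "Start-Process $env:TEMP\\decoy.pdf"  # placeholder decoded payload, constructed
SAMPLE_B64 = base64.b64encode(SAMPLE_CMD.encode("utf-16-le")).decode("ascii")
SAMPLE_CSV = "\n".join([
    '"HostName","TaskName","Author","Task To Run","Run As User"',
    '"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","Microsoft","%windir%\\system32\\defrag.exe -c -h -o -$","SYSTEM"',
    '"WS01","\\CalendarChecker","WS01\\alice","powershell.exe -NoP -W Hidden -enc ' + SAMPLE_B64 + '","WS01\\alice"',
    '"WS01","\\Backup","WS01\\alice","C:\\Tools\\backup.cmd","WS01\\alice"',
])

if __name__ == "__main__":
    for finding in triage_tasks(SAMPLE_CSV):
        print(finding)
```

Decoding the encoded command lets an analyst see what the task actually runs without launching it; a name match alone is weak evidence, so both signals are reported separately.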