Security News > 2024 > January > Google TAG: Kremlin cyber spies move into malware with a custom backdoor
Russian cyberspies linked to the Kremlin's Federal Security Service are moving beyond their usual credential phishing antics and have developed a custom backdoor that they started delivering via email as far back as November 2022, according to Google's Threat Analysis Group.
"TAG has observed SPICA being used as early as September 2023, but believe that COLDRIVER's use of the backdoor goes back to at least November 2022," the Chocolate Factory's threat hunting team said in an analysis published today.
SPICA is the first custom malware that TAG attributes to the Kremlin-backed group.
These expeditions tend to be highly targeted, focusing on "High-profile individuals in NGOs, former intelligence and military officials, defense, and NATO governments," Google TAG's Billy Leonard told The Register.
"As far back as November 2022, TAG has observed COLDRIVER sending targets benign PDF documents from impersonation accounts," the Chocolate Factory said in today's account of the gang's evolving espionage efforts.
Then the phony email account responds with a link to a "Decryption" utility that is actually the SPICA backdoor.
News URL
https://go.theregister.com/feed/www.theregister.com/2024/01/18/google_tag_coldriver_malware/