Home/ Threat Actors/ Star Blizzard

🌐Star Blizzard

🌐 Star Blizzard is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: State. We map 14 detection use cases to this actor across 20 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G1033) ↗

14Use cases

0Articles

20Techniques

0IOCs

About this actor (MITRE)

[Star Blizzard](https://attack.mitre.org/groups/G1033) is a cyber espionage and influence group originating in Russia that has been active since at least 2019. [Star Blizzard](https://attack.mitre.org/groups/G1033) campaigns align closely with Russian state interests and have included persistent phishing and credential theft against academic, defense, government, NGO, and think tank organizations in NATO countries, particularly the US and the UK.(Citation: Microsoft Star Blizzard August 2022)(Citation: CISA Star Blizzard Advisory December 2023)(Citation: StarBlizzard)(Citation: Google TAG COLD

Known aliases

Star BlizzardSEABORGIUMCallisto GroupTA446COLDRIVER

Top techniques

T1059.007 · JavaScript T1078 · Valid Accounts T1114.002 · Remote Email Collection

All other tracked techniques

T1114.003 · Email Forwarding Rule T1204.002 · Malicious File T1539 · Steal Web Session Cookie T1550.004 · Web Session Cookie T1566.001 · Spearphishing Attachment T1583 · Acquire Infrastructure T1583.001 · Domains T1585.001 · Social Media Accounts T1585.002 · Email Accounts T1586.002 · Email Accounts T1588.002 · Tool T1589 · Gather Victim Identity Information T1593 · Search Open Websites/Domains T1598.002 · Spearphishing Attachment T1598.003 · Spearphishing Link T1608.001 · Upload Malware T1684.001 · Impersonation

Detection use cases (14)

Star Blizzard (SEABORGIUM/COLDRIVER) AiTM session-cookie replay → mailbox forwarding rule AI · profile S Star Blizzard SPICA loader — browser/PDF reader spawning user-staged executable with rare-destination C2 AI · profile SΣ 1Password impossible-travel sign-in MITRE match Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match Edge-service post-exploitation chain: internet-facing daemon → child shell or token redemption within 10 min of external request MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules MITRE match OAuth Device-Code Consent Phish to Cross-IP Cloud Token Replay MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match Package Manager Install Hook Spawns Scripting Interpreter Then Touches Credential Files or Egresses Off-Registry MITRE match Package Manager Install Spawning Outbound Egress to Non-Registry Infrastructure Within 5 Minutes MITRE match