Microsoft catches Russian state-sponsored hackers shifting tactics to WhatsApp | CyberScoop<\/title> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/star-blizzard-fsb-whatsapp-microsoft-threat-intel\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Microsoft catches Russian state-sponsored hackers shifting tactics to WhatsApp\"> <meta property=\"og:description\" content=\"Star Blizzard, known to be part of Russia\u2019s FSB, moved schemes to the messaging platform last November.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/star-blizzard-fsb-whatsapp-microsoft-threat-intel\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2025-01-16T17:00:00+00:00\"> <meta property=\"article:modified_time\" content=\"2025-01-16T14:58:07+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/microsoft-catches-russian-state-sponsored-hackers-shifting-tactics-to-whatsapp-2.jpg\"> <meta property=\"og:image:width\" content=\"3300\"> <meta property=\"og:image:height\" content=\"2199\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Greg Otto\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@gregotto\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1732206022g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1736278014g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1732010462g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=ddc036fa194c40cf406f\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/83164\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.7.1\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=83164\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fstar-blizzard-fsb-whatsapp-microsoft-threat-intel%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fstar-blizzard-fsb-whatsapp-microsoft-threat-intel%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-83164 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/star-blizzard-fsb-whatsapp-microsoft-threat-intel\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--event js-stickybar\">\n<div class=\"stickybar__details\" readability=\"5.12\">\n<div class=\"stickybar__info js-sticky-bar-content\" readability=\"32\">\n<p>Nominations can be submitted for the 2025 CyberScoop 50 awards!<\/p>\n<\/div>\n<p> <a class=\"stickybar__link button button-tertiary\" href=\"https:\/\/cyberscoop.com\/cyberscoop50\/\">Click here!<\/a> <\/div>\n<p> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"26.671374764595\">\n<div class=\"single-article__header-content\" readability=\"36.382978723404\">\n<p> Star Blizzard, known to be part of Russia\u2019s FSB, moved schemes to the messaging platform last November. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/83164\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/microsoft-catches-russian-state-sponsored-hackers-shifting-tactics-to-whatsapp.jpg?resize=640%2C426&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/microsoft-catches-russian-state-sponsored-hackers-shifting-tactics-to-whatsapp-2.jpg 3300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/microsoft-catches-russian-state-sponsored-hackers-shifting-tactics-to-whatsapp-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/microsoft-catches-russian-state-sponsored-hackers-shifting-tactics-to-whatsapp-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/microsoft-catches-russian-state-sponsored-hackers-shifting-tactics-to-whatsapp-2.jpg?resize=1024,682 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/microsoft-catches-russian-state-sponsored-hackers-shifting-tactics-to-whatsapp-2.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/microsoft-catches-russian-state-sponsored-hackers-shifting-tactics-to-whatsapp-2.jpg?resize=2048,1365 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/microsoft-catches-russian-state-sponsored-hackers-shifting-tactics-to-whatsapp-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/microsoft-catches-russian-state-sponsored-hackers-shifting-tactics-to-whatsapp-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/microsoft-catches-russian-state-sponsored-hackers-shifting-tactics-to-whatsapp-2.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/microsoft-catches-russian-state-sponsored-hackers-shifting-tactics-to-whatsapp-2.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/microsoft-catches-russian-state-sponsored-hackers-shifting-tactics-to-whatsapp-2.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> A picture taken on March 23, 2022 in Moscow shows the US instant messaging software Whatsapp logo on a smartphone screen.(Photo by -\/AFP via Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"32.097290322581\"><body readability=\"65.357664233577\"><\/p>\n<p>The cat-and-mouse game between state-sponsored Russian hackers and one of the world\u2019s biggest technology companies has continued into 2025. <\/p>\n<p>Microsoft\u2019s threat intelligence team published research Thursday examining how a state-sponsored Russian threat actor group, known as Star Blizzard, has altered its longstanding attack strategies to target WhatsApp accounts. This attack vector is a significant change in the group\u2019s tactics, techniques, and procedures (TTPs), as it has normally relied on email in the past.<\/p>\n<p>The group, via phishing campaigns, typically targets individuals and organizations relevant to government, diplomacy, defense policy, and international relations research, particularly when these activities involve Russia. Historically, they have also targeted civil society organizations \u2014 including journalists, think tanks, and non-governmental organizations \u2014 aiming to exfiltrate sensitive information and disrupt operations.<\/p>\n<p>In a campaign observed in mid-November 2024, Star Blizzard\u2019s initial approach involved sending emails purportedly from a U.S. government official, containing a QR code said to direct recipients to information on supporting Ukrainian NGOs. The QR code, however, was intentionally broken, prompting targets to respond for an alternative link. The follow-up communication included a malicious shortened link, designed to deceive targets into believing they were joining a WhatsApp group. In reality, the link led to a phishing website using WhatsApp\u2019s account-linking QR code feature. This maneuver enables the threat actor to gain unauthorized access to victims\u2019 WhatsApp messages via its web messaging platform, potentially compromising the privacy and confidentiality of sensitive communications.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>This operation by Star Blizzard, which is believed to be an operational unit within Russia FSB\u2019s Center 18, follows Microsoft and the U.S. Department of Justice\u2019s <a href=\"https:\/\/cyberscoop.com\/doj-microsoft-fsb-espionage-star-blizzard\/\">collaborative efforts in October<\/a> to shut down over 180 websites tied to the group\u2019s previous campaigns. While these actions temporarily hindered Star Blizzard\u2019s phishing operations, the threat actor quickly transitioned to new domains, underscoring their resilience and adaptability in the face of law enforcement\u2019s actions.<\/p>\n<p>Microsoft assesses that the group\u2019s targeting of WhatsApp accounts is likely a response to the exposure of its previous TTPs, aiming to evade detection by cybersecurity agencies. The company says there is a silver lining: this particular campaign stopped at the end of November. Microsoft did not provide any evidence to support why the operation suddenly stopped. <\/p>\n<p>Whether it\u2019s email or WhatsApp, Microsoft warns those who may be targeted to be vigilant about messages that link to external networks. The company says people in the following roles should be especially careful: <\/p>\n<ul class=\"wp-block-list\">\n<li>Government or diplomacy (incumbent and former position holders)<\/li>\n<li>Research into defense policy or international relations when related to Russia<\/li>\n<li>Assistance to Ukraine related to the ongoing conflict with Russia<\/li>\n<\/ul>\n<p>\u201cWhen in doubt, contact the person you think is sending the email using a known and previously used email address to verify that the email was indeed sent by them,\u201d the company states in its blog. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.9317406143345\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/microsoft-catches-russian-state-sponsored-hackers-shifting-tactics-to-whatsapp-1.jpg?w=640&ssl=1\" alt=\"Greg Otto\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Greg Otto<\/h4>\n<p> Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/star-blizzard-fsb-whatsapp-microsoft-threat-intel\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft catches Russian state-sponsored hackers shifting tactics to WhatsApp |<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[338,508,302,117,625,60,270,2823,288,2294],"tags":[341,510,306,119,630,67,276,2824,294,2303],"class_list":["post-6949","post","type-post","status-publish","format-standard","hentry","category-department-of-justice-doj","category-fsb","category-geopolitics","category-government","category-microsoft","category-phishing","category-russia","category-star-blizzard","category-threats","category-whatsapp","tag-department-of-justice-doj","tag-fsb","tag-geopolitics","tag-government","tag-microsoft","tag-phishing","tag-russia","tag-star-blizzard","tag-threats","tag-whatsapp"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/department-of-justice-doj\/\" rel=\"category tag\">Department of Justice (DOJ)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/fsb\/\" rel=\"category tag\">FSB<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/geopolitics\/\" rel=\"category tag\">Geopolitics<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/government\/\" rel=\"category tag\">Government<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/microsoft\/\" rel=\"category tag\">Microsoft<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/phishing\/\" rel=\"category tag\">phishing<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/russia\/\" rel=\"category tag\">Russia<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/star-blizzard\/\" rel=\"category tag\">Star Blizzard<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/whatsapp\/\" rel=\"category tag\">WhatsApp<\/a>","tag_info":"WhatsApp","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6949","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=6949"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6949\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=6949"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=6949"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=6949"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":6949,"date":"2025-01-16T11:00:00","date_gmt":"2025-01-16T17:00:00","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=83164"},"modified":"2025-01-16T11:00:00","modified_gmt":"2025-01-16T17:00:00","slug":"microsoft-catches-russian-state-sponsored-hackers-shifting-tactics-to-whatsapp","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/01\/16\/microsoft-catches-russian-state-sponsored-hackers-shifting-tactics-to-whatsapp\/","title":{"rendered":"Microsoft catches Russian state-sponsored hackers shifting tactics to WhatsApp"},"content":{"rendered":"