Russian hackers shift to new malware tactics, Google says

19 Jan 2024

Image: © Dragon Claws/

Google’s TAG said the Coldriver hacker group sends out encrypted PDFs to lure victims into using a decryption tool, which secretly installs malware onto devices.

Google researchers have issued a warning about a Russian hacker group that is using new tactics to trick its victims.

The company’s Threat Analysis Group (TAG) said the hacker group – known as Coldriver – is sending encrypted PDF files as a way to trick users into giving the group access to their devices.

TAG says that for years, Coldriver has been focused on credential phishing against high profile individuals in NGOs, NATO governments and former intelligence and military officers.

In 2022, TAG claimed this group – sometimes referred to as Calisto – targeted a NATO Centre of Excellence and a number of eastern European militaries for the first time.

The research group said Coldriver is continuing its credential phishing activities – often through impersonation activities. But the new tactic involves delivering malware directly to its victims.

Since November 2022, TAG said Coldriver has been observed sending victims benign, encrypted PDF documents from impersonation accounts. If the target responds that they cannot read the encrypted document, the impersonation account responds with a link to a decryption tool.

“This decryption utility, while also displaying a decoy document, is in fact a backdoor, tracked as Spica, giving Coldriver access to the victim’s machine,” TAG said in a blogpost.

The research group said this backdoor malware gives Coldriver various abilities on the victim’s machine, such as downloading files, executing arbitrary shell commands, listing filesystems and more.

“TAG has observed Spica being used as early as September 2023, but believe that Coldriver’s use of the backdoor goes back to at least November 2022,” TAG said. “While TAG has observed four different variants of the initial ‘encrypted’ PDF lure, we have only been able to successfully retrieve a single instance of Spica.

“We believe there may be multiple versions of the Spica backdoor, each with a different embedded decoy document to match the lure document sent to targets.”

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Leigh Mc Gowran is a journalist with Silicon Republic