Google TAG warns that Russian COLDRIVER APT is using a custom backdoor

Vijay Shekhawat

Software Architect

May 7, 2025 3 min read

Google's Threat Analysis Group (TAG) reports that the Russia-linked cyberespionage group tracked as COLDRIVER is expanding its tactics beyond credential phishing. The group, also tracked as Seaborgium, Callisto, Star Blizzard and TA446, has targeted government officials, military personnel, journalists and think tanks since at least 2015.

COLDRIVER's recent campaigns deliver custom malware through benign-looking PDFs, typically sent under the pretext of asking for feedback on an op-ed or article. When the target opens the PDF, the text appears to be encrypted. If the target replies that they cannot read it, the operators send a link to a supposed decryption tool, which is in fact the backdoor TAG calls SPICA. "Once executed, SPICA decodes an embedded PDF, writes it to disk, and opens it as a decoy for the user," TAG stated.

SPICA is written in Rust and supports, among other actions, executing arbitrary shell commands, stealing cookies from browsers, and enumerating files for exfiltration. TAG first observed SPICA in early September 2023 but assesses that it has been in use since November 2022. Persistence is established by an obfuscated PowerShell command that creates a scheduled task named CalendarChecker. For further details, refer to the original report from Google's Threat Analysis Group.
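The persistence detail above (an obfuscated PowerShell command registering a scheduled task named CalendarChecker) is the most directly detectable part of the SPICA chain. The following is an added example of detection logic, not Google TAG's code: it assumes a SIEM has normalised Windows Security event 4698 ("A scheduled task was created") into dicts carrying `EventID`, `TaskName` and the raw `TaskContent` XML, and it flags a task on either the reported task name or a PowerShell action launched with an encoded command, decoding the latter so an analyst can read it. The sample events, the hidden command and the file path are constructed for the example.

```python
"""Detection logic for the SPICA persistence pattern TAG described: an
obfuscated PowerShell command that registers a scheduled task named
CalendarChecker. Added example, not Google TAG's code. It assumes a SIEM has
normalised Windows Security event 4698 ("A scheduled task was created") into
dicts carrying EventID, TaskName and the raw TaskContent XML; the events below
are constructed, not captured from a real host."""
import base64
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"

# Task name reported by TAG as the SPICA persistence IOC (compared case-insensitively).
KNOWN_TASK_NAMES = {"calendarchecker"}

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -en, -enc, ...).
# The argument is base64 of the UTF-16LE command text.
ENCODED_FLAG = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


@dataclass
class Finding:
    task_name: str
    reason: str
    decoded_command: Optional[str] = None


def decode_encoded_command(b64: str) -> Optional[str]:
    """Recover the plaintext behind -EncodedCommand, or None if it is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def exec_actions(task_xml: str) -> list[str]:
    """Return 'command arguments' for every <Exec> action in a task definition."""
    root = ET.fromstring(task_xml)
    actions = []
    for ex in root.iter(f"{{{TASK_NS}}}Exec"):
        cmd = ex.findtext(f"{{{TASK_NS}}}Command", default="")
        args = ex.findtext(f"{{{TASK_NS}}}Arguments", default="")
        actions.append(f"{cmd} {args}".strip())
    return actions


def inspect_event(event: dict) -> list[Finding]:
    """Flag a 4698 event on either the known task name or an encoded PowerShell action."""
    if event.get("EventID") != 4698:
        return []
    name = event.get("TaskName", "").lstrip("\\")
    findings = []
    if name.lower() in KNOWN_TASK_NAMES:
        findings.append(Finding(name, "task name matches the SPICA persistence IOC"))
    for action in exec_actions(event.get("TaskContent") or "<Task/>"):
        if "powershell" not in action.lower():
            continue
        m = ENCODED_FLAG.search(action)
        if m:
            findings.append(Finding(name, "PowerShell launched with an encoded command",
                                    decode_encoded_command(m.group(1))))
    return findings


def scan(events: list[dict]) -> list[Finding]:
    return [f for e in events for f in inspect_event(e)]


# Constructed sample events (the hidden command and path are invented for the example).
_PLAINTEXT = "Start-Process -WindowStyle Hidden C:\\Users\\Public\\CalendarChecker.exe"
_ENCODED = base64.b64encode(_PLAINTEXT.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {   # benign built-in task: no finding expected
        "EventID": 4698,
        "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
        "TaskContent": f'<Task xmlns="{TASK_NS}"><Actions><Exec>'
                       '<Command>%windir%\\system32\\defrag.exe</Command>'
                       '<Arguments>-c -h -o -$</Arguments></Exec></Actions></Task>',
    },
    {   # SPICA-style persistence: both rules fire
        "EventID": 4698,
        "TaskName": "\\CalendarChecker",
        "TaskContent": f'<Task xmlns="{TASK_NS}"><Actions><Exec>'
                       '<Command>powershell.exe</Command>'
                       f'<Arguments>-nop -w hidden -enc {_ENCODED}</Arguments></Exec></Actions></Task>',
    },
    {"EventID": 4688, "TaskName": "", "TaskContent": ""},  # process creation, not a task: ignored
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.task_name}: {f.reason}" + (f" -> {f.decoded_command}" if f.decoded_command else ""))
```

The task-name rule is brittle (an operator can rename the task), so the encoded-command rule is the one worth keeping in a production ruleset; pair it with process-creation telemetry for `schtasks.exe` and `Register-ScheduledTask` to catch registrations that never produce a 4698 event on hosts where that audit subcategory is off.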

Prolific Russian hacking unit using custom backdoor for the first time

COLDRIVER (reported by CyberScoop as Cold River) has previously targeted high-profile entities, including U.S. nuclear research laboratories. SPICA is the group's first known custom malware; it lets operators execute commands, upload and download files, and gather system information. Google TAG describes it as in limited use against a small number of targets. TAG also noted spear-phishing campaigns against military and defense entities, a broadening of the group's historical target set. In December 2023 the U.S. Department of Justice announced an indictment charging members of the group over hacking campaigns against multiple countries, including NATO members and Ukraine. For a detailed account of the group's evolving tactics, see the analysis on CyberScoop.

Google: Russian state hackers deploying malware in espionage attacks around Europe

Research indicates that Russian state hackers are stepping up efforts to deploy malware on the devices of targets in NATO countries and Ukraine. The group, tracked as COLDRIVER, has refined its technique for luring victims into downloading malware through PDF files. "Since November 2022, they have lured victims into downloading backdoors via benign PDF documents," noted a Google spokesperson. COLDRIVER often impersonates subject-matter experts to build trust with a target before delivering the lure. For more on COLDRIVER's tactics and ongoing activity, see the full report on The Record.

Russia-linked phishing campaigns ensnare civil society and NGOs

Access Now and the Citizen Lab have identified spear-phishing campaigns targeting Russian and Belarusian civil society organizations and international NGOs. One campaign is attributed to COLDRIVER; the other is likely the work of a separate actor the researchers dubbed COLDWASTREL. Both use personal details about the target and fake email accounts impersonating people the target knows, so the messages appear legitimate. The emails typically carry a PDF that appears locked, or a link that claims to unlock its content; the link leads to a credential-harvesting page. For a detailed examination of these phishing tactics and protective measures, refer to the technical report published by Access Now and Citizen Lab.
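Both the SPICA lure described earlier (a PDF whose text appears encrypted, followed by a link to a "decryption tool") and the locked-PDF lures in the Access Now and Citizen Lab report rely on the recipient acting on what the PDF shows rather than on what it contains. A triage step that looks at the file's objects instead of rendering it answers two questions quickly: where do its links point, and does it actually use PDF encryption at all. The following is an added example, not Access Now's, Citizen Lab's or Google TAG's tooling. It scans raw bytes, so it only sees objects stored uncompressed; a lure whose objects sit in FlateDecode or object streams needs a real parser (pypdf, peepdf) instead. Both PDFs below are constructed for the example, not real COLDRIVER or COLDWASTREL samples, and the link target is an invented hostname.

```python
"""Offline triage of a suspected lure PDF: extract link targets and risky
action keys without opening the file. Added example, not Access Now's, Citizen
Lab's or Google TAG's tooling. It scans raw bytes, so it only sees objects
stored uncompressed; FlateDecode or object streams need a real parser. Both
sample PDFs are constructed for the example."""
import re
from dataclasses import dataclass, field

# /URI (literal string) and /URI <hex string> forms of a link action's target.
URI_LITERAL = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]+)>")
# Action types and hooks that a "please read this document" PDF has no business containing.
RISKY_KEYS = re.compile(rb"/(Launch|JavaScript|JS|OpenAction|AA|EmbeddedFile|SubmitForm)\b")


@dataclass
class PdfTriage:
    uris: list = field(default_factory=list)
    risky_keys: list = field(default_factory=list)
    encrypted: bool = False  # True only if the file uses PDF encryption (/Encrypt in the trailer)


def _unescape(literal: bytes) -> str:
    """Undo single-character PDF literal-string escapes such as \\( \\) \\\\ (octal escapes not handled)."""
    return re.sub(rb"\\(.)", rb"\1", literal).decode("latin-1")


def triage_pdf(data: bytes) -> PdfTriage:
    """Collect link targets, risky action keys and the encryption flag from raw PDF bytes."""
    t = PdfTriage()
    for m in URI_LITERAL.finditer(data):
        t.uris.append(_unescape(m.group(1)))
    for m in URI_HEX.finditer(data):
        t.uris.append(bytes.fromhex(m.group(1).decode("ascii")).decode("latin-1"))
    seen = set()
    for m in RISKY_KEYS.finditer(data):
        key = m.group(1).decode("ascii")
        if key not in seen:           # keep first-seen order, no duplicates
            seen.add(key)
            t.risky_keys.append(key)
    t.encrypted = b"/Encrypt" in data
    return t


# Constructed lure: looks like a one-page document with a single "unlock" link, no encryption.
SAMPLE_LURE = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
           /A << /S /URI /URI (https://decrypt-helper.example/unlock) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample with an open-time launch action, the kind of key that should stop triage cold.
SAMPLE_LAUNCH = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction << /S /Launch /F (cmd.exe) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, blob in (("lure", SAMPLE_LURE), ("launch", SAMPLE_LAUNCH)):
        print(label, triage_pdf(blob))
```

The `encrypted` flag is the useful negative: a file whose pages look like ciphertext but carries no `/Encrypt` entry is not encrypted in any PDF sense, so a "decryption tool" offered for it has nothing to decrypt and is pure social engineering. Run the extracted URIs through the same reputation and lookalike-domain checks as the sender address before anyone clicks.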

Cybersecurity Marketing Solutions by GrackerAI

Organizations facing threats from groups like COLDRIVER can benefit from advanced cybersecurity marketing strategies. GrackerAI, an AI-powered cybersecurity marketing platform, helps organizations transform security news into strategic content opportunities. By identifying emerging trends and monitoring threats, GrackerAI enables marketing teams to produce technically relevant content that resonates with cybersecurity professionals. Explore how GrackerAI can elevate your cybersecurity marketing efforts. Visit us at GrackerAI for more information or to contact us directly.

Vijay Shekhawat, Software Architect, is the principal architect behind GrackerAI's self-updating portal infrastructure that scales from 5K to 150K+ monthly visitors, designing systems that automatically optimize for both traditional search engines and AI answer engines.
