Executive Summary
Google's Threat Analysis Group (TAG) has identified three previously undocumented malware families deployed by COLDRIVER, a threat actor attributed to the Russian Federal Security Service (FSB). The new tools—SPICA, COLDWRAP, and ICEBURN—represent a significant expansion of the group's offensive capabilities.
COLDRIVER, also tracked as Star Blizzard, Callisto Group, and BlueCharlie, has historically focused on credential phishing operations. The introduction of custom malware signals a strategic shift toward more persistent and invasive access to target networks.
Malware Family Analysis
The three newly identified malware families serve distinct purposes in COLDRIVER's operational toolkit:
SPICA Backdoor
SPICA is a lightweight backdoor written in Rust, designed for initial access and reconnaissance. Key capabilities include:
- Command execution — Arbitrary shell commands via cmd.exe or PowerShell
- File operations — Upload, download, and enumerate files
- Persistence — Registry run keys and scheduled tasks
- Evasion — Process injection into legitimate Windows processes
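The persistence and evasion behaviours listed above each leave a distinct trace in Windows endpoint telemetry. The following is an added example, not code from the TAG report, showing how a detection engineer might flag them over Sysmon-style records. It assumes events are dictionaries with Sysmon field names (EventID 13 for registry value writes, 1 for process creation, 8 for CreateRemoteThread); the sample events and the list of injection-target processes are constructed for illustration.

```python
import re
from ntpath import basename  # parses Windows paths correctly on any host OS

# Sysmon Event ID 13 (registry value set) under a Run or RunOnce key.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Sysmon Event ID 1 (process create) invoking schtasks.exe with /create.
SCHTASKS_CREATE_RE = re.compile(r"\bschtasks\b.*\s/create\b", re.IGNORECASE)
# Legitimate Windows binaries commonly chosen as injection targets. The report
# names the behaviour, not the target processes, so this list is an assumption.
INJECTION_TARGETS = {"explorer.exe", "svchost.exe", "rundll32.exe"}
# Paths a freshly dropped implant would plausibly launch from; raises priority.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData)\\", re.IGNORECASE)


def _priority(*paths):
    return "high" if any(USER_WRITABLE_RE.search(p) for p in paths) else "medium"


def detect(events):
    """Return (rule, priority, image, detail) tuples for events matching the behaviours."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        if eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
            detail = ev.get("Details", "")  # the value written, i.e. the launch command
            alerts.append(("run_key_persistence", _priority(image, detail), image, detail))
        elif eid == 1 and SCHTASKS_CREATE_RE.search(ev.get("CommandLine", "")):
            detail = ev.get("CommandLine", "")
            alerts.append(("scheduled_task_persistence", _priority(image, detail), image, detail))
        elif eid == 8:
            src, tgt = ev.get("SourceImage", ""), ev.get("TargetImage", "")
            # A remote thread created in a well-known system binary by a different image.
            if basename(tgt).lower() in INJECTION_TARGETS and basename(src).lower() != basename(tgt).lower():
                alerts.append(("remote_thread_injection", _priority(src), src, tgt))
    return alerts


# Constructed sample telemetry (not real captures): three suspicious, three benign events.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c schtasks /create /sc onlogon /tn "Updater" /tr C:\Users\alice\AppData\Local\Temp\update.exe'},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "schtasks /query /fo list"},          # benign: enumeration only
    {"EventID": 8, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\conhost.exe"},   # benign: target not in list
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Foo\DisplayName",
     "Details": "Foo"},                                   # benign: not a Run key
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Each rule on its own is noisy (installers write Run keys, administrators create tasks), which is why the priority field weighs whether the binary involved lives in a user-writable directory; in production these rules would feed a correlation stage rather than page on a single hit.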
COLDWRAP Credential Stealer
COLDWRAP specifically targets browser-stored credentials and authentication tokens. It extracts data from Chrome, Firefox, and Edge, including saved passwords, cookies, and session tokens for cloud services.
ICEBURN Implant
ICEBURN is a second-stage implant deployed on high-value targets, featuring encrypted communications, a modular plugin architecture, and advanced anti-forensics capabilities, including log manipulation and timestomping.
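Both anti-forensics techniques named above can be checked for after the fact. As an added example (not from the TAG report), the code below applies two widely used timestomping heuristics to MFT-style records and flags Windows event-log clearing. It assumes records carry raw 64-bit FILETIME values for the $STANDARD_INFORMATION and $FILE_NAME attributes, as most MFT parsers emit them; the sample records and events are constructed.

```python
from datetime import datetime, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # NTFS timestamps count 100 ns intervals


def filetime(iso_utc, frac_ticks=0):
    """Build a Windows FILETIME (100 ns ticks since 1601) from an ISO-8601 UTC
    string plus an explicit sub-second tick count, so the fraction is controlled."""
    dt = datetime.fromisoformat(iso_utc).replace(tzinfo=timezone.utc)
    return int((dt - EPOCH_1601).total_seconds()) * TICKS_PER_SECOND + frac_ticks


def timestomp_findings(records):
    """Apply two well-known heuristics to MFT-style records.

    Each record: {"path": str, "si": {"created": int, "modified": int},
                  "fn": {"created": int}} holding FILETIME integers.
    1. $STANDARD_INFORMATION created before $FILE_NAME created: user-mode
       timestamp APIs alter SI only, while FN is maintained by the kernel, so
       SI predating FN is a strong (not conclusive) sign of manipulation.
    2. SI timestamps with a zero sub-second component: stomping tools often
       write whole seconds, whereas genuine NTFS times almost always carry
       a non-zero 100 ns fraction.
    """
    findings = []
    for rec in records:
        si, fn = rec["si"], rec["fn"]
        if si["created"] < fn["created"]:
            findings.append(("si_created_before_fn_created", rec["path"]))
        if any(v % TICKS_PER_SECOND == 0 for v in si.values()):
            findings.append(("si_zero_subsecond", rec["path"]))
    return findings


def log_clearing_findings(events):
    """Flag Windows event-log clearing: Security 1102 and System 104."""
    cleared = {("Security", 1102), ("System", 104)}
    return [("event_log_cleared", ev.get("Channel"))
            for ev in events if (ev.get("Channel"), ev.get("EventID")) in cleared]


# Constructed sample records: one benign document, one stomped DLL, one benign PDF.
SAMPLE_RECORDS = [
    {"path": r"C:\Users\alice\Documents\notes.txt",
     "si": {"created": filetime("2024-03-10T14:22:05", 4821337),
            "modified": filetime("2024-03-10T16:01:12", 77031)},
     "fn": {"created": filetime("2024-03-10T14:22:05", 4821337)}},
    {"path": r"C:\Windows\Temp\svc.dll",
     "si": {"created": filetime("2019-06-01T08:00:00"),       # backdated, whole seconds
            "modified": filetime("2019-06-01T08:00:00")},
     "fn": {"created": filetime("2024-03-12T02:17:44", 9123456)}},  # kernel-set, untouched
    {"path": r"C:\Users\alice\Downloads\report.pdf",
     "si": {"created": filetime("2024-03-11T09:30:41", 2200019),
            "modified": filetime("2024-03-11T09:30:41", 2200019)},
     "fn": {"created": filetime("2024-03-11T09:30:41", 2200019)}},
]

# Constructed sample event-log entries.
SAMPLE_EVENTS = [
    {"Channel": "System", "EventID": 7036},                        # service state change, benign
    {"Channel": "Security", "EventID": 1102, "Computer": "WS01"},  # audit log cleared
]

if __name__ == "__main__":
    for f in timestomp_findings(SAMPLE_RECORDS) + log_clearing_findings(SAMPLE_EVENTS):
        print(f)
```

Because $FILE_NAME timestamps are refreshed when a file is moved or renamed, the first heuristic should be read alongside the file's USN journal history before concluding that stomping occurred; the second heuristic is cheap and scales to a full volume.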
Delivery Mechanisms
COLDRIVER continues to rely on social engineering for initial delivery, with malware distributed through:
- Weaponized PDF documents exploiting CVE-2024-4671
- Trojanized versions of legitimate software (Signal, Telegram)
- Phishing pages mimicking cloud login portals
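Of the three delivery paths, the lookalike login portal is the one most readily surfaced from web-proxy logs. The following added example (not part of the TAG report) scans constructed proxy log lines for hosts that imitate a protected set of cloud login hostnames, using character-substitution normalisation, a small edit-distance check, and a brand-name containment check. The protected hostnames, the log line format, and all sample lines are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Legitimate login hosts mapped to their registrable domains (assumed allow-list).
PROTECTED = {
    "login.microsoftonline.com": "microsoftonline.com",
    "accounts.google.com": "google.com",
}
# Single-character substitutions that read alike; multi-character ones handled below.
SINGLE_CHAR = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
# Constructed proxy line: timestamp client method url status
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def normalise(host):
    """Collapse common visual confusables so lookalikes compare equal."""
    return host.lower().translate(SINGLE_CHAR).replace("rn", "m").replace("vv", "w")


def levenshtein(a, b):
    """Edit distance, iterative single-row implementation."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host):
    """Return a verdict string for a suspicious host, or None if it is fine."""
    host = host.lower().rstrip(".")
    for legit, apex in PROTECTED.items():
        if host == legit or host == apex or host.endswith("." + apex):
            return None  # genuinely under the protected domain
    norm = normalise(host)
    for legit, apex in PROTECTED.items():
        if levenshtein(norm, normalise(legit)) <= 2:
            return "lookalike_host"
        if apex.split(".")[0] in norm:
            return "brand_embedded"
    return None


def scan(lines):
    """Yield (client, host, verdict) for each log line whose host looks suspicious."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        client, url = m.group(2), m.group(4)
        host = urlsplit(url).hostname
        verdict = classify(host) if host else None
        if verdict:
            hits.append((client, host, verdict))
    return hits


# Constructed sample proxy log (not real traffic).
SAMPLE_LOG = """\
2024-03-12T09:14:02Z 10.1.4.23 GET https://login.microsoftonline.com/common/oauth2 200
2024-03-12T09:15:10Z 10.1.4.23 GET https://login.micros0ftonline.com/common/oauth2 200
2024-03-12T09:16:31Z 10.1.4.77 GET https://accounts-google.com-verify.example/signin 200
2024-03-12T09:17:05Z 10.1.4.77 GET https://docs.google.com/document/d/abc 200
2024-03-12T09:18:40Z 10.1.4.90 GET https://intranet.example/portal 200
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The edit-distance threshold of 2 is deliberately tight; raising it catches more registrations but quickly collides with unrelated short hostnames, so in practice the brand-containment rule carries most of the load and the distance rule is reserved for single-character swaps like the one in the second sample line.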
Target Profile
Consistent with historical COLDRIVER operations, targets include NGOs, think tanks, journalists, and government officials in NATO member states. Recent campaigns have shown particular focus on individuals involved in Ukraine policy and defense sector personnel.