
FSB Star Blizzard
FSB cyber unit using QR-code social engineering to compromise messaging accounts of journalists, lawyers and politicians.
Last refreshed: 17 April 2026 · Appears in 1 active topic
How does an FSB unit use QR codes to take over a journalist's Signal account?
Timeline for FSB Star Blizzard
Mentioned in: NCSC ships SilentGlass, its first commercial product
Cybersecurity: Threats and DefencesTargeted Signal, WhatsApp and Facebook Messenger accounts of politicians, journalists, academics and lawyers using malicious QR codes
Cybersecurity: Threats and Defences: Signal, WhatsApp hit by three statesWhat is FSB Star Blizzard and why is it dangerous?
Is Star Blizzard the same as Cold River or Callisto Group?
How does Star Blizzard use QR codes to hack messaging apps?
Background
FSB Star Blizzard is a threat actor attributed by NCSC, CISA and EU partner agencies to Russia's Federal Security Service (FSB). In March 2026, NCSC and the Dutch AIVD issued a joint advisory identifying Star Blizzard as one of three state actors, alongside China's APT31 and Iran's IRGC, targeting Signal, WhatsApp and Facebook Messenger accounts of politicians, journalists, academics and lawyers via malicious QR codes and contact impersonation.
Star Blizzard (previously tracked as SEABORGIUM, Callisto Group and Cold River) has been active since at least 2019. Its campaigns centre on sustained social engineering: building rapport with targets over weeks or months before delivering credential-harvesting links, spear-phishing attachments or, more recently, malicious QR codes that link attacker-controlled devices to the target's messaging account. Prior campaigns targeted NATO officials, UK MPs, think-tank researchers and Ukrainian officials. The group's access to messaging-platform accounts gives it insight into the private communications of civil-society organisations that operate largely outside the corporate network perimeter.
The convergence of FSB, APT31 and IRGC on the same messaging-app targeting technique across the March 2026 advisory suggests that consumer-grade encrypted messaging is now a priority intelligence collection surface for multiple adversaries. The recommended mitigation, passkeys and device audit, is targeted at individuals rather than enterprise IT teams.