
TA446 Expands Its Espionage Campaign


Google Threat Analysis Group (TAG) reports new tradecraft attributed to a TA446 (also known as "Cold River" or "Gossamer Bear") espionage campaign which has been active at least since last August.


TA446, which is tied to the Russian FSB, has been actively targeting high-profile individuals, including members of non-governmental organizations, military and intelligence agencies across NATO countries and Ukraine.


The campaign leverages advanced social engineering: impersonation accounts on social media are used to make contact with targets and build a relationship of trust. Once that relationship has been established, the threat actor launches a phishing attack with decidedly unusual features.


The emails carry encrypted attachments that fail to open on the victim's machine. The recipient is thereby lured into asking for a decryption key, which the actor provides in the form of an application purportedly serving as a decryptor. However, the application, named "Proton-decrypter.exe", contains a backdoor dubbed "SPICA" that gives TA446 remote access to the victim's machine. Persistence is established via a scheduled task which TAG reports to be named "CalendarChecker".
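
A defender can hunt for both names in Windows Security events. The sketch below is an added example, not code from TAG or from this article: it assumes events 4688 (process created) and 4698 (scheduled task created) have been exported as one JSON object per line with the field names shown, and the sample events, host names and paths are constructed.

```python
import json
import ntpath
import xml.etree.ElementTree as ET

# Names taken from the article (as reported by TAG); matched case-insensitively.
TASK_NAME = "calendarchecker"
DROPPER_NAME = "proton-decrypter.exe"
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample events; the JSON-lines layout is an assumed export format.
SAMPLE_EVENTS = r'''
{"EventID": 4688, "Computer": "WS-01", "NewProcessName": "C:\\Users\\alice\\Downloads\\Proton-decrypter.exe"}
{"EventID": 4698, "Computer": "WS-01", "TaskName": "\\CalendarChecker", "TaskContent": "<Task xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"><Actions><Exec><Command>C:\\Users\\alice\\AppData\\Roaming\\example.exe</Command></Exec></Actions></Task>"}
{"EventID": 4698, "Computer": "WS-02", "TaskName": "\\Microsoft\\Office\\CalendarSync", "TaskContent": ""}
{"EventID": 4688, "Computer": "WS-02", "NewProcessName": "C:\\Windows\\System32\\notepad.exe"}
'''

def task_command(task_xml):
    """Return the first Exec command in a task definition, or None."""
    try:
        node = ET.fromstring(task_xml).find("t:Actions/t:Exec/t:Command", TASK_NS)
    except ET.ParseError:
        return None
    return node.text if node is not None else None

def hunt(lines):
    """Yield (computer, indicator, detail) for events matching either name."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("EventID") == 4698:  # scheduled task created
            # Task names are paths such as \Folder\Name; compare the leaf only.
            leaf = ev.get("TaskName", "").rsplit("\\", 1)[-1]
            if leaf.lower() == TASK_NAME:
                yield ev["Computer"], "task", task_command(ev.get("TaskContent", ""))
        elif ev.get("EventID") == 4688:  # process created
            image = ev.get("NewProcessName", "")
            if ntpath.basename(image).lower() == DROPPER_NAME:
                yield ev["Computer"], "process", image

def find_hits(text=SAMPLE_EVENTS):
    return list(hunt(text.splitlines()))

if __name__ == "__main__":
    for hit in find_hits():
        print(hit)
```

A name match alone is only a lead for triage, since file and task names are trivially changed; the command extracted from the task definition shows what the task would actually run. Both event types are recorded only when the corresponding audit policies are enabled.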


While TA446 continues its espionage campaign, there are reports of destructive attacks against Swiss governmental sites, specifically the primary government portal admin[.]ch, which was reportedly impacted by a distributed denial of service attack at the time of the Ukrainian government's official visit to the World Economic Forum held in Davos, Switzerland. The attack had limited impact, and was reportedly claimed by the Russia-aligned group NoName.

If you are interested in specifics or additional insights on the threats above or any other threat, please visit our dedicated service page or reach out to info@clipeusintelligence.com with your inquiry. We would be glad to assist you.
