The PolySwarm Blog


Cadet Blizzard

Jun 23, 2023 2:09:27 PM / by The Hivemind

Related Families: WhisperGate
Verticals Targeted: Government, Law Enforcement, Non-profits, Information Technology, Emergency Services

Executive Summary

Cadet Blizzard is a Russia-nexus state-sponsored threat actor group with potential ties to the GRU. However, its activity appears to be distinct from that of other GRU-associated threat actor groups.

Key Takeaways

  • Cadet Blizzard is a Russia-nexus state-sponsored threat actor group with potential ties to the GRU.
  • Its likely targets are NATO countries and other entities aligning with Ukraine.
  • WhisperGate is its most well-known malware to date.

Who is Cadet Blizzard?

Cadet Blizzard, previously referred to as DEV-0586, is a Russia-nexus state-sponsored threat actor group with potential ties to the Russian General Staff Main Intelligence Directorate (GRU). Microsoft recently designated it as separate from other groups associated with GRU activity. The group appears to be motivated by disruption, destruction, and espionage.

Verticals targeted by Cadet Blizzard include government, law enforcement, nonprofits, information technology, and emergency services. Most of the group's targets are located in Ukraine, other parts of Europe, Central Asia, and Latin America. They are deemed more likely to target NATO countries and other entities aligning with Ukraine.

Cadet Blizzard has been active since at least 2020, with WhisperGate, deployed in 2022, being one of its best-known malware families. Cadet Blizzard allegedly defaced multiple Ukrainian websites in the past. The group is known for disrupting network operations and leaking sensitive information. It has also been associated with the Free Civilian leak forum.

Microsoft noted that Cadet Blizzard typically obtains and maintains a foothold on victim networks for months and exfiltrates data before engaging in disruptive behavior. The group was very active in January and June 2022, went quiet for a period, and became active again in January 2023.

Cadet Blizzard has previously used supply chain compromises to reach multiple targets at once. The group is also known to use living-off-the-land techniques and has been observed exploiting CVE-2021-26084 and CVE-2022-41040. Cadet Blizzard's activity appears to be, by design, less stealthy than other GRU-directed network operations.

PolySwarm has multiple samples associated with Cadet Blizzard.

You can use the following CLI command to search for all related samples in our portal:

$ polyswarm link list -f CadetBlizzard

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.



Topics: Russia, Threat Bulletin, Espionage, WhisperGate, Cadet Blizzard, Disruption