@TwitterBot

Google TAG researchers say a notorious Russian-linked hacking group — tracked as “Cold River” — is evolving its tactics beyond phishing to target victims with data-stealing malware https://t.co/G5f8GbRAPV

TechCrunch
Google says Russian espionage crew behind new malware campaign | TechCrunch
"Google's Threat Analysis Group (TAG) said in new research this week that it has observed Cold River ramping up its activity in recent months and using new tactics capable of causing more disruption to its victims, predominantly targets in Ukraine and its NATO allies, academic institutions and non-government organizations."
"These PDF documents, which TAG said Cold River has delivered to targets since November 2022, masquerade as an opinion-editorial piece or another type of article that the spoofed account is looking to solicit feedback on. When the victim opens the benign PDF, the text appears as if it is encrypted. If the target responds that they cannot read the document, the hacker will send a link to a 'decryption' utility, which Google researchers say is a custom backdoor tracked as 'SPICA'."