Blue Charlie, also known as TAG-53, UNC4057, Star Blizzard, and Callisto, is a threat actor linked to Russian threat activity groups such as the Callisto Group, COLDRIVER, and SEABORGIUM. Both Microsoft and the UK government have assessed this connection. The group is believed to be part of the wider landscape of state-sponsored cyber threats, conducting intrusions intended to compromise targets, gather sensitive information, and disrupt operations.
In December 2022, Recorded Future, a cybersecurity firm, profiled the phishing and credential harvesting infrastructure used by Blue Charlie for Russia-aligned espionage operations. The group has targeted a variety of entities including non-governmental organizations, think tanks, journalists, and government and defense officials. Their methods involve sophisticated phishing techniques aimed at compromising email accounts to gain unauthorized access to sensitive data.
The threat actor has been observed deploying a custom backdoor named "SPICA" on victim systems to steal information, execute arbitrary commands, and maintain persistence. This indicates an advanced level of capability: the group is not only phishing for credentials but also delivering malware through its campaigns. Recently, the group has evolved its tactics, techniques, and procedures (TTPs), moving beyond credential phishing to malware delivery via PDF lure documents. These developments underscore the growing sophistication and persistent threat posed by Blue Charlie.
Description last updated: 2024-05-24T02:15:54.673Z