Blue Charlie

Threat Actor Profile Updated 2 months ago

Download STIX

Preview STIX

Blue Charlie, also known as TAG-53, UNC4057, Star Blizzard, and Callisto, is a threat actor linked to Russian threat activity groups such as the Callisto Group, COLDRIVER, and SEABORGIUM. Both Microsoft and the UK government have assessed this connection. The entity is believed to be part of the wider landscape of state-sponsored cyber threats, executing malicious actions with the intent to compromise security, gather sensitive information, and disrupt operations. In December 2022, Recorded Future, a cybersecurity firm, profiled the phishing and credential harvesting infrastructure used by Blue Charlie for Russia-aligned espionage operations. The group has targeted a variety of entities including non-governmental organizations, think tanks, journalists, and government and defense officials. Their methods involve sophisticated phishing techniques aimed at compromising email accounts to gain unauthorized access to sensitive data. The threat actor has been found using a custom backdoor named "SPICA" on victim systems to steal information, execute arbitrary commands, and establish persistence. This indicates an advanced level of capability and suggests that the group is not just phishing for credentials but also delivering malware via campaigns. Recently, the group has evolved its tactics, techniques, and procedures (TTPs), moving beyond mere credential phishing to include malware delivery through PDF lure documents. These developments underscore the growing sophistication and persistent threat posed by Blue Charlie.

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.

ID	Votes	Profile Description
Unc4057	1	UNC4057, also known as ColdRiver, Star Blizzard, Blue Charlie, and Callisto, is a Russian-backed advanced persistent threat (APT) group that has been active since 2019. This group, sponsored by the Federal Security Service (FSB), has been involved in various malicious activities on behalf of the Rus
Callisto	1	Callisto, also known as Gossamer Bear, COLDRIVER, UNC4057, Star Blizzard, Blue Charlie, and SEABORGIUM, is a threat actor linked to the Russian state. This group, which has been tracked by various entities including Microsoft, Google's Threat Analysis Group (TAG), and Insikt Group, is known for its

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Phishing

Backdoor

Apt

Blizzard

Malware

Associated Malware

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
Spica	Unspecified	1	Spica is a custom malware developed and utilized by the threat group known as Coldriver. The backdoor software, Spica, was first identified by Google's Threat Analysis Group (TAG), which has been tracking its use since as early as September of the previous year. The malware appears to be used in hig

Associated Threat Actors

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
Seaborgium	Unspecified	1	Seaborgium, also known as Star Blizzard, Callisto Group, COLDRIVER, and TAG-53, is a threat actor linked to suspected Russian threat activity groups. Open-source reporting has enabled Insikt Group to profile the infrastructure used by this group, revealing significant overlaps with other known malic
COLDRIVER	Unspecified	1	Coldriver, also known as Callisto Group and Star Blizzard, is a threat actor believed to originate from Russia. This entity is recognized for its malicious activities including disinformation campaigns, spear-phishing attacks, and the use of custom malware. The group has been associated with the Rus

Associated Vulnerabilities

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
No associations to display

Source Document References

Information about the Blue Charlie Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source	CreatedAt	Title
Krebs on Security	2 months ago	Stark Industries Solutions: An Iron Hammer in the Cloud
CERT-EU	6 months ago	Russian hacker Coldriver extends tactics to include custom malware \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting