Blue Charlie

Threat Actor Profile Updated 25 days ago
Download STIX
Preview STIX
Blue Charlie, also known as TAG-53, UNC4057, Star Blizzard, and Callisto, is a threat actor linked to Russian threat activity groups such as the Callisto Group, COLDRIVER, and SEABORGIUM. Both Microsoft and the UK government have assessed this connection. The entity is believed to be part of the wider landscape of state-sponsored cyber threats, executing malicious actions with the intent to compromise security, gather sensitive information, and disrupt operations. In December 2022, Recorded Future, a cybersecurity firm, profiled the phishing and credential harvesting infrastructure used by Blue Charlie for Russia-aligned espionage operations. The group has targeted a variety of entities including non-governmental organizations, think tanks, journalists, and government and defense officials. Their methods involve sophisticated phishing techniques aimed at compromising email accounts to gain unauthorized access to sensitive data. The threat actor has been found using a custom backdoor named "SPICA" on victim systems to steal information, execute arbitrary commands, and establish persistence. This indicates an advanced level of capability and suggests that the group is not just phishing for credentials but also delivering malware via campaigns. Recently, the group has evolved its tactics, techniques, and procedures (TTPs), moving beyond mere credential phishing to include malware delivery through PDF lure documents. These developments underscore the growing sophistication and persistent threat posed by Blue Charlie.
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
UNC4057, also known as ColdRiver, Star Blizzard, Blue Charlie, and Callisto, is a Russian-backed advanced persistent threat (APT) group that has been active since 2019. This group, sponsored by the Federal Security Service (FSB), has been involved in various malicious activities on behalf of the Rus
Callisto, also known as Gossamer Bear, ColdRiver, UNC4057, Star Blizzard, and Blue Charlie, is a threat actor group likely linked to Russian state interests. This group primarily focuses on credential harvesting, targeting regions such as Ukraine and North Atlantic Treaty Organization (NATO) countri
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
Spica is a custom malware developed and utilized by the threat group known as Coldriver. The backdoor software, Spica, was first identified by Google's Threat Analysis Group (TAG), which has been tracking its use since as early as September of the previous year. The malware appears to be used in hig
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
Coldriver, also known as Star Blizzard and Callisto Group, is a Russian Advanced Persistent Threat (APT) actor that has been identified as a significant cybersecurity threat. Notably, Google's Threat Analysis Group (TAG) has issued warnings about Coldriver's use of a custom backdoor in its operation
Seaborgium, also known as Star Blizzard, Callisto Group, and COLDRIVER, is a threat actor group linked to Russia's Federal Security Service (FSB), specifically its Center 18 cyberespionage unit. The group has been active since at least 2015, conducting extensive spear-phishing campaigns against Brit
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the Blue Charlie Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
Krebs on Security
25 days ago
Stark Industries Solutions: An Iron Hammer in the Cloud
5 months ago
Russian hacker Coldriver extends tactics to include custom malware | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting