Callisto

Threat Actor Profile Updated 6 days ago
Callisto, also known as Gossamer Bear, ColdRiver, UNC4057, Star Blizzard, and Blue Charlie, is a threat actor group likely linked to Russian state interests. The group focuses primarily on credential harvesting, targeting regions such as Ukraine and North Atlantic Treaty Organization (NATO) countries. It is known for using malware tools such as Bundlore, BlueBlood, JokerSpy, and XCSSET, among others, to manipulate TCC. The group has been associated with a range of malicious activities, including espionage, disinformation campaigns, and fake pharma campaigns, which bear striking similarities to the tactics of other Russia-aligned espionage groups. Insikt Group has identified new infrastructure used by TAG-53, a group that overlaps significantly with Callisto. The consistent way this infrastructure is set up, together with its notable hallmarks and crossover, suggests a strong correlation between TAG-53 and Callisto; the newly discovered infrastructure also aligns with tactics, techniques, and procedures (TTPs) previously attributed to Callisto, further strengthening the connection. Callisto's activities were still being observed eight months after the Russian invasion, indicating ongoing operations targeting Ukraine. The threat posed by Callisto extends beyond credential phishing and has evolved to include malware delivery through campaigns that use PDFs as lure documents. Over the years, the group has carried out cyber espionage against high-profile individuals in NGOs, former intelligence and military officers, and NATO governments. Its activities were severe enough that it was indicted by the U.S. government in December 2023. Despite international attention and legal action, Callisto continues to pose a significant threat to global cybersecurity.
Possible Aliases / Cluster overlaps
Tracking cluster overlaps and naming conventions across vendors is difficult, so here are some possibly overlapping names and profiles you may also want to look at.
ID (votes): Profile description
COLDRIVER (4 votes): Coldriver, also known as Star Blizzard and Callisto Group, is a Russian Advanced Persistent Threat (APT) actor that has been identified as a significant cybersecurity threat. Notably, Google's Threat Analysis Group (TAG) has issued warnings about Coldriver's use of a custom backdoor in its operation
Star Blizzard (3 votes): Star Blizzard, also known as Seaborgium or the Callisto Group, is a threat actor linked to Russia's intelligence service, the FSB. The group has been involved in sophisticated cyber-attacks worldwide, primarily using spear-phishing campaigns to steal account credentials and data. Microsoft, which tr
Seaborgium (3 votes): Seaborgium, also known as Star Blizzard, Callisto Group, and COLDRIVER, is a threat actor group linked to Russia's Federal Security Service (FSB), specifically its Center 18 cyberespionage unit. The group has been active since at least 2015, conducting extensive spear-phishing campaigns against Brit
Unc4057 (2 votes): UNC4057, also known as ColdRiver, Star Blizzard, Blue Charlie, and Callisto, is a Russian-backed advanced persistent threat (APT) group that has been active since 2019. This group, sponsored by the Federal Security Service (FSB), has been involved in various malicious activities on behalf of the Rus
Gossamer Bear (2 votes): Gossamer Bear, also known as Callisto, Blue Callisto, BlueCharlie (or TAG-53), Calisto, Star Blizzard (formerly SEABORGIUM), TA446, and UNC4057, is a significant threat actor that has been active since 2019. The group primarily focuses on credential harvesting and conducts hack-and-leak campaigns ta
Callisto Group (2 votes): The Callisto Group, also known as Star Blizzard and Coldriver, is a threat actor originating from Russia. A threat actor refers to an entity that executes actions with malicious intent, which could range from individuals to government entities. The Callisto Group has been recognized for its advanced
TA446 (2 votes): TA446, also known as the Callisto APT group, Seaborgium, Star Blizzard, ColdRiver, TAG-53, and BlueCharlie, is a threat actor that has been active since at least 2015. This cyberespionage entity has persistently targeted individuals and organizations involved in international affairs, defense, and l
Miscellaneous Associations
Other contextual elements that could help in assessing relevance
Blizzard
Apt
Malware
Phishing
Ukraine
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
The information about the Callisto threat actor was drawn from the document corpus below. This display is limited to 20 results.
Source (created at): Title
CERT-EU (6 months ago): UK and allies expose Russian FSB hacking group, sanction members
CERT-EU (6 months ago): UK and US expose Russia Callisto Group's activity and sanction members
CERT-EU (6 months ago): US, UK accuse Russia’s Callisto Group of cyber espionage, political interference
Recorded Future (a year ago): Exposing TAG-53’s Credential Harvesting Infrastructure Used for Russia-Aligned Espionage Operations
CERT-EU (6 months ago): Russian FSB Targets US and UK Politicians in Sneaky Spear-Phish Plan
CERT-EU (6 months ago): Russian cyber-spies identified in APT attacks against UK democracy
Securityaffairs (4 months ago): Google TAG warns that Russian COLDRIVER APT is using a custom backdoor
CERT-EU (4 months ago): Russian COLDRIVER Hackers Expand Beyond Phishing with Custom Malware
CERT-EU (10 months ago): Leftover Links 03/08/2023: Tor Browser 12.5.2 and LF Misportrayed as 'Linux'
CERT-EU (6 months ago): Russian military hackers target NATO fast reaction corps
CERT-EU (4 months ago): ColdRiver threat group targeting critical infrastructure with backdoor attacks
CERT-EU (10 months ago): Russian Cyber Adversary BlueCharlie Alters Infrastructure in Response to Disclosures – GIXtools
CERT-EU (3 months ago): Russian Hackers Target Ukraine Via A Disinformation Campaign
CERT-EU (6 months ago): Microsoft Warns of COLDRIVER's Evolving Evading and Credential-Stealing Tactics
InfoSecurity-magazine (3 months ago): Russian Hackers Launch Email Campaigns to Demoralize Ukrainians
CERT-EU (4 months ago): Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware - Cyber Security Review
CERT-EU (a year ago): A Year of Conflict: Cybersecurity Industry Assesses Impact of Russia-Ukraine War | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware - National Cyber Security
CERT-EU (6 months ago): UK accuses Russia of cyber interference targeting elections and democracy
CERT-EU (6 months ago): USA & Britain Accuse Russia Of Hacking
DARKReading (4 months ago): Google: Russia's ColdRiver APT Unleashes Custom 'Spica' Malware