Callisto

Threat Actor Profile (updated a month ago)
Callisto, also known as Gossamer Bear, COLDRIVER, UNC4057, Star Blizzard, Blue Charlie, and SEABORGIUM, is a threat actor linked to the Russian state. This group, which has been tracked by various entities including Microsoft, Google's Threat Analysis Group (TAG), and Insikt Group, is known for its credential harvesting campaigns targeting Ukraine and North Atlantic Treaty Organization (NATO) countries. The Callisto Group uses a variety of malware tools to manipulate TCC, including Bundlore, BlueBlood, JokerSpy, XCSSET, and other unnamed macOS Trojans recorded on VirusTotal. Furthermore, this entity has been associated with disinformation campaigns and fake pharma operations, demonstrating an unusual mix of espionage tactics. Insikt Group has identified new infrastructure used by TAG-53, a group likely linked to suspected Russian threat activity groups including Callisto Group, COLDRIVER, and SEABORGIUM. The profiling of this infrastructure reveals significant overlaps with public reporting on these groups, suggesting consistency in their setup. This newly discovered infrastructure aligns with previously attributed tactics, techniques, and procedures (TTPs) of these threat actors, indicating a possible connection between them. The Callisto Group, part of the Federal Security Service hacking group, has been implicated in numerous nefarious activities on behalf of the Russian government. It continues to pose a significant threat to Ukraine even eight months after the Russian invasion, alongside other Russia-aligned Advanced Persistent Threat (APT) groups such as Sandworm, Gamaredon, InvisiMole, and Turla. The group's evolution beyond phishing for credentials to delivering malware via campaigns using PDFs as lure documents underscores its ongoing threat potential. The US government indicted the group in December 2023 for its cyber espionage activities.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
COLDRIVER | 5 | Coldriver, also known as Callisto Group and Star Blizzard, is a threat actor believed to originate from Russia. This entity is recognized for its malicious activities including disinformation campaigns, spear-phishing attacks, and the use of custom malware. The group has been associated with the Rus
Seaborgium | 4 | Seaborgium, also known as Star Blizzard, Callisto Group, COLDRIVER, and TAG-53, is a threat actor linked to suspected Russian threat activity groups. Open-source reporting has enabled Insikt Group to profile the infrastructure used by this group, revealing significant overlaps with other known malic
Star Blizzard | 3 | Star Blizzard, also known as Seaborgium or the Callisto Group, is a threat actor linked to Russia's intelligence service, the FSB. The group has been involved in sophisticated cyber-attacks worldwide, primarily using spear-phishing campaigns to steal account credentials and data. Microsoft, which tr
Callisto Group | 3 | The Callisto Group, a threat actor identified as part of the Russian Federal Security Service, has been exposed by the United States and the United Kingdom for its malicious cyber activities. This group, also known as Coldriver and formerly tracked by Microsoft under the moniker "Seaborgium," is com
Unc4057 | 2 | UNC4057, also known as ColdRiver, Star Blizzard, Blue Charlie, and Callisto, is a Russian-backed advanced persistent threat (APT) group that has been active since 2019. This group, sponsored by the Federal Security Service (FSB), has been involved in various malicious activities on behalf of the Rus
TA446 | 2 | TA446, also known as the Callisto APT group, Seaborgium, Star Blizzard, ColdRiver, TAG-53, and BlueCharlie, is a threat actor that has been active since at least 2015. This cyberespionage entity has persistently targeted individuals and organizations involved in international affairs, defense, and l
Gossamer Bear | 2 | Gossamer Bear, also known as Callisto, Blue Callisto, BlueCharlie (or TAG-53), Calisto, Star Blizzard (formerly SEABORGIUM), TA446, and UNC4057, is a significant threat actor that has been active since 2019. The group primarily focuses on credential harvesting and conducts hack-and-leak campaigns ta
Cold River | 1 | Cold River, a sophisticated threat actor linked to the Kremlin, has been engaging in malicious cyber activities for several years. The group, also known as Star Blizzard, Callisto, and UNC4057, is attributed to Center 18 of the FSB, one of Russia's security services sponsoring global cyber espionage
Blue Charlie | 1 | Blue Charlie, also known as TAG-53, UNC4057, Star Blizzard, and Callisto, is a threat actor linked to Russian threat activity groups such as the Callisto Group, COLDRIVER, and SEABORGIUM. Both Microsoft and the UK government have assessed this connection. The entity is believed to be part of the wid
Calisto | 1 | Calisto, also known as BlueCharlie, Blue Callisto, TAG-53, COLDRIVER, Star Blizzard (formerly SEABORGIUM), TA446, and UNC4057, is a threat actor that has been active since 2019. This group targets a wide range of sectors and is particularly focused on individuals and organizations involved in intern
Bluecharlie | 1 | BlueCharlie, also known as TAG-53, Blue Callisto, Callisto (or Calisto), COLDRIVER, Star Blizzard (formerly SEABORGIUM), and TA446, is a threat actor that has been linked to Russia and has reportedly been active since 2019. The group has been involved in various malicious activities including cybere
Blue Callisto | 1 | Blue Callisto, also known as COLDRIVER, BlueCharlie (or TAG-53), Calisto, Gossamer Bear, Star Blizzard (formerly SEABORGIUM), TA446, and UNC4057, is a malicious software program that has been active since 2019. This malware is designed to infiltrate computer systems and devices, often undetected, vi
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Blizzard, APT, Ukraine, Phishing, Malware, Evasive, Proxy, Microsoft, macOS, Google, Backdoor, Russia, Espionage, UK, NATO
Associated Malware
ID | Type | Votes | Profile Description
Spica | Unspecified | 1 | Spica is a custom malware developed and utilized by the threat group known as Coldriver. The backdoor software, Spica, was first identified by Google's Threat Analysis Group (TAG), which has been tracking its use since as early as September of the previous year. The malware appears to be used in hig
Bundlore | Unspecified | 1 | Bundlore is a type of malware, specifically an adware, that targets macOS systems. It is known for displaying unwanted advertisements on infected computers and installing software products offered by affiliates. Bundlore, along with other malware tools such as BlueBlood, Callisto, JokerSpy, XCSSET,
XCSSET | Unspecified | 1 | XCSSET is a particularly harmful form of malware that targets Apple's M1-Based Macs and macOS 11. As a malicious software, it exploits and damages the computer system by infiltrating through suspicious downloads, emails, or websites. Once inside, it can steal personal information, disrupt operations
InvisiMole | Unspecified | 1 | InvisiMole is a sophisticated malware with modular architecture, designed to infiltrate and exploit computer systems undetected. It begins its operation using a wrapper DLL and performs activities through two other modules embedded in its resources. Notably, the malware is capable of scanning enable
Associated Threat Actors
ID | Type | Votes | Profile Description
Starblizzard | Unspecified | 1 | None
Callisto Apt Group | Unspecified | 1 | None
Gamaredon | Unspecified | 1 | Gamaredon, a Russian Advanced Persistent Threat (APT) group, has been actively tracked since 2013 and is recognized as a significant threat actor in the cybersecurity landscape. Its primary target is Ukraine, against which it deploys an array of home-brewed malware through malicious documents. The E
Sandworm | Unspecified | 1 | Sandworm, a threat actor linked to Russia, has been implicated in numerous high-profile cyber attacks. This group's activities have primarily targeted Ukraine, compromising the country's critical infrastructure and telecommunications providers. The Sandworm group is known for its fileless attack met
Turla | Unspecified | 1 | Turla, also known as Pensive Ursa, is a sophisticated threat actor linked to Russia that has been active for many years. The group is known for its advanced cyber-espionage capabilities and has been associated with numerous high-profile breaches. According to the MITRE ATT&CK and MITRE Ingenuity dat
Armageddon | Unspecified | 1 | Armageddon, also known as the Gamaredon Group, is a threat actor that has been operational since around 2013 or 2014. This group comprises regular officers of the Russian Federal Security Service (FSB) and some former law enforcement officers from Ukraine. Armageddon has been particularly active in
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Callisto Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
BankInfoSecurity | a month ago | European Union Sanctions Russian State Hackers
Flashpoint | 2 months ago | Evolving Tactics: How Russian APT Groups Are Shaping Cyber Threats in 2024
DARKReading | 3 months ago | DPRK Exploits 2 MITRE Sub-Techniques: Phantom DLL Hijacking, TCC Abuse
CERT-EU | 5 months ago | Russian Hackers Target Ukraine Via A Disinformation Campaign
ESET | a year ago | ESET APT Activity Report T2 2022 | WeLiveSecurity
InfoSecurity-magazine | 5 months ago | Russian Hackers Launch Email Campaigns to Demoralize Ukrainians
CERT-EU | 6 months ago | ColdRiver threat group targeting critical infrastructure with backdoor attacks
CERT-EU | 6 months ago | Russian hacker Coldriver extends tactics to include custom malware | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU | 6 months ago | Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware - Cyber Security Review
DARKReading | 6 months ago | Google: Russia's ColdRiver APT Unleashes Custom 'Spica' Malware
CERT-EU | 6 months ago | Russian COLDRIVER Hackers Expand Beyond Phishing with Custom Malware
CERT-EU | 6 months ago | Russian threat group spreading backdoor through phishing, says Google | IT World Canada News
Securityaffairs | 6 months ago | Google TAG warns that Russian COLDRIVER APT is using a custom backdoor
CERT-EU | 6 months ago | Google TAG: Kremlin cyber spies build a custom backdoor
CERT-EU | 6 months ago | Prolific Russian hacking unit using custom backdoor for the first time
CERT-EU | 7 months ago | Wolverine Gameplay, Upcoming Insomniac Games Slate, More Leaked in Ransomware Hack | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU | 8 months ago | Britain, US sanction Russian hackers over years-long FSB cyberespionage campaign | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU | 8 months ago | Russian cyber-spies identified in APT attacks against UK democracy
CERT-EU | 8 months ago | US, UK accuse Russia’s Callisto Group of cyber espionage, political interference