UNC4057

Threat Actor Profile Updated 2 months ago
UNC4057, also tracked as COLDRIVER, Star Blizzard, Blue Charlie and Callisto, is a Russian state-backed advanced persistent threat (APT) group that has been active since at least 2019 and is attributed to Russia's Federal Security Service (FSB). The group conducts cyber espionage on behalf of the Russian government. Its long-standing specialty is credential theft through spear-phishing: it impersonates contacts known to the target, tailors each lure to the individual, and uses sender addresses and infrastructure configured to look legitimate to the recipient. Its targets are high-profile individuals at non-governmental organizations (NGOs), former intelligence and military officers, and NATO governments.

Google's Threat Analysis Group (TAG) has since observed the group move beyond credential phishing to malware delivery. In these campaigns the phishing message carries a PDF lure rather than an exploit document: the PDF appears to be encrypted, and when the target replies that it cannot be read, the actor offers a link to a supposed "decryption utility". That utility is a custom backdoor, named SPICA by TAG, which can execute arbitrary commands, steal files and information, and maintain persistence on the compromised host.

The shift from pure credential phishing to a bespoke backdoor marks a notable escalation for a group that was already a persistent threat to these target sets, and it is why defenders who protect NGOs, former officials and government staff should treat unsolicited PDFs and follow-up "tool" links from plausible-looking contacts with particular suspicion.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
Name (votes): profile description

Star Blizzard (2 votes): Star Blizzard, also known as Seaborgium or the Callisto Group, is a threat actor linked to Russia's intelligence service, the FSB. The group has been involved in sophisticated cyber-attacks worldwide, primarily using spear-phishing campaigns to steal account credentials and data. Microsoft, which tr

COLDRIVER (2 votes): Coldriver, also known as Callisto Group and Star Blizzard, is a threat actor believed to originate from Russia. This entity is recognized for its malicious activities including disinformation campaigns, spear-phishing attacks, and the use of custom malware. The group has been associated with the Rus

Callisto (2 votes): Callisto, also known as Gossamer Bear, COLDRIVER, UNC4057, Star Blizzard, Blue Charlie, and SEABORGIUM, is a threat actor linked to the Russian state. This group, which has been tracked by various entities including Microsoft, Google's Threat Analysis Group (TAG), and Insikt Group, is known for its

Cold River (1 vote): Cold River, a sophisticated threat actor linked to the Kremlin, has been engaging in malicious cyber activities for several years. The group, also known as Star Blizzard, Callisto, and UNC4057, is attributed to Center 18 of the FSB, one of Russia's security services sponsoring global cyber espionage

Blue Callisto (1 vote): Blue Callisto, also known as COLDRIVER, BlueCharlie (or TAG-53), Calisto, Gossamer Bear, Star Blizzard (formerly SEABORGIUM), TA446, and UNC4057, is a threat actor that has been active since 2019. The group is known for infiltrating computer systems and devices, often undetected, vi

Calisto (1 vote): Calisto, also known as BlueCharlie, Blue Callisto, TAG-53, COLDRIVER, Star Blizzard (formerly SEABORGIUM), TA446, and UNC4057, is a threat actor that has been active since 2019. This group targets a wide range of sectors and is particularly focused on individuals and organizations involved in intern

Gossamer Bear (1 vote): Gossamer Bear, also known as Callisto, Blue Callisto, BlueCharlie (or TAG-53), Calisto, Star Blizzard (formerly SEABORGIUM), TA446, and UNC4057, is a significant threat actor that has been active since 2019. The group primarily focuses on credential harvesting and conducts hack-and-leak campaigns ta

Blue Charlie (1 vote): Blue Charlie, also known as TAG-53, UNC4057, Star Blizzard, and Callisto, is a threat actor linked to Russian threat activity groups such as the Callisto Group, COLDRIVER, and SEABORGIUM. Both Microsoft and the UK government have assessed this connection. The entity is believed to be part of the wid
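The overlaps above are what a consumer of this profile has to collapse before correlating it with other feeds. The following is an added example, not Cybergeist's code nor any vendor's, that takes the alias lists transcribed from the profiles above as constructed input, normalises spelling variants such as "Cold River"/"COLDRIVER" and "Callisto Group"/"Callisto", unions them into clusters, and emits the result as a minimal STIX 2.1 bundle (a threat-actor object carrying the aliases, the SPICA malware object, and a "uses" relationship) without depending on the stix2 library. The VENDOR_PROFILES mapping, the normalisation rule, the choice of UNC4057 as the canonical name and the uuid5-derived identifiers are assumptions of this example.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed input (example assumption): each vendor profile on this page and the
# names it lists as aliases, transcribed by hand. Not a live feed.
VENDOR_PROFILES = {
    "UNC4057": ["ColdRiver", "Star Blizzard", "Blue Charlie", "Callisto"],
    "Star Blizzard": ["Seaborgium", "Callisto Group"],
    "COLDRIVER": ["Callisto Group", "Star Blizzard"],
    "Callisto": ["Gossamer Bear", "COLDRIVER", "UNC4057", "Star Blizzard",
                 "Blue Charlie", "SEABORGIUM"],
    "Cold River": ["Star Blizzard", "Callisto", "UNC4057"],
    "Blue Callisto": ["COLDRIVER", "BlueCharlie", "TAG-53", "Calisto", "Gossamer Bear",
                      "Star Blizzard", "SEABORGIUM", "TA446", "UNC4057"],
    "Gossamer Bear": ["Callisto", "Blue Callisto", "BlueCharlie", "TAG-53", "Calisto",
                      "Star Blizzard", "SEABORGIUM", "TA446", "UNC4057"],
    "Blue Charlie": ["TAG-53", "UNC4057", "Star Blizzard", "Callisto"],
}


def normalize(name: str) -> str:
    """Canonical key: case-, space- and punctuation-insensitive; drops a trailing 'Group'.
    Deliberately does NOT fold spelling variants such as 'Calisto' vs 'Callisto'."""
    key = re.sub(r"[^a-z0-9]", "", name.lower())
    return key[:-5] if key.endswith("group") and len(key) > 5 else key


def resolve_clusters(profiles):
    """Union-find over 'profile -> alias' edges. Returns a list of clusters, each a
    sorted list of display names (the first spelling seen for each normalized key)."""
    parent = {}
    display = {}

    def find(k):
        parent.setdefault(k, k)
        while parent[k] != k:
            parent[k] = parent[parent[k]]  # path halving
            k = parent[k]
        return k

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    for vendor_name, aliases in profiles.items():
        head = normalize(vendor_name)
        display.setdefault(head, vendor_name)
        find(head)  # register the profile even if it lists no aliases
        for alias in aliases:
            key = normalize(alias)
            display.setdefault(key, alias)
            union(head, key)

    groups = {}
    for key in list(parent):
        groups.setdefault(find(key), set()).add(display[key])
    return [sorted(g, key=str.lower) for g in groups.values()]


def to_stix_bundle(cluster, canonical="UNC4057", malware_name="SPICA"):
    """Minimal STIX 2.1 bundle as plain dicts: threat-actor (with aliases), malware,
    and a 'uses' relationship. uuid5 gives stable IDs across runs (example choice)."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    ns = uuid.NAMESPACE_URL
    ta_id = f"threat-actor--{uuid.uuid5(ns, 'threat-actor:' + normalize(canonical))}"
    mw_id = f"malware--{uuid.uuid5(ns, 'malware:' + normalize(malware_name))}"
    rel_id = f"relationship--{uuid.uuid5(ns, ta_id + '/uses/' + mw_id)}"
    aliases = [n for n in cluster if normalize(n) != normalize(canonical)]
    objects = [
        {"type": "threat-actor", "spec_version": "2.1", "id": ta_id, "created": now,
         "modified": now, "name": canonical, "aliases": aliases},
        {"type": "malware", "spec_version": "2.1", "id": mw_id, "created": now,
         "modified": now, "name": malware_name, "is_family": True,
         "malware_types": ["backdoor"]},
        {"type": "relationship", "spec_version": "2.1", "id": rel_id, "created": now,
         "modified": now, "relationship_type": "uses",
         "source_ref": ta_id, "target_ref": mw_id},
    ]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


if __name__ == "__main__":
    clusters = resolve_clusters(VENDOR_PROFILES)
    print(f"{len(clusters)} cluster(s): {clusters}")
    print(json.dumps(to_stix_bundle(clusters[0]), indent=2))
```

Running it collapses all eight vendor profiles into a single cluster even though "Calisto" and "Callisto" are kept as distinct keys: the union-find joins them through the names they share with other profiles, which is the behaviour you want when vendor spellings drift. If you later feed this into a platform that validates STIX, note that the bundle omits optional fields such as description and external_references; add them from the source documents rather than from this example.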
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Blizzard
Phishing
Russia
Malware
Google
Backdoor
Apt
Associated Malware
Name (type; votes): profile description

SPICA (type unspecified; 1 vote): SPICA is a custom backdoor developed and used by the threat group known as COLDRIVER. It was first identified by Google's Threat Analysis Group (TAG), which has tracked its use since as early as September 2023. The malware appears to be used in hig
Associated Threat Actors
Name (type; votes): profile description

BlueCharlie (type unspecified; 1 vote): BlueCharlie, also known as TAG-53, Blue Callisto, Callisto (or Calisto), COLDRIVER, Star Blizzard (formerly SEABORGIUM), and TA446, is a threat actor that has been linked to Russia and has reportedly been active since 2019. The group has been involved in various malicious activities including cybere

Star Blizzard (type unspecified; 1 vote): no description available.
Associated Vulnerabilities
Name (type; votes): profile description

Coldriver/star (type unspecified; 1 vote): no description available.
Source Document References
Information about the UNC4057 threat actor was read from the documents in the corpus below. This display is limited to 20 results.
Source, created: title

CERT-EU, 6 months ago: Prolific Russian hacking unit using custom backdoor for the first time
CERT-EU, 6 months ago: ColdRiver threat group targeting critical infrastructure with backdoor attacks
CERT-EU, 6 months ago: Russian hacker Coldriver extends tactics to include custom malware | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU, 6 months ago: Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware - Cyber Security Review
DARKReading, 6 months ago: Google: Russia's ColdRiver APT Unleashes Custom 'Spica' Malware
CERT-EU, 6 months ago: Russian COLDRIVER Hackers Expand Beyond Phishing with Custom Malware
CERT-EU, 6 months ago: Russian threat group spreading backdoor through phishing, says Google | IT World Canada News