Unc4057

Threat Actor updated 5 months ago (2024-05-05T02:18:14.172Z)
Download STIX
Preview STIX
UNC4057, also known as ColdRiver, Star Blizzard, Blue Charlie, and Callisto, is a Russian-backed advanced persistent threat (APT) group that has been active since 2019. This group, sponsored by the Federal Security Service (FSB), has been involved in various malicious activities on behalf of the Russian government. The group uses a custom backdoor named "SPICA" to infiltrate systems, steal information, execute arbitrary commands, and establish persistence. They primarily target non-governmental organizations (NGOs), former intelligence and military officers, and NATO governments to carry out cyber espionage. Recently, Google's Threat Analysis Group (TAG) observed an evolution in UNC4057's tactics. The APT group has moved beyond phishing for credentials and started delivering malware through campaigns using PDFs as lure documents. This new approach involves poisoned PDF attachments in phishing messages that lead to the installation of a backdoor. This development has raised concerns among security researchers due to the group's notorious reputation and the potential threats it could pose. Over the years, UNC4057 has specialized in spear-phishing campaigns, employing advanced tactics including impersonation of known contacts customized to targets, and technical configurations and addresses made to look legitimate to recipients. The group's focus has been on high-profile individuals within NGOs, former intelligence and military officers, and NATO governments. Their evolving tactics and persistent threats underline the importance of continuous vigilance and proactive measures against such sophisticated cyber threats.
Description last updated: 2024-05-05T01:28:05.653Z
What's your take? (Question 1 of 3)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Callisto is a possible alias for Unc4057. Callisto, also known as Star Blizzard, COLDRIVER, TAG-53, and BlueCharlie, is a threat actor group likely based in Russia that has been linked to malicious cyber activities. The group is notorious for its sophisticated spear-phishing attacks targeting organizations and individuals in the UK and othe
2
Star Blizzard is a possible alias for Unc4057. Star Blizzard, a threat actor group also known as "Cold River" and "Callisto," has been actively involved in spear-phishing campaigns to exfiltrate sensitive information from targeted individuals and organizations. Between January 2023 and August 2024, Microsoft observed Star Blizzard target over 30
2
COLDRIVER is a possible alias for Unc4057. Coldriver, also known as Star Blizzard, Callisto, and Seaborgium, is a Russia-based cyber-espionage group believed to be backed by the Federal Security Service (FSB). This threat actor has been active since at least 2015, targeting government officials, military personnel, journalists, think tanks,
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Blizzard
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.