{
	"id": "d04f9d9b-5d1f-4323-a639-7dddb7a10434",
	"created_at": "2026-04-06T00:18:56.52912Z",
	"updated_at": "2026-04-10T03:34:43.907047Z",
	"deleted_at": null,
	"sha1_hash": "25db9970e848eee0f7ff37462af988cc668a121b",
	"title": "OSX.Calisto | Symantec",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52136,
	"plain_text": "OSX.Calisto | Symantec\r\nArchived: 2026-04-05 15:36:20 UTC\r\nThe Wayback Machine - https://web.archive.org/web/20190111082249/https://www.symantec.com/security-center/writeup/2018-073014-2512-99?om_rssid=sr-latestthreats30days\r\nDiscovered: July 30, 2018\r\nUpdated: July 30, 2018 2:44:38 PM\r\nType: Trojan\r\nInfection Length: Varies\r\nPublisher: Nevaeh Peterson\r\nSystems Affected: Mac\r\nOSX.Calisto is a Trojan horse that opens a backdoor on the compromised computer.\r\nAntivirus Protection Dates\r\nInitial Rapid Release version July 30, 2018 revision 007\r\nLatest Rapid Release version July 30, 2018 revision 017\r\nInitial Daily Certified version July 30, 2018 revision 008\r\nLatest Daily Certified version July 30, 2018 revision 021\r\nInitial Weekly Certified release date August 01, 2018\r\nWriteup By: Jason Pantig\r\nOnce executed, the Trojan creates the following folder:\r\n/Users/[USER NAME]/calisto\r\nThe Trojan creates the following files:\r\n/Users/[USER NAME]/calisto/calisto.zip\r\n/Users/[USER NAME]/calisto/cred.dat\r\n/Users/[USER NAME]/calisto/network.dat\r\n/Users/[USER NAME]/calisto/KC.zip\r\nNext, the Trojan uninstalls the DMG component on the compromised computer.\r\nThe Trojan then establishes remote access to the compromised computer in order to perform the following actions:\r\nEnable remote login\r\nEnable screen sharing\r\nAdd permissions\r\nAdd remote login to all users\r\nAdd its own account\r\nThe Trojan connects to the following remote locations:\r\nhttp://40.[REMOVED].56.192/calisto/listenyee.php\r\nhttp://40.[REMOVED].56.192/calisto/upload.php\r\nThe Trojan then opens a backdoor on the compromised computer and may perform the following actions:\r\nUpload files\r\nDownload files\r\nExecute files\r\nSteal keychains\r\nSteal cookies\r\nRecommendations\r\nSymantec Security Response encourages all users and administrators to adhere to the following basic security \"best practices\":\r\nUse a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.\r\nEnforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.\r\nEnsure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.\r\nDisable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.\r\nTurn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.\r\nTurn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.\r\nIf a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.\r\nAlways keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.\r\nConfigure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.\r\nIsolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.\r\nTrain employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.\r\nIf Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to \"Hidden\" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to \"Unauthorized\", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.\r\nFor further information on the terms used in this document, please refer to the Security Response glossary.\r\nRemoval\r\nThe following instructions pertain to all current and recent Symantec antivirus products for Mac.\r\n1. Update the virus definitions.\r\n2. Run a full system scan and repair or delete all the files detected.\r\nFor specific details on each of these steps, read the following instructions.\r\n1. To update the virus definitions\r\nTo obtain the most recent virus definitions, run LiveUpdate. These virus definitions are posted to the LiveUpdate servers regularly. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).\r\n2. To scan for and delete the infected files\r\nStart your Norton AntiVirus or Symantec Endpoint Protection for Mac program and make sure that it is configured to scan all files.\r\nRun a full system scan.\r\nIf any files are detected, click Repair (if available) or Delete.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://web.archive.org/web/20190111082249/https://www.symantec.com/security-center/writeup/2018-073014-2512-99?om_rssid=sr-latestthreats30days"
	],
	"report_names": [
		"2018-073014-2512-99?om_rssid=sr-latestthreats30days"
	],
	"threat_actors": [
		{
			"id": "2d06d270-acfd-4db8-83a8-4ff68b9b1ada",
			"created_at": "2022-10-25T16:07:23.477794Z",
			"updated_at": "2026-04-10T02:00:04.625004Z",
			"deleted_at": null,
			"main_name": "Cold River",
			"aliases": [
				"Blue Callisto",
				"BlueCharlie",
				"Calisto",
				"Cobalt Edgewater",
				"Gossamer Bear",
				"Grey Pro",
				"IRON FRONTIER",
				"Mythic Ursa",
				"Nahr Elbard",
				"Nahr el bared",
				"Seaborgium",
				"Star Blizzard",
				"TA446",
				"TAG-53",
				"UNC4057"
			],
			"source_name": "ETDA:Cold River",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"DNSpionage",
				"LOSTKEYS",
				"SPICA"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a057a97-db21-4261-804b-4b071a03c124",
			"created_at": "2024-06-04T02:03:07.953282Z",
			"updated_at": "2026-04-10T02:00:03.813595Z",
			"deleted_at": null,
			"main_name": "IRON FRONTIER",
			"aliases": [
				"Blue Callisto ",
				"BlueCharlie ",
				"CALISTO ",
				"COLDRIVER ",
				"Callisto Group ",
				"GOSSAMER BEAR ",
				"SEABORGIUM ",
				"Star Blizzard ",
				"TA446 "
			],
			"source_name": "Secureworks:IRON FRONTIER",
			"tools": [
				"Evilginx2",
				"Galileo RCS",
				"SPICA"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434736,
	"ts_updated_at": 1775792083,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/25db9970e848eee0f7ff37462af988cc668a121b.pdf",
		"text": "https://archive.orkl.eu/25db9970e848eee0f7ff37462af988cc668a121b.txt",
		"img": "https://archive.orkl.eu/25db9970e848eee0f7ff37462af988cc668a121b.jpg"
	}
}