{
	"id": "d30f6fcc-1b56-4497-a9f7-ada3cf14bcb5",
	"created_at": "2026-04-06T00:13:10.646883Z",
	"updated_at": "2026-04-10T03:35:41.832246Z",
	"deleted_at": null,
	"sha1_hash": "27cbadd31eb0ced14e6c5cd0baabebaf487e7eef",
	"title": "CALISTO doxxing: Sekoia.io findings concurs to Reuters’ investigation on FSB-related Andrey Korinets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 596803,
	"plain_text": "CALISTO doxxing: Sekoia.io findings concurs to Reuters’ investigation on FSB-related Andrey Korinets\r\nBy Sekoia TDR\r\nPublished: 2023-12-13 · Archived: 2026-04-05 15:02:32 UTC\r\nInvestigation context\r\nOn 7 December 2023, a joint advisory from the UK, USA, Canada, Australia and New Zealand attributed the previously known intrusion set Star Blizzard (aka CALISTO for Sekoia.io) to the Russian Federal Security Bureau (FSB). The USA and UK governments announced sanctions against two Russian nationals, Ruslan Peretyatko and Andrey Korinets, accused of being actively involved in CALISTO operations.\r\nOne year ago, on 6 January 2023, Sekoia.io distributed to our customers a FLINT (Flash Intelligence report) about our findings on Andrey Korinets. This investigation began when a trusted source contacted Sekoia.io TDR analysts regarding our previous publication on CALISTO, informing us about a possible link between a known infrastructure used by CALISTO and Andrey Korinets.\r\nSekoia.io conducted further technical investigation that confirmed an existing relation from at least 2015 to 2020 between CALISTO and Korinets. In order to avoid doxxing activities, we refrained from publishing this investigation. 
Then, when Reuters published about Andrey Korinets, we sent our investigation to our CTI customers.\r\nWith this CALISTO follow-up FLINT, we wanted to share our investigation, which discloses links between Korinets’ activities and a large technical cluster composed of dozens of CALISTO phishing domains and multiple servers, including some exposed by F-Secure [1] in 2017 in a white paper on “Callisto Group”.\r\nWe are now publishing our technical investigation, which concurs with Reuters’ reporting and the UK-USA designation of Andrey Korinets.\r\nAn investigation based on Korinets’ emails\r\nFollowing the intelligence on Korinets provided by a trusted source, SEKOIA.IO conducted research on a former CALISTO infrastructure, allowing us to identify several email addresses used by Andrey Korinets that are associated with it.\r\nThis former CALISTO infrastructure was used to conduct phishing campaigns from at least 2015 up to 2020, when new domains were allegedly used to target several Ukrainian and United Kingdom entities, such as the British Parliament and Cambridge University.\r\nEmails associated with Korinets can be retrieved from historical WHOIS records and SSL certificates associated with CALISTO infrastructure. It is worth mentioning that the same infrastructure was also used by Korinets to host his own websites, including online shops selling steroids, which matches his personal interests as described in Reuters’ article.\r\nAccording to our contact, two email addresses (nepkomi@gmail[.]com and yuuuka333@gmail[.]com) were allegedly owned and used by Korinets. 
\r\nSEKOIA.IO identified a technical link that connects nepkomi@gmail[.]com to a known CALISTO phishing server (154.127.59[.]186) and to another email address.\r\nEmail: vladimirdj90@gmail[.]com\r\nIn addition to the previous technical link with Korinets’ email address shown above, we were able to find a second connection with vladimirdj90@gmail[.]com through a US public procedure related to TopCoin, a former and now shut-down cryptocurrency blockchain, accessible in open sources.\r\nGoogle result associating Korinets to vladimirdj90@gmail[.]com\r\nPivoting on this email, we were able to find an associated self-signed Vesta Control Panel SSL certificate (e7b0[…]168e), hosted on the IP address 86.110.117[.]172. This IP was resolved by the domains shared-docs[.]download and eu-office365[.]co, which present the same pattern as recent CALISTO domains such as eu-office365[.]com, registered under the name “ANDREY Korinets” based on a historical WHOIS record.\r\nOur investigation showed that vladimirdj90@gmail[.]com is also present in the WHOIS records of several domains linked to the sale of anabolics and steroids (a personal interest of Korinets), of known CALISTO phishing domains, and of possibly other phishing-related domains such as:\r\nqooqle-support-mail[.]pw *\r\nemailapp[.]pw *\r\nyahoomailfree[.]pw *\r\nsupport-gmail[.]pw *\r\nlive-login[.]info *\r\ngoogle-plus[.]top *\r\ngmail-techdoc[.]pw\r\nlogin-live[.]review *\r\nsupport-mail[.]top *\r\nukrnet[.]pw\r\nNote: Domains associated in open sources with former CALISTO activities have an asterisk.\r\nEmail: sykt.support@gmail[.]com\r\nIt is worth noting that the previous phishing-related domains were also related to the email address sykt.support@gmail[.]com, sykt standing for “Syktyvkar”, the Komi Republic capital from where Korinets 
is assessed to originate. An individual with this email address shares the same city and password with another profile linked to the email yuuuka333@gmail[.]com in a Russian social network dump; therefore SEKOIA.IO analysts associate sykt.support@gmail[.]com with Andrey Korinets with medium confidence.\r\nBased on historical WHOIS databases, this email is linked to 36 domains, several looking like phishing domains, such as:\r\nnode03-prevention-icloud[.]link *\r\nnode005-prevention-aol[.]link *\r\nsupport-mail[.]top *\r\nauthentification-request[.]top *\r\nyahoo2-srv[.]bid\r\nyahoo-user[.]bid\r\nsecure-icloud[.]accountant\r\nlogin-access[.]top *\r\ngmail-techdoc[.]pw\r\nsecure-store-lcloud[.]top *\r\nprevention-aol[.]top\r\nauth-login[.]top *\r\nhghshop[.]top\r\nplatforma[.]link *\r\nscreenname[.]click *\r\ngoogle-plus[.]top *\r\nsupport-gmail[.]pw *\r\nyahoomailfree[.]pw\r\nemailapp[.]pw *\r\nqooqle-support-mail[.]pw\r\nlive-login[.]info *\r\nlogin-live[.]review *\r\nukrnet[.]pw\r\nmusclepharm[.]top\r\nNote: Domains associated in open sources with former CALISTO activities have an asterisk.\r\nEmail: settings.personal@gmail[.]com\r\nThree of the previously mentioned phishing domain names (ukrnet[.]pw, support-gmail[.]pw, qooqle-support-mail[.]pw) resolved to the IP address 37.1.206[.]114, which was resolved at the same time by another domain name linked to another email address, namely icloud-service[.]pw and settings.personal@gmail[.]com. 
That last email, settings.personal@gmail[.]com, was used from 2014 to 2017 for anabolic-related and phishing domains:\r\nanabol[.]in\r\nyahoocentermail[.]info *\r\nlogin-live-com[.]pw *\r\nukroboronprom[.]pw\r\nicloud-service[.]pw *\r\nscreenname-aol[.]pw *\r\nmassa[.]pw\r\naccounts-mail[.]asia *\r\nservice-mail[.]asia *\r\nNote: Domains associated in open sources with former CALISTO activities have an asterisk.\r\nIn this domain list, it is interesting to point out ukroboronprom[.]pw, which typosquats Ukroboronprom (Укроборонпром), a conglomerate of Ukrainian defense industries. This domain is the first associated with a potential high-profile targeting originating from this infrastructure cluster.\r\nAnother interesting domain name is screenname-aol[.]pw, which was resolving to the IP address 139.162.145[.]184, itself resolved by several domains associated with Korinets’ online steroids shop activities based on their historical WHOIS records, such as muscle[.]ovh and ukrpharma[.]ovh.\r\nRegistrant Name: Korinets Andrey\r\nRegistrant Street: muscle.ovh, office #8930945\r\nRegistrant Street: c/o Owo, Bp80157\r\nRegistrant City: Roubaix Cedex 1\r\nRegistrant Postal Code: 59053\r\nRegistrant Country: FR\r\nRegistrant Phone: +33.899498765\r\nRegistrant Email: y8j4po1ih74l9akzmkq8@r.o-w-o.info\r\nInfrastructure pivoting allowed us to swing from 139.162.145[.]184 to 95.213.194[.]163, both resolved by the previously mentioned musclepharm[.]top, which brings us to another phishing domain, drive-meet-goodle[.]ru.\r\nEmail: usa42014@yandex[.]ru\r\nThe previous IP addresses 139.162.145[.]184 and 95.213.194[.]163 have two distinct self-signed SSL certificates (0641[…]2299, associated with the domain musclepharm[.]top, and d68c[…]7393, associated with the domain drive-meet-goodle[.]ru), both containing the email address usa42014@yandex[.]ru.\r\nSEKOIA.IO analysts link the email address usa42014@yandex[.]ru to Andrey Korinets’ activities with medium confidence, as this email replaced the email yuuuka333@gmail[.]com in the WHOIS record of be-strong[.]org. drive-meet-goodle[.]ru is one of the IoCs published by F-Secure in 2017.\r\nFour other certificates show ties with usa42014@yandex[.]ru. A first Vesta control panel self-signed certificate (8efb[…]a7f4) is associated with the already-listed domain live-login[.]info. It was present on the IP address 185.72.179[.]132, resolved by live-login[.]info between 2015-12-19 and 2016-03-25.\r\nA second certificate (994a[…]1c30) is associated with the domain name expert-service[.]tech and was present on the IP address 185.212.128[.]28. This IP address was resolved between 2019-01-10 and 2019-11-04 by two domains looking like phishing domains, yamail[.]press and drive-aoi[.]icu.\r\nA third certificate (d3f1[…]593c) linked to usa42014@yandex[.]ru was on the IP addresses 158.69.149[.]52 and 185.99.134[.]22, both resolved by several phishing domains in 2019, such as:\r\noffice-356pro[.]pw\r\nen-office365[.]club\r\nfile-sharing[.]online\r\nfile-sharing[.]site\r\nen-microsofl[.]live\r\nonline-1drv[.]world\r\nEmail: mewimoge1973@rambler[.]ru\r\nThe email address mewimoge1973@rambler[.]ru is quite interesting as it is associated with another certificate (fd21[…]3b61) linked to the IP address 95.171.17[.]36 and the domain name serv[.]safe-redirect[.]in.net. The IP address 95.171.17[.]36 was resolved in 2020 by two domain names (safe-redirect[.]in.net, online-redirect[.]site) and dozens of their subdomains, targeting online services as well as the UK Parliament and Cambridge University.\r\nOnly little open-source information can link the email address mewimoge1973@rambler[.]ru to a clear identity. 
This email address is present on several Russian websites hosting offers in the Komi region, from which Korinets is assessed to originate, but without good visibility on the real owner’s identity.\r\nKorinets, a simple hoster or more than that?\r\nWith this infrastructure investigation, we demonstrated that a Russian individual, whose name was disclosed by Reuters, did in fact register phishing domains used by the CALISTO intrusion set to conduct at least one phishing campaign targeting UK entities, including the Parliament.\r\nAs we described in our last blogpost, SEKOIA.IO assesses that CALISTO contributes to Russian intelligence efforts to support Moscow’s strategic interests, as now confirmed by western intelligence services.\r\nQuestions now arise whether Korinets knew he was colluding with Calisto operators and/or with Russian intelligence. If so, his precise role remains unclear, as SEKOIA.IO does not have technical evidence to assess it.\r\nBased on open-source information we could gather about that individual, it seems that domain registration was one of his main skills, plausibly used by Russian intelligence, either directly or through a contractor relationship.\r\nThe relation between Korinets and CALISTO may have ended in 2020, as SEKOIA.IO did not find any technical links afterwards. This may as well be due to a lack of visibility.\r\nAll indicators found during our investigation are available on our public GitHub page.\r\nExternal references\r\n[1] https://www.f-secure.com/content/dam/f-secure/en/labs/whitepapers/Callisto_Group.pdf. Accessed on 13 December 2023.\r\nThank you for reading this blogpost. We welcome any reaction, feedback or criticism about this analysis. 
Please contact us at tdr[at]sekoia.io.\r\nTDR is the Sekoia Threat Detection \u0026 Research team. Created in 2020, TDR provides exclusive Threat Intelligence, including fresh and contextualised IOCs and threat reports for the Sekoia SOC Platform. TDR is also responsible for producing detection materials through a built-in Sigma, Sigma Correlation and Anomaly rules catalogue. TDR is a team of multidisciplinary and passionate cybersecurity experts, including security researchers, detection engineers, reverse engineers, and technical and strategic threat intelligence analysts. Threat Intelligence analysts and researchers look at state-sponsored \u0026 cybercrime threats from a strategic to a technical perspective to track, hunt and detect adversaries. Detection engineers focus on creating and maintaining high-quality detection rules to detect the TTPs most widely exploited by adversaries. TDR experts regularly share their analysis and discoveries with the community through our research blog, GitHub repository or X / Twitter account. You may also come across some of our analysts and experts at international conferences (such as BotConf, Virus Bulletin, CoRIIN and many others), where they present the results of their research work and investigations.\r\nSource: https://blog.sekoia.io/calisto-doxxing-sekoia-io-findings-concurs-to-reuters-investigation-on-fsb-related-andrey-korinets/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://blog.sekoia.io/calisto-doxxing-sekoia-io-findings-concurs-to-reuters-investigation-on-fsb-related-andrey-korinets/"
	],
	"report_names": [
		"calisto-doxxing-sekoia-io-findings-concurs-to-reuters-investigation-on-fsb-related-andrey-korinets"
	],
	"threat_actors": [
		{
			"id": "5dae3c71-8be1-4591-a2fb-b851ea6f083d",
			"created_at": "2022-10-25T16:07:23.432642Z",
			"updated_at": "2026-04-10T02:00:04.600341Z",
			"deleted_at": null,
			"main_name": "Callisto Group",
			"aliases": [],
			"source_name": "ETDA:Callisto Group",
			"tools": [
				"RCS Galileo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "79bd28a6-dc10-419b-bee7-25511ae9d3d4",
			"created_at": "2023-01-06T13:46:38.581534Z",
			"updated_at": "2026-04-10T02:00:03.029872Z",
			"deleted_at": null,
			"main_name": "Callisto",
			"aliases": [
				"BlueCharlie",
				"Star Blizzard",
				"TAG-53",
				"Blue Callisto",
				"TA446",
				"IRON FRONTIER",
				"UNC4057",
				"COLDRIVER",
				"SEABORGIUM",
				"GOSSAMER BEAR"
			],
			"source_name": "MISPGALAXY:Callisto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aedca2f-6f6c-4470-af26-a46097d3eab5",
			"created_at": "2024-11-01T02:00:52.689773Z",
			"updated_at": "2026-04-10T02:00:05.396502Z",
			"deleted_at": null,
			"main_name": "Star Blizzard",
			"aliases": [
				"Star Blizzard",
				"SEABORGIUM",
				"Callisto Group",
				"TA446",
				"COLDRIVER"
			],
			"source_name": "MITRE:Star Blizzard",
			"tools": [
				"Spica"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2d06d270-acfd-4db8-83a8-4ff68b9b1ada",
			"created_at": "2022-10-25T16:07:23.477794Z",
			"updated_at": "2026-04-10T02:00:04.625004Z",
			"deleted_at": null,
			"main_name": "Cold River",
			"aliases": [
				"Blue Callisto",
				"BlueCharlie",
				"Calisto",
				"Cobalt Edgewater",
				"Gossamer Bear",
				"Grey Pro",
				"IRON FRONTIER",
				"Mythic Ursa",
				"Nahr Elbard",
				"Nahr el bared",
				"Seaborgium",
				"Star Blizzard",
				"TA446",
				"TAG-53",
				"UNC4057"
			],
			"source_name": "ETDA:Cold River",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"DNSpionage",
				"LOSTKEYS",
				"SPICA"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a057a97-db21-4261-804b-4b071a03c124",
			"created_at": "2024-06-04T02:03:07.953282Z",
			"updated_at": "2026-04-10T02:00:03.813595Z",
			"deleted_at": null,
			"main_name": "IRON FRONTIER",
			"aliases": [
				"Blue Callisto ",
				"BlueCharlie ",
				"CALISTO ",
				"COLDRIVER ",
				"Callisto Group ",
				"GOSSAMER BEAR ",
				"SEABORGIUM ",
				"Star Blizzard ",
				"TA446 "
			],
			"source_name": "Secureworks:IRON FRONTIER",
			"tools": [
				"Evilginx2",
				"Galileo RCS",
				"SPICA"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434390,
	"ts_updated_at": 1775792141,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/27cbadd31eb0ced14e6c5cd0baabebaf487e7eef.pdf",
		"text": "https://archive.orkl.eu/27cbadd31eb0ced14e6c5cd0baabebaf487e7eef.txt",
		"img": "https://archive.orkl.eu/27cbadd31eb0ced14e6c5cd0baabebaf487e7eef.jpg"
	}
}