{ "id": "82cb25af-4e13-4980-82e2-d422af59faa1", "created_at": "2026-04-06T00:18:21.651859Z", "updated_at": "2026-04-10T03:35:41.816143Z", "deleted_at": null, "sha1_hash": "2b578ce6513e84e68a28f754cc5006de7ff05e80", "title": "RCS Galileo - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 45831, "plain_text": "RCS Galileo - Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 14:33:12 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool RCS Galileo\r\n Tool: RCS Galileo\r\nNames RCS Galileo\r\nCategory Malware\r\nType Backdoor, Info stealer\r\nDescription\r\n(F-Secure) In all known malicious attachments, the final payload was a variant of the “Scout”\r\ntool from the HackingTeam Remote Control System (RCS) Galileo hacking platform.\r\nHackingTeam is an Italian software company that created RCS, which they describe as “the\r\nhacking suite for governmental interception”. In July 2015, news emerged that HackingTeam\r\nhad been breached. One of the consequences of this incident was the then latest version of\r\nRCS Galileo being leaked to the public.\r\nAs a result of the leak, both the source code and the ready-made installers for the RCS\r\nplatform were made available for anyone to use. Based on our analysis of Callisto Group’s\r\nusage of RCS Galileo, we believe the Callisto Group did not utilize the leaked RCS Galileo\r\nsource code, but rather used the leaked ready-made installers to set up their own installation of\r\nthe RCS Galileo platform. The process for using the leaked installers to set up an RCS Galileo\r\ninstallation has been described online in publicly available blogposts, making the process\r\ntrivial to achieve.\r\nInformation \u003chttps://www.f-secure.com/documents/996508/1030745/callisto-group\u003e\r\nLast change to this tool card: 20 April 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool RCS Galileo\r\nChanged Name Country Observed\r\nAPT groups\r\n  Callisto Group [Unknown] 2013  \r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=5a23a112-d52e-4a02-83b1-ffb2fd8ddc3e\r\nPage 1 of 2\n\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=5a23a112-d52e-4a02-83b1-ffb2fd8ddc3e\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=5a23a112-d52e-4a02-83b1-ffb2fd8ddc3e\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=5a23a112-d52e-4a02-83b1-ffb2fd8ddc3e" ], "report_names": [ "listgroups.cgi?u=5a23a112-d52e-4a02-83b1-ffb2fd8ddc3e" ], "threat_actors": [ { "id": "5dae3c71-8be1-4591-a2fb-b851ea6f083d", "created_at": "2022-10-25T16:07:23.432642Z", "updated_at": "2026-04-10T02:00:04.600341Z", "deleted_at": null, "main_name": "Callisto Group", "aliases": [], "source_name": "ETDA:Callisto Group", "tools": [ "RCS Galileo" ], "source_id": "ETDA", "reports": null }, { "id": "79bd28a6-dc10-419b-bee7-25511ae9d3d4", "created_at": "2023-01-06T13:46:38.581534Z", "updated_at": "2026-04-10T02:00:03.029872Z", "deleted_at": null, "main_name": "Callisto", "aliases": [ "BlueCharlie", "Star Blizzard", "TAG-53", "Blue Callisto", "TA446", "IRON FRONTIER", "UNC4057", "COLDRIVER", "SEABORGIUM", "GOSSAMER BEAR" ], "source_name": "MISPGALAXY:Callisto", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3aedca2f-6f6c-4470-af26-a46097d3eab5", "created_at": "2024-11-01T02:00:52.689773Z", "updated_at": "2026-04-10T02:00:05.396502Z", "deleted_at": null, "main_name": "Star Blizzard", "aliases": [ "Star Blizzard", "SEABORGIUM", "Callisto Group", "TA446", "COLDRIVER" ], "source_name": "MITRE:Star Blizzard", "tools": [ "Spica" ], "source_id": "MITRE", "reports": null }, { "id": "3a057a97-db21-4261-804b-4b071a03c124", "created_at": "2024-06-04T02:03:07.953282Z", "updated_at": "2026-04-10T02:00:03.813595Z", "deleted_at": null, "main_name": "IRON FRONTIER", "aliases": [ "Blue Callisto ", "BlueCharlie ", "CALISTO ", "COLDRIVER ", "Callisto Group ", "GOSSAMER BEAR ", "SEABORGIUM ", "Star Blizzard ", "TA446 " ], "source_name": "Secureworks:IRON FRONTIER", "tools": [ "Evilginx2", "Galileo RCS", "SPICA" ], "source_id": "Secureworks", "reports": null }, { "id": "61940e18-8f90-4ecc-bc06-416c54bc60f9", "created_at": "2022-10-25T16:07:23.659529Z", "updated_at": "2026-04-10T02:00:04.703976Z", "deleted_at": null, "main_name": "Gamaredon Group", "aliases": [ "Actinium", "Aqua Blizzard", "Armageddon", "Blue Otso", "BlueAlpha", "Callisto", "DEV-0157", "G0047", "Iron Tilden", "Operation STEADY#URSA", "Primitive Bear", "SectorC08", "Shuckworm", "Trident Ursa", "UAC-0010", "UNC530", "Winterflounder" ], "source_name": "ETDA:Gamaredon Group", "tools": [ "Aversome infector", "BoneSpy", "DessertDown", "DilongTrash", "DinoTrain", "EvilGnome", "FRAUDROP", "Gamaredon", "GammaDrop", "GammaLoad", "GammaSteel", "Gussdoor", "ObfuBerry", "ObfuMerry", "PlainGnome", "PowerPunch", "Pteranodon", "Pterodo", "QuietSieve", "Remcos", "RemcosRAT", "Remote Manipulator System", "Remvio", "Resetter", "RuRAT", "SUBTLE-PAWS", "Socmer", "UltraVNC" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434701, "ts_updated_at": 1775792141, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/2b578ce6513e84e68a28f754cc5006de7ff05e80.pdf", "text": "https://archive.orkl.eu/2b578ce6513e84e68a28f754cc5006de7ff05e80.txt", "img": "https://archive.orkl.eu/2b578ce6513e84e68a28f754cc5006de7ff05e80.jpg" } }