{
	"id": "bb5b94b3-0259-4c36-a17b-98b29277f6f3",
	"created_at": "2026-04-06T00:13:26.534788Z",
	"updated_at": "2026-04-10T13:13:03.196523Z",
	"deleted_at": null,
	"sha1_hash": "320934ef179ba766d11a1c48c09747ee227ed48c",
	"title": "Rivers of Phish: Sophisticated Phishing Targets Russia’s Perceived Enemies Around the Globe - The Citizen Lab",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2078297,
	"plain_text": "Rivers of Phish: Sophisticated Phishing Targets Russia’s Perceived\r\nEnemies Around the Globe - The Citizen Lab\r\nArchived: 2026-04-05 17:33:22 UTC\r\nSummary\r\nA sophisticated spear phishing campaign has been targeting Western and Russian civil society.\r\nThis campaign, which we have investigated in collaboration with Access Now and with the participation of numerous\r\ncivil society organizations including First Department, Arjuna Team, and RESIDENT.ngo, engages targets with\r\npersonalized and highly-plausible social engineering in an attempt to gain access to their online accounts.\r\nWe attribute this campaign to COLDRIVER (also known as Star Blizzard, Callisto and other designations). This\r\nthreat actor is attributed to the Russian Federal Security Service (FSB) by multiple governments.\r\nWe identified a second threat actor targeting similar communities, whom we name COLDWASTREL. We assess that\r\nthis actor is distinct from COLDRIVER, and that the targeting that we have observed aligns with the interests of the\r\nRussian government.\r\nThe Citizen Lab is sharing all indicators with major email providers to assist them in tracking and blocking these\r\ncampaigns.\r\nClick here to read the Access Now Report and the Access Now Helpline Technical Brief.\r\n1. River of Phish: Campaign Overview\r\nOur collaborative investigation with Access Now, with the assistance of multiple additional civil society organizations\r\nincluding First Department, Arjuna Team, and RESIDENT.ngo, has identified digital targeting using sophisticated spear\r\nphishing by this threat actor across multiple countries and sectors within civil society.\r\nObserved Targets\r\nThe targets range from prominent Russian opposition figures-in-exile to staff at nongovernmental organizations in the US\r\nand Europe, funders, and media organizations. A focus on Russia, Ukraine, or Belarus is a common thread running through\r\nall of the cases. 
Some of the targets still live and work in Russia, placing them at considerable risk. Almost all targets that\r\nspoke with us and our investigative partner, Access Now, have chosen to remain unnamed and, for their privacy and safety,\r\nwe are only including indicators from a limited selection of the cases that we have examined.\r\nPolina Machold, Publisher of Proekt Media, is among the targets, and we observed the attackers masquerading as an\r\nindividual known to her. Proekt conducts high-profile investigative reporting into official corruption and abuses of power in\r\nRussia. They are well known for high-profile reporting on Vladimir Putin, Ramzan Kadyrov, and other highly-placed\r\nRussian officials. Soon after their reporting into Russia’s interior minister in 2021, they were declared an “undesirable\r\norganization” by the Russian Government.\r\nWe have also observed targeting of former officials and academics in the US think tank and policy space. For example,\r\nformer US Ambassador to Ukraine Steven Pifer was targeted with a highly-credible approach impersonating someone\r\nknown to him: a fellow former US Ambassador.\r\nWe judge that these targets may have been selected for their extensive networks among sensitive communities, such as high-risk individuals within Russia. For some, successful compromise could result in extremely serious consequences, such as\r\nimprisonment or physical harm to themselves or their contacts.\r\nhttps://citizenlab.ca/2024/08/sophisticated-phishing-targets-russias-perceived-enemies-around-the-globe/\r\nPage 1 of 20\n\nImportantly, we suspect that the total pool of targets is likely much larger than the civil society groups whose cases we have\r\nanalyzed. 
We have observed US government personnel impersonated as part of this campaign, and given prior reporting\r\nabout COLDRIVER’s targeting, we expect the US government remains a target.\r\nTypical Attack Flow: A Credible, Personalized Approach\r\nThe most common tactic we have observed is for the threat actor to initiate an email exchange with the target masquerading\r\nas someone known to them. This tactic includes masquerading as colleagues, funders, and US government employees.\r\nTypically, the messages contain text requesting that the recipient review a document relevant to their work, such as a grant\r\nproposal or an article draft.\r\nIn some cases, we have observed additional communication by the threat actor preceding or following the targeting message.\r\nOften highly and effectively personalized, this communication illustrates the depth of the threat actors’ understanding of the\r\ntargets. Multiple targets believed that they were exchanging emails with a real person.\r\nWe often observed the attacker omitting to attach a PDF file to the initial message requesting a review of the “attached” file.\r\nWe believe this was intentional, and intended to increase the credibility of the communication, reduce the risk of detection,\r\nand select only for targets that replied to the initial approach (e.g. pointing out the lack of an attachment).\r\nThe email message typically contains an attached PDF file purported to be encrypted or “protected,” using a privacy-focused\r\nonline service such as ProtonDrive, for example. In fact, this is a ruse. When opened, the PDF displays what appears to be\r\nblurred text along with a link to “decrypt” or access the file. 
Actual ProtonDrive encryption looks substantially different\r\nfrom the River of Phish lures, suggesting that the attackers are relying on a general lack of awareness of what secure and\r\nencrypted document sharing looks like. In other cases, the blurred PDF includes text saying that a preview is not available,\r\nagain soliciting a click.\r\nWhile typical attacks were limited to a PDF, we also observed a few cases in which the attackers sent an email crafted\r\nto appear as a document share, with the phishing link directly embedded in the email message. When one such case\r\nseemingly failed to generate a successful compromise, the attackers followed up with a PDF.\r\nIn some cases, the attackers followed up with targets that failed to enter their credentials with multiple messages asking if\r\nthey had seen or “reviewed” the material. This approach, again, suggests a high degree of focus on particular targets.\r\nIf the Target Clicks\r\nIf the target clicks on the link, their browser will fetch JavaScript code from the attacker’s server that computes a fingerprint\r\nof the target’s system and submits it to the server (see: Target Fingerprinting). If the server elects to proceed with the attack,\r\nthe server will return a URL, and the JavaScript code running in the target’s browser will redirect the target there. If the\r\nserver chooses, a CAPTCHA (from hCaptcha) may be shown to the user prior to any redirect. The URL to which the target\r\nis redirected is typically a webpage crafted by the attacker to look like a genuine login page for the target’s email service\r\n(e.g. Gmail or ProtonMail).\r\nThe login page may be pre-populated with the target’s email address to mimic the legitimate login page. 
If the target enters\r\ntheir password and two-factor code into the form, these items will be sent to the attacker who will use them to complete the\r\nlogin and obtain a session cookie for the target’s account. This cookie allows the attacker to access the target’s email account\r\nas if they were the target themselves. The attacker can continue to use this token for some time without re-authenticating.\r\nThe use of a credible email ruse plus a PDF containing a phishing link is a favorite technique of multiple threat actors.\r\nNotably, PDF viewers built into webmail services like Gmail allow the recipient to click on hyperlinks within a PDF, and\r\nthus do not impede this attack.\r\n2. River of Phish Campaign Infrastructure\r\nFirst-Stage Domains\r\nThe first-stage infrastructure for this campaign involves phishing links embedded in the delivered PDFs, or sent in emails\r\ncrafted to appear as document shares. The attackers typically register the domains and host the websites using Hostinger.\r\nDomains registered with Hostinger are hosted on shared servers which rotate IP addresses approximately every 24 hours,\r\nmaking the campaign more difficult to track. We did not identify any cases where a domain was operationally used within\r\n30 days of its registration. 
This is a possible attempt to avoid being blocked by detection rules aimed at flagging emails or\r\nattachments with hyperlinks containing a recently registered domain.\r\nDomain | Registration Date | Date of Phishing Email | Registrar | TLS Issuer\r\nithostprotocol[.]com | 2024-01-16 | 2024-02-20 | NameCheap | cPanel\r\nxsltweemat[.]org | 2024-03-14 | 2024-04-12 | Hostinger | Let’s Encrypt\r\neilatocare[.]com | 2024-04-09 | 2024-05-29 | Hostinger | Let’s Encrypt\r\negenre[.]net | 2024-05-19 | 2024-06-19 | Hostinger | Let’s Encrypt\r\nesestacey[.]net | 2024-05-19 | 2024-06-19 | Hostinger | ZeroSSL\r\nideaspire[.]net | 2024-05-20 | 2024-06-24 | Hostinger | Let’s Encrypt\r\nTable 1\r\nExamples of first-stage domains used in this campaign.\r\nIf the target clicks on the link in the PDF, the attack moves onto the next stage, which involves fingerprinting the user’s\r\nsystem.\r\nTarget Fingerprinting\r\nEach first-stage domain runs JavaScript code to fingerprint the target’s browser and returns the fingerprint to the server,\r\nwhich decides how to proceed. Because we cannot see the server’s code, we are not fully sure what the purpose of the\r\nfingerprinting is. However, because the server can elect to show a CAPTCHA to the target, we presume that the purpose of\r\nthe fingerprinting may be to prevent certain automated tools from obtaining or analyzing the second-stage infrastructure,\r\nwhich contains the phishing page.\r\nWe did not directly observe the second stage of the attack or the credentials being passed back to the attacker’s\r\ninfrastructure; however, based on the targets’ descriptions of the login page it is likely that the attackers leveraged a tool that\r\nis specifically designed to capture user credentials and enable unauthorized access, such as Evilginx or another phishing\r\nplatform. 
We note that COLDRIVER has been observed using Evilginx in recent cases.\r\nOur investigative partner, Access Now, has included a description of the fingerprinting code in their Technical Brief. The\r\nfingerprinting code was obfuscated using the Hunter PHP Javascript Obfuscator, a tool that is publicly available on GitHub.\r\nFrequent Metadata Overlaps Across PDFs\r\nPDFs associated with this campaign share consistent characteristics, including the location and formatting of the malicious\r\nlink within the PDF, the PDF metadata, and the use of a fake English-language name that is different in each case for the\r\nPDF author. Based on the names identified in the PDFs, it appears that a name list such as this one or this one was used in\r\nthe generation of these names.\r\nThe chart below includes metadata from some PDFs that were shared directly with The Citizen Lab and Access Now.\r\nA Selection of PDFs from the River of Phish Campaign\r\nSHA256 | Author Name | Producer | Language\r\nb07d54a178726ffb9f2d5a38e64116cbdc361a1a0248fb89300275986dc5b69d | Gracelyn Reilly | LibreOffice 7.0 | en-US\r\n0ded441749c5391234a59d712c9d8375955ebd3d4d5848837b8211c6b27a4e88 | Talon Blackburn | LibreOffice 7.0 | en-US\r\nefa2fd8f8808164d6986aedd6c8b45bb83edd70ca4e80d7ff563a3fbc05eab89 | Howard Howe | LibreOffice 7.0 | en-US\r\n384d3027d92c13da55ceef9a375e8887d908fd54013f49167946e1791730ba22 | Annabelle Kline | LibreOffice 7.0 | en-US\r\n00664f72386b256d74176aacbe6d1d6f6dd515dd4b2fcb955f5e0f6f92fa078e | Paulina Mullen | LibreOffice 7.0 | en-US\r\n79f93e57ad6be28aae62d14135140289f09f86d3a093551bd234adc0021bb827 | Emery Hogan | LibreOffice 7.0 | en-US\r\nTable 2\r\nExamples of metadata details on malicious PDFs.\r\nTarget Phishing\r\nIn the cases we analyzed as part of this particular campaign, user 
credentials and associated two-factor authentication (2FA)\r\ntokens appear to be the primary targets of this phase of attack. We did not find any spyware delivered to target devices as\r\npart of this particular campaign. The focus on account access simplifies the attack infrastructure that is needed, as the\r\nattackers do not need to gain persistence or establish ongoing communications with the target’s machine. It is important to\r\nnote that the individuals and organizations targeted in this campaign likely face additional threats, such as spyware attacks\r\n(See here, for example).\r\nIn January of 2024, Google’s Threat Analysis Group (TAG) reported on a custom malware backdoor called SPICA, which\r\nthey assessed was the first known case of COLDRIVER developing and deploying custom malware. Similarly, we believe\r\nsome of the targets who shared files with us may be regularly targeted by multiple threat actors and using multiple Tactics,\r\nTechniques, and Procedures (TTPs). While this particular campaign did not leverage malware, we encourage human rights\r\ndefenders, dissidents, journalists, and other members of civil society that may be targeted by Russian authorities to exercise\r\nextreme vigilance and contact experts such as Access Now’s Digital Security Helpline for help. We provide tips on how to\r\nidentify suspicious communications below (See: Protect Yourself \u0026 Your Colleagues).\r\n3. River of Phish: COLDRIVER Attribution\r\nCOLDRIVER is a Russia-based threat group attributed by several governments to be subordinate to the Russian Federal\r\nSecurity Service (FSB) Centre 18 (See: The Russian Cyber Espionage Landscape, below). 
They have been active since at\r\nleast 2019, possibly earlier, and their tactics primarily include very involved social engineering and persona development.\r\nThese personas are typically used to trick the target into visiting a malicious link, leading to the theft of their credentials, the\r\nbypassing of 2FA, and access to the target’s information. This group has targeted widely in a pattern that aligns with Russian\r\nstate interests, including targeting academia, NGOs, government institutions, and think tanks.\r\nSelected Prior Reporting on COLDRIVER\r\nPrior reporting on COLDRIVER describes strikingly similar tactics to the ones we see in this campaign. In 2017,\r\ncybersecurity firm F-Secure reported on the activities of a group they tracked as “Callisto group”, writing that they had\r\ntracked them since 2015. Their research highlighted the group’s use of spear phishing to target “military personnel,\r\ngovernment officials, think tanks and journalists.” The attackers frequently impersonated legitimate websites and email\r\naddresses to trick targets into providing their credentials. At the time, F-Secure did not publicly attribute the group.\r\nCompany | Name Assigned\r\nF-Secure | Callisto group\r\nMicrosoft | Star Blizzard / SEABORGIUM\r\nGoogle TAG | COLDRIVER\r\nPWC | Blue Callisto\r\nProofpoint | TA446\r\nSekoia | Calisto\r\nRecorded Future | Blue Charlie\r\nMandiant | UNC4057\r\nTable 3\r\nOne Threat Actor, Many Codenames.\r\nIn 2022, Microsoft reported on the group, which they track as Star Blizzard (previously SEABORGIUM). Google’s Threat\r\nAnalysis Group (TAG) reported on them as COLDRIVER, PWC reported on them as Blue Callisto, Proofpoint reported\r\non them as TA446, Sekoia reported on them as Calisto, and Recorded Future reported on them as Blue Charlie. 
All research\r\nteams described similar tactics: elaborate spear phishing campaigns impersonating individuals known to the targets with the\r\ngoal of stealing credentials to accounts and accessing sensitive information. In 2022, attribution was typically framed as “a\r\nlikely Russia-based actor.”\r\nAttribution of COLDRIVER to the FSB in a Joint Governmental Advisory\r\nIn December 2023, government agencies from Australia, Canada, New Zealand, the United Kingdom, and the United States\r\nissued a joint cybersecurity advisory detailing the activities of COLDRIVER. The advisory attributed the group to the FSB’s\r\nCentre 18. The advisory notes that COLDRIVER’s targets include “academia, defense, governmental organizations, NGOs,\r\nthink tanks and politicians.” The TTPs outlined in the advisory include extended target reconnaissance, the use of fake email\r\nand social media accounts, preference to target personal emails, the use of conference or event invitations as lures, the use of\r\nmalicious domains impersonating legitimate organizations and more.\r\nAttributing The River of Phish Campaign to COLDRIVER\r\nMultiple TTPs and targeting from the River of Phish campaign closely align with public reporting on COLDRIVER.\r\nHowever, some of COLDRIVER’s tactics (like lures using “encrypted” documents) share certain similarities with other\r\nthreat actors. To increase our confidence, we sought to ensure that the River of Phish campaign matches multiple other\r\nresearch groups’ COLDRIVER attribution. To that end, we approached Microsoft MSTIC, Proofpoint, and PwC, among\r\nothers. Materials they shared enabled us to identify multiple direct overlaps between the River of Phish campaign and\r\nCOLDRIVER. Finally, each independently confirmed that the activity we identified matched their own tracking of\r\nCOLDRIVER. 
Together, this information suggests that the River of Phish campaign is attributable to the threat actor\r\nidentified as COLDRIVER.\r\nRiver of Phish Sample Overlap with Known COLDRIVER Campaigns\r\nProofpoint shared several publicly-available PDFs (on VirusTotal) with us that they attribute to COLDRIVER. Examination\r\nof these PDFs yielded multiple critical overlaps with the River of Phish campaign including: (a) matching bait PDF\r\ndocument structure and metadata and (b) overlapping phishing infrastructure.\r\nLike the River of Phish (“RoP”) PDFs (See: Table 2 above), those shared by Proofpoint included identical LibreOffice\r\nversions, seemingly-randomized author names, and en-US language settings.\r\nPublicly-Available PDFs identified by Proofpoint as COLDRIVER\r\nSHA256 | Author Name | Producer | Language\r\nc1fa7cd73a14946fc760a54ebd0c853fab24a080cbf6b8460a949f28801e16fc | Alexis Hill | LibreOffice 7.0 | en-US\r\n603221a64f2843674ad968970365f182c228b7219b32ab3777c265804ef67b0a | Carley Rivers | LibreOffice 7.0 | en-US\r\ndf9d77f3e608c92ef899e5acd1d65d87ce2fdb9aab63bbf58e63e6fd6c768ac3 | Haylie Wolf | LibreOffice 7.0 | en-US\r\nTable 4\r\nPublicly-available COLDRIVER PDFs.\r\nIn addition to the PDF document metadata overlap, we observed substantial visual and content similarities in the PDFs. For\r\nexample, RoP Example 1 shares bait text with this COLDRIVER-attributed text, and RoP Example 2 includes a variant on\r\nthe filename used in the COLDRIVER-attributed PDF (See: Figure 2).\r\nPhishing Infrastructure Overlaps\r\nIn addition to the highly similar PDF content, phishing infrastructure linked from RoP bait PDFs showed substantial\r\noverlaps between the RoP campaign and COLDRIVER. 
The COLDRIVER-attributed PDFs contained links to multiple\r\nphishing domains (For example, See: Table 5).\r\nDomain | Registration Date | Registrar | TLS Issuer\r\ntogochecklist[.]com | 2023-08-28 | NameCheap | Let’s Encrypt\r\nvocabpaper[.]com | 2024-03-15 | Hostinger | Let’s Encrypt\r\nmatalangit[.]org | 2024-05-07 | Hostinger | ZeroSSL\r\nTable 5\r\nDomain registration patterns and TLS issuers for known COLDRIVER PDFs.\r\nThe COLDRIVER phishing domain registration patterns exhibited similar characteristics to the ones we identified, such as\r\nregistration using Hostinger and TLS certificates issued by Let’s Encrypt or ZeroSSL.\r\nArtifact | River of Phish | COLDRIVER\r\nDomain Registrars | Namecheap, Hostinger | Namecheap, Hostinger, others\r\nTLS Certificate Issuers | ZeroSSL, Let’s Encrypt | ZeroSSL, Let’s Encrypt, others\r\nTable 6\r\nComparing River of Phish and COLDRIVER domain registrars and TLS issuers.\r\nIn addition, reporting shared by PwC detailed recent COLDRIVER activity and validated our attribution of both PDFs and\r\ndomains from this campaign.\r\nAdditional TTP Overlap with Prior Public Reporting on COLDRIVER\r\nAdditionally, we noted that River of Phish employed a number of known TTPs of COLDRIVER.\r\nThe social engineering and spear-phishing delivery methodology remained consistent across past COLDRIVER activity and\r\nthe current campaign we are tracking. 
These methods include:\r\nImpersonating a known individual by setting up a Proton Mail account using their name;\r\nUsing information gained through reconnaissance to tailor the message in the initial email to make it look more\r\nauthentic;\r\nEmploying language indicating a desire to collaborate on a shared area of interest; and\r\nUsing a fake password protected/encrypted PDF with the content blurred in the preview.\r\nIn one case, a RoP PDF features the text “Hmm… looks like this file doesn’t have a preview we can show you” (an error\r\nmessage shown by multiple Microsoft services when a file is not previewable) and a 2023 PDF from COLDRIVER features\r\nthe identical text (Figure 4).\r\nFinally, a PDF sent to one of the targets we examined contains multiple RoP elements, as well as an additional element\r\npreviously associated with COLDRIVER. Specifically, the PDF contained an embedded link using a Customer Relationship\r\nManagement (CRM) service previously reported as used by COLDRIVER, not a direct link to actor-registered\r\ninfrastructure. In almost all other aspects, the document matched the RoP campaign. The PDF was sent in March 2024 and\r\nnamed “RS_version 1.3.pdf”. The email sender masqueraded as a retired US official seeking comment on a report on\r\nUkraine. Language in the email describing a purported report and requesting a review was identical to other RoP emails. The\r\nattached PDF matched all RoP metadata, and the name used variants on “RS” and “Draft 1.3” naming observed in multiple\r\nRoP PDFs (See: Figure 2). 
However, unlike the other PDFs that included a direct link to a first-stage domain, this file\r\nincluded a link through HubSpot, a CRM provider.\r\ndj-kqf04.eu1.hubspotlinksfree[.]com/Ctc…\r\nIn 2023, Microsoft identified COLDRIVER as a HubSpot user, and specifically noted the practice of embedding HubSpot\r\ndomains in the targeting PDF in an attempt to evade detection.\r\nRiver of Phish: Signs of Continued Evolution?\r\nIn addition to the previous use of HubSpot, earlier COLDRIVER reporting mentioned clusters of domains named around a\r\nparticular theme or service being impersonated, such as proton-docs[.]com, proton-reader[.]com, and proton-viewer[.]com\r\nreported by Microsoft in 2022. However, both Microsoft and Recorded Future noted that COLDRIVER appeared to be using\r\na “more randomized” domain generation mechanism starting in 2023, suggesting adaptation to previous detection\r\ntechniques, and an effort to hide targets. RoP first-stage infrastructure did not include any themes in domain naming;\r\nhowever, we note that our report focuses specifically on civil society clusters and thus it is possible that COLDRIVER is\r\nusing other domain naming schemas against other targets.\r\nPrevious reporting also identified COLDRIVER domains registered through Namecheap. During this campaign we observed\r\nthat the domain registrar of choice changed to Hostinger sometime between January and March of 2024. PwC reporting\r\nhighlighted that COLDRIVER has previously used Hostinger as a registrar in 2022; however, more evidence is needed to\r\ndetermine whether this is a change that will persist across future COLDRIVER activity.\r\nIn addition to the analysis in this section, we have also developed a YARA rule (See: Appendix) that will assist other\r\nresearchers in identifying other PDF files likely attributable to River of Phish / COLDRIVER.\r\n4. 
COLDWASTREL: A New Threat Actor Surfaces?\r\nIn March 2023, our investigative partner Access Now began receiving cases of personalized phishing. The first were shared\r\nby the Russian human rights organization First Department. Access Now shared the cases with The Citizen Lab.\r\nSuperficially, the messages had much in common with COLDRIVER. For example, the attacker sent PDF attachments with\r\nreferences to ProtonMail and ProtonDrive designed to trick targets into clicking on a link. However, close analysis revealed\r\nnumerous differences, ultimately leading us to conclude that these were the work of a separate threat actor.\r\nConsistent Differences Between Bait PDFs\r\nThis campaign deviates in several important aspects from COLDRIVER, such as the characteristics of the malicious PDF\r\n(see Table 7) and front-end infrastructure. At this time, we assess that this activity cluster is not the work of the\r\nCOLDRIVER operator and warrants further investigation.\r\nArtifact | COLDRIVER | COLDWASTREL\r\nPDF Version | 1.4 | 1.5\r\nPDF Language | en-US | ru-RU\r\nPDF Author | Plausible-yet-obscure English language names | “User”\r\nLinks in PDF | Unique to each PDF | Consistent across multiple targets\r\nLinks in PDF | Redirected to fingerprint, then to separate domain/site to gather credentials | Hosted the phishing kit directly.\r\nTable 7\r\nOverview of differences in the PDFs and infrastructure between two campaigns that shared similarities in social engineering and credential harvesting.\r\nOur colleagues at Access Now have identified an additional COLDWASTREL PDF on VirusTotal which we include here to\r\nassist other researchers in pursuing this threat actor.\r\nCOLDWASTREL PDF on VirusTotal\r\n4a9a2c2926b7b8e388984d38cb9e259fb4060cccc2d291c7910be030ae5301a3\r\nInfrastructure Differences\r\nIn addition to the differences in the PDF 
content and metadata, there were several other notable differences between the two\r\nattacks:\r\nAll pre-2024 COLDWASTREL PDFs contained a link to the same domain, protondrive[.]online. This tactic deviates\r\nfrom the COLDRIVER activity that we investigated, which seemed to use a different domain for each PDF, without\r\nmaking use of a lookalike domain.\r\nThe domain protondrive[.]online also differs from the infrastructure seen with COLDRIVER. The domain was\r\nregistered through URL Solutions Inc, which deviates from the RoP/COLDRIVER TTPs described above.\r\nTogether with Access Now, we are referring to this operator as COLDWASTREL. We hope that other research teams will be\r\nable to advance this investigation further using indicators provided in Access Now’s report. While we are not attributing this\r\ncampaign, and have only a limited number of targets, we note that the COLDWASTREL targeting that we have observed\r\ndoes appear to align with the interests of the Russian government.\r\nFresh COLDWASTREL?\r\nShortly before publication of this report, we tentatively identified what appears to be renewed COLDWASTREL\r\ntargeting, based on TTPs, targeting overlap and infrastructure similarity. In this attack, the decoy PDF included the domain\r\nprotondrive[.]me which, when clicked, redirected to phishing hosted at protondrive[.]services.\r\n5. Why Do Some Governments Still Phish?\r\nGovernmental threat actors, including in states that possess a high degree of technical competency (e.g. reserves of zero-day\r\nexploits), continue to phish because personalized phishing still works. 
When the cost of discovery remains low, phishing\r\nremains not only an effective technique, but a way to continue global targeting while avoiding exposing more sophisticated\r\n(and expensive) capabilities to discovery.\r\nThreat actors like the FSB are equipped with substantial intelligence gathering and analytical capabilities. They possess a\r\ndetailed window into potential targets’ relationships and work activities which enables operators to craft very credible\r\nphishing lures. Research shows that phishing leveraging personal information has a much higher probability of success, and\r\nwe speculate that a mature phishing campaign against a longstanding target benefits from a positive feedback loop in which\r\nmore cycles of phishing yield ever-more detailed information that can be used to create increasingly convincing lures for\r\nfuture victims.\r\nWhere we do see evolution and tactical cleverness from COLDRIVER, it remains just enough to bypass certain modes of\r\ndiscovery. For example, in the River of Phish campaign, we see a wide range of paired sender names, domains, and PDF\r\nmetadata. It is possible that these pairings are each used for only a very small number of targets. This approach may indicate\r\nefforts to evade detection by popular email platforms.\r\nAs platform and endpoint security continues to thwart attacks, attackers must rely on increasingly sophisticated social\r\nengineering that can be hard to distinguish from normal communications. Confirming the authenticity of the message and\r\nsender will protect both parties, and is well worth the extra time and effort. 
As COLDRIVER’s operators must know, this is\r\nnot a practical action for every message.\r\nSmash \u0026 Grab Phishing?\r\nNumerous features of COLDRIVER’s activities increase the chance of a successful compromise while also increasing the\r\nchance that a sophisticated target or analyst will identify the communications as malicious.\r\nFor example, impersonating an individual known to the target increases the likelihood of discovery because the target can\r\nusually contact the impersonated individual to inquire whether the communication is authentic. This chance of discovery is\r\ncompounded by the use of a bait document ruse that is also likely to lead to puzzled victims, reports, and eventual discovery.\r\nThis sort of social engineering tactic is well suited to a persistent adversary that does not face reputational or criminal\r\npenalties from discovery. For example, the operators of COLDRIVER presumably enjoy the protection of the Russian\r\ngovernment, and know better than to schedule a holiday at Disney World in Florida.\r\nWhile the volume of past reporting on COLDRIVER has probably disrupted specific campaigns, it is unlikely to put a stop\r\nto their activity. Indeed, we see evidence that the operator makes minimal changes in their tactics in response to disruptions.\r\nSuch changes buy them a modest window of time to continue targeting even though a degree of discovery, including further\r\nexposure by researchers and even governments, remains inevitable.\r\n6. The Russian Cyber Espionage Landscape\r\nRussia has a long history of espionage that reaches back to pre-Soviet times, and has engaged in cyber espionage campaigns\r\nand active cyber operations for decades. These operations have been extensively studied by academics, civil society\r\norganizations, journalists, governments and the commercial cybersecurity community. 
Generally, Russian cyber espionage\r\nand active cyber operations are undertaken independently by multiple (and sometimes competing) state security agencies,\r\noccasionally with the participation of organized criminal groups or other private sector entities (e.g., NTC Vulkan,\r\nRomCom, Cadet Blizzard).\r\nThere are several Russian and Russian-aligned entities that undertake or are responsible for cyber espionage (see here).\r\nRussia’s foreign intelligence service, the SVR (Sluzhba Vneshney Razvedki), is responsible for foreign intelligence gathering\r\nand is generally known for long-term espionage campaigns such as those publicly referred to as APT29, “Cozy Bear” or\r\n“The Dukes.” SVR-linked campaigns have typically involved accessing credentials of targeted entities through password\r\nspraying, brute forcing, and other means of accessing cloud and other accounts.\r\nRussia’s main intelligence directorate of the armed forces, the GRU, is associated with cyber espionage and cyberwarfare\r\noperations designated as APT28, Fancy Bear, and Sandworm, and has been linked to DDoS and disruptive malware attacks\r\non critical infrastructure, the financial sector, government and non-governmental organizations, and other sectors. The US,\r\nUK and other Western governments have also linked this entity to the compromise of edge routers in order “to host spear-phishing landing pages and custom tools.”\r\nMeanwhile, Russia’s FSB has responsibilities covering internal security, counterintelligence, and foreign espionage. Two\r\nunits within the FSB, Centre 16 and Centre 18, are responsible for cyber espionage, with the activities of COLDRIVER\r\nfalling under the umbrella of the latter. According to a UK government assessment, Centre 18 is also known as the Centre\r\nfor Information Security (TsIB) Military Unit 64829.\r\n7. 
Civil Society Targeting by Russia: Always Present\r\nCyber espionage campaigns and active cyber operations targeting government entities, critical infrastructure, businesses and\r\nfinancial institutions have traditionally received the bulk of commercial cybersecurity firms’ and media attention. However,\r\nthis selection bias arising from commercial priorities has produced a distorted view of the overall victim set. Until recently,\r\nattacks targeting civil society tended to be overlooked in industry and government reporting because civil society lacks the\r\nresources to pay for high-end services, which means that indicators that might be gleaned from civil society may be largely\r\nunseen by cybersecurity firms.\r\nA major takeaway of the last decade and a half of The Citizen Lab’s research into digital espionage is that civil society is a\r\nmajor and often overlooked segment, despite being targeted by the same groups that attack government and industry.\r\nAuthoritarian governments are particularly sensitive to political opposition, dissidents and investigative journalism and\r\nroutinely orient their cyber espionage campaigns towards groups involved in those activities, both at home and abroad.\r\nCyber espionage against civil society is also a major component of digital transnational repression, which has been growing\r\nin scope and scale worldwide.\r\nIn 2017, for example, The Citizen Lab published a report detailing a Russia-aligned hack and leak operation, which we\r\ncalled “Tainted Leaks.” The investigation detailed an extensive phishing operation targeting 200 unique individuals across\r\n39 countries. Those targets included senior government and military officials, CEOs of energy companies, and civil society.\r\nWe discovered that civil society targets, including academics, journalists, activists, and members of NGOs, represented the\r\nsecond largest cluster set (21%), after government officials. 
Although we could not attribute that operation to a single entity,\r\nthere were several indicators suggesting links to APT28, a Russian threat actor affiliated with the GRU.\r\nThese cyber attacks targeting civil society are gaining wider visibility, thanks in part to the 10 plus years of reporting by The\r\nCitizen Lab, Access Now, Amnesty International, investigative journalists, and media consortia. The US, UK, Canada and\r\nother Western governments, as well as cybersecurity firms, have formally acknowledged the frequency of and risks to civil\r\nsociety stemming from cyber espionage and cyber operations, now echoing civil society’s reporting.\r\nOther Digital Threats to Civil Society Groups Working On and In Russia\r\nCivil society is under extreme threat in Russia. A recent study conducted by the Justice for Journalists Foundation counts a\r\ntotal of 5,262 cases of attacks/threats against professional and civilian media workers and editorial offices of traditional and\r\nonline media, as well as against Russian journalists abroad in 2021-2023.\r\nFor those still residing inside the country, the threat of raids and seizure of equipment is ever-present. Russia is currently\r\namong the top five countries in the world for arrests of journalists. In addition, the threat of physical violence for those\r\nlocated both inside and outside Russia is constant, with journalists and civil society figures regularly beaten, tortured,\r\npoisoned, and imprisoned. Prominent opposition voices have been killed, or have died in custody. 
Russia is known for its\r\n“highly aggressive” practice of transnational repression, which involves the targeting of dissidents, human rights defenders,\r\nand other civil society members living in exile/outside Russia through different methods including poisonings and killings.\r\nBeyond these physical threats, civil society groups operating inside Russia, in exile, or other groups working on Russian\r\nissues face a wide range of digital threats. A large number of civil society groups and independent media organizations have\r\nmoved into exile since the 2022 full-scale invasion of Ukraine by Russia. Today, many organizations-in-exile operate in a\r\ngeographically dispersed and decentralized manner, making them dependent on online communications. The critical\r\ndependence on technology combined with frequent resource constraints makes these groups exceptionally vulnerable to a\r\nwide range of digital threats.\r\nCensorship\r\nCommunications and information in Russia are subject to an extensive censorship regime, impacting the ability of audiences\r\nwithin Russia to access information and blocking the flow of information out of Russia. These restrictions include direct\r\ncensorship of websites and social media platforms and blocking on specific communications protocols such as VPNs. This\r\nblocking also hampers organizing and coordination between domestic and foreign civil society organizations. 
For example, a\r\n2023 report from The Citizen Lab on the Russian social networking site VK discovered that the platform “blocked content\r\nposted by independent news organizations, as well as content related to Ukrainian and Belarusian issues, protests, and\r\nlesbian, gay, bisexual, transgender, intersex, and queer (LGBTIQ) content.”\r\nThreats \u0026 Harassment\r\nProminent critics of the regime, antiwar activists, and independent media regularly face extensive intimidation and\r\nharassment campaigns both in and outside of Russia. These campaigns may include highly targeted online threats, backed by\r\nmeticulous research into the personal details and surveillance of the target.\r\nIndirect Censorship Through Malicious Reporting and Pressuring Tech Platforms\r\nProminent regime targets are often subjected to extensive and coordinated campaigns to report social media accounts and\r\nposts on platforms, like Instagram and Facebook, with the goal of triggering account suspensions and post deletions. For\r\nexample, a prominent Russian researcher and antiwar activist who spoke with us counted 83 complaints against her\r\nInstagram account submitted in a single 11-hour period in July 2024. The Russian government has also reportedly applied\r\npressure on companies like Apple and Google to delete opposition and VPN apps, as well as civil society YouTube videos.\r\nAccount Takeovers and Honeypots\r\nBeyond the sophisticated social engineering described in this report, popular chat programs, such as Telegram, are regularly\r\ntargeted with a range of tactics for account hijacking and takeovers.\r\nThe number of tactics to target accounts and private information are too numerous to list, and are constantly evolving. For\r\nexample, the co-founder of a Russian NGO that assists imprisoned antiwar activists described to us a new attack technique\r\nwhich relies on a fake Telegram “Helpline bot” impersonating the project of a genuine non-governmental organization. 
Such\r\na fake helpline could be easily used to gather account information and identifying details from at-risk activists inside Russia,\r\npotentially as a precursor to eliciting sensitive information or account takeovers.\r\n8. Protect Yourself \u0026 Your Colleagues\r\nWe believe that COLDRIVER and other Russian-government backed threat actors will persist in targeting civil society.\r\nWhile large email platforms continue to track and seek to disrupt these operators, this case shows that attacks can still make\r\nit through their defenses and into inboxes.\r\nDo you think you have been targeted by COLDRIVER, COLDWASTREL or other kinds of personalized phishing?\r\nWe encourage you to contact Access Now’s Digital Security Helpline to seek assistance.\r\nDo you think that COLDRIVER or similar governmental phishing groups may target you in the future? If so, we\r\nencourage you to review the steps below. However, these recommendations are not comprehensive, and there is no\r\nsubstitute for seeking expert assistance from competent professionals such as Access Now’s Helpline.\r\nThe following recommendations have been prepared jointly by Access Now and The Citizen Lab:\r\nStart with Prevention\r\nUse two-factor authentication, correctly: Experts agree that setting up two-factor authentication (2FA) is one of the most\r\npowerful ways to protect your account from getting hacked.\r\nHowever, hackers like COLDRIVER and COLDWASTREL may try to trick you into entering your second factor; we have\r\nseen attackers successfully compromise a victim who had enabled 2FA. People using SMS-messaging as their second factor\r\nare also at greater risk of having their codes stolen, if a bad actor takes over their phone account.\r\nWe recommend that people use more advanced 2FA options such as security keys or, if they are Gmail users, Google\r\nPasskeys. 
Here are three guides for increasing the level of security for your account:\r\nGet Google Passkeys (Google)\r\nHow to: Enable two-factor authentication (Electronic Frontier Foundation)\r\nSet up multi factor authentication (Consumer Reports)\r\nUse a security key (Consumer Reports)\r\nEnroll in programs for high-risk users. Google and some other providers offer optional programs for people who, because\r\nof who they are or what they do, may face additional digital risks. These programs not only increase the security of your\r\naccount, but also flag to companies that you may face more sophisticated attacks. Such programs include:\r\nGoogle Advanced Protection\r\nMicrosoft Account Guard\r\nProton Sentinel\r\nReceived a Message? Be a Five Second Detective\r\nStep one: check your inbox for the sender’s email. Ask yourself if you have received messages from this account\r\nbefore. COLDRIVER often uses lookalike emails to impersonate people known to the target either personally or\r\nprofessionally, so you may see an email that appears to come from someone you know, writing about something you\r\nwould expect them to write about. Even if you have received previous messages from the same email address, it is\r\npossible to “spoof” a familiar looking email address, so move on to the next step.\r\nStep two: check with the sender over a different medium. If you have any concerns or are at all suspicious, do not\r\nopen any PDF attachment or click on any link sent in the email. Instead, check directly with the purported sender, via\r\nanother service, to confirm whether or not they’ve reached out to you. If you don’t already have direct contact with\r\nthem, consider asking someone you trust to inquire on your behalf.\r\nStep three: don’t just click. Always consult an expert before opening a document you are unsure about. If you want\r\nto view a document that you think is probably safe, but want to take care, open the file within your webmail. 
Google,\r\nMicrosoft, and others open the files on their computers and display the contents to you. This protects you from\r\nmalicious code embedded in a document. But it will not prevent you from clicking on potentially malicious links\r\ninside the document.\r\nIf you are viewing an attached document inside your webmail, you should remain careful. Don’t just click on\r\nany links; copy and paste them into your browser before visiting. Examine the domain carefully: Is it what\r\nyou would expect for the site you expect to be visiting? Advanced phishing kits are very good at\r\nimpersonating popular services, and often the only visual clue that it is not the authentic site will be in the\r\naddress bar of the browser.\r\nIf you see a “login page” pop up, stop. This is a good time to consult a trusted expert.\r\nStep four: beware of “encrypted” or “protected” PDFs. This kind of message is almost always a cause for\r\nconcern. Legitimately encrypted PDFs almost never include a single “click here” button inside the PDF, and they\r\ndon’t show a blurred version of the contents. Never click on any “login” links or “buttons” inside a PDF you have\r\nbeen sent.\r\nConsidering Online Virus Checking Sites? You may wish to use online virus scanning sites such as VirusTotal or Hybrid\r\nAnalysis to check suspicious links or files.\r\nThese services offer a useful service and can be part of a good security practice, but they come with a very important\r\ncaveat: when you use such free services, you are not the customer, you are the product. Your files are available to\r\nmany researchers, companies, and governments.\r\nWe do not recommend using such tools to check “sensitive” files that may contain personal information or other\r\nprivate topics. 
Instead, contact a trusted expert that can help.\r\nThink you are Being Targeted?\r\nThese recommendations address the kind of phishing that COLDRIVER and COLDWASTREL are currently using, but\r\nthere are many other ways you could be targeted. Whatever your level of risk, we encourage you to get personalized security\r\nrecommendations from the Security Planner, which also maintains a list of emergency resources and advanced security\r\nguides.\r\nIf you suspect that you have already been targeted in an attack, reach out to a trusted practitioner for advice. It is crucial to\r\nevaluate any damage to your organization and/or to other related organizations and individuals, such as partners,\r\nparticipants, grantees, and others. If this is the case, keep them informed about what has happened, what has been leaked,\r\nhow this may impact them, and what steps you are taking to mitigate this impact.\r\nIf you believe you have been compromised: Access Now’s Digital Security Helpline is available to support members of\r\ncivil society, including activists, media organizations, journalists, and human rights defenders, 24/7 in nine languages,\r\nincluding Russian.\r\nChange your password right away. If you are using the same password for other accounts, you should change the\r\npassword for those accounts, too. Consider using a password manager to keep track of multiple passwords.\r\nYou can also review access logs on your accounts, such as Proton Mail’s Authentication Logs, Gmail’s Last Account\r\nActivity, and review devices with account access, as well as Microsoft’s Check recent sign-in activity. Some users\r\nmay still have questions after reviewing these logs. 
We encourage you to make a copy of the logs if you suspect you\r\nmay have been targeted, to share with an expert for review.\r\nAcknowledgments\r\nThe Citizen Lab would like to express our deepest gratitude to the many targets and organizations with suspect messages\r\nthat consented to share indicators and materials with us, and discuss their experiences. Without their participation, this\r\ninvestigation would have been impossible.\r\nWe would also like to thank many researchers and threat intelligence teams for feedback, including the teams at Mandiant,\r\nMicrosoft Threat Intelligence Center, Proofpoint, and PwC.\r\nWe also thank Friendly Robot and TNG.\r\nThanks to our colleagues at The Citizen Lab Siena Anstis, Jakub Dalek, Bill Marczak, and Adam Senft for their careful\r\nreview and editorial assistance, Mari Zhou for graphical assistance and report art, and Snigdha Basu and Alyson Bruce for\r\ncommunications support.\r\nAppendix: Indicators of Compromise\r\nCOLDRIVER PDF Hashes\r\nb07d54a178726ffb9f2d5a38e64116cbdc361a1a0248fb89300275986dc5b69d\r\n0ded441749c5391234a59d712c9d8375955ebd3d4d5848837b8211c6b27a4e88\r\nefa2fd8f8808164d6986aedd6c8b45bb83edd70ca4e80d7ff563a3fbc05eab89\r\nc1fa7cd73a14946fc760a54ebd0c853fab24a080cbf6b8460a949f28801e16fc\r\n603221a64f2843674ad968970365f182c228b7219b32ab3777c265804ef67b0a\r\ndf9d77f3e608c92ef899e5acd1d65d87ce2fdb9aab63bbf58e63e6fd6c768ac3\r\n384d3027d92c13da55ceef9a375e8887d908fd54013f49167946e1791730ba22\r\n79f93e57ad6be28aae62d14135140289f09f86d3a093551bd234adc0021bb827\r\n00664f72386b256d74176aacbe6d1d6f6dd515dd4b2fcb955f5e0f6f92fa078e\r\nYara Rule for River of Phish PDFs\r\nCOLDRIVER First-Stage 
Domains\r\nithostprotocol[.]com\r\nxsltweemat[.]org\r\negenre[.]net\r\nesestacey[.]net\r\nideaspire[.]net\r\neilatocare[.]com\r\nvocabpaper[.]com\r\nmatalangit[.]org\r\ntogochecklist[.]com\r\nCOLDWASTREL PDF on VirusTotal\r\n4a9a2c2926b7b8e388984d38cb9e259fb4060cccc2d291c7910be030ae5301a3\r\nCOLDWASTREL Domains\r\nprotondrive[.]online\r\nprotondrive[.]services (tentative)\r\nprotondrive[.]me (tentative)\r\nservice-proton[.]me (Per Access Now’s analysis)\r\nSource: https://citizenlab.ca/2024/08/sophisticated-phishing-targets-russias-perceived-enemies-around-the-globe/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://citizenlab.ca/2024/08/sophisticated-phishing-targets-russias-perceived-enemies-around-the-globe/"
	],
	"report_names": [
		"sophisticated-phishing-targets-russias-perceived-enemies-around-the-globe"
	],
	"threat_actors": [
		{
			"id": "5dae3c71-8be1-4591-a2fb-b851ea6f083d",
			"created_at": "2022-10-25T16:07:23.432642Z",
			"updated_at": "2026-04-10T02:00:04.600341Z",
			"deleted_at": null,
			"main_name": "Callisto Group",
			"aliases": [],
			"source_name": "ETDA:Callisto Group",
			"tools": [
				"RCS Galileo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "555e2cac-931d-4ad4-8eaa-64df6451059d",
			"created_at": "2023-01-06T13:46:39.48103Z",
			"updated_at": "2026-04-10T02:00:03.342729Z",
			"deleted_at": null,
			"main_name": "RomCom",
			"aliases": [
				"UAT-5647",
				"Storm-0978"
			],
			"source_name": "MISPGALAXY:RomCom",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d58052ba-978b-4775-985a-26ed8e64f98c",
			"created_at": "2023-09-07T02:02:48.069895Z",
			"updated_at": "2026-04-10T02:00:04.946879Z",
			"deleted_at": null,
			"main_name": "Tropical Scorpius",
			"aliases": [
				"DEV-0978",
				"RomCom",
				"Storm-0671",
				"Storm-0978",
				"TA829",
				"Tropical Scorpius",
				"UAC-0180",
				"UNC2596",
				"Void Rabisu"
			],
			"source_name": "ETDA:Tropical Scorpius",
			"tools": [
				"COLDDRAW",
				"Cuba",
				"Industrial Spy",
				"PEAPOD",
				"ROMCOM",
				"ROMCOM RAT",
				"SingleCamper",
				"SnipBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eecf54a2-2deb-41e5-9857-fed94a53f858",
			"created_at": "2023-01-06T13:46:39.349959Z",
			"updated_at": "2026-04-10T02:00:03.296196Z",
			"deleted_at": null,
			"main_name": "SaintBear",
			"aliases": [
				"Bleeding Bear",
				"Cadet Blizzard",
				"Nascent Ursa",
				"Nodaria",
				"Storm-0587",
				"DEV-0587",
				"Saint Bear",
				"EMBER BEAR",
				"UNC2589",
				"TA471",
				"UAC-0056",
				"FROZENVISTA",
				"Lorec53",
				"Lorec Bear"
			],
			"source_name": "MISPGALAXY:SaintBear",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "79bd28a6-dc10-419b-bee7-25511ae9d3d4",
			"created_at": "2023-01-06T13:46:38.581534Z",
			"updated_at": "2026-04-10T02:00:03.029872Z",
			"deleted_at": null,
			"main_name": "Callisto",
			"aliases": [
				"BlueCharlie",
				"Star Blizzard",
				"TAG-53",
				"Blue Callisto",
				"TA446",
				"IRON FRONTIER",
				"UNC4057",
				"COLDRIVER",
				"SEABORGIUM",
				"GOSSAMER BEAR"
			],
			"source_name": "MISPGALAXY:Callisto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c28760b2-5ec6-42ad-852f-be00372a7ce4",
			"created_at": "2022-10-27T08:27:13.172734Z",
			"updated_at": "2026-04-10T02:00:05.279557Z",
			"deleted_at": null,
			"main_name": "Ember Bear",
			"aliases": [
				"Ember Bear",
				"UNC2589",
				"Bleeding Bear",
				"DEV-0586",
				"Cadet Blizzard",
				"Frozenvista",
				"UAC-0056"
			],
			"source_name": "MITRE:Ember Bear",
			"tools": [
				"P.A.S. Webshell",
				"CrackMapExec",
				"ngrok",
				"reGeorg",
				"WhisperGate",
				"Saint Bot",
				"PsExec",
				"Rclone",
				"Impacket"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aedca2f-6f6c-4470-af26-a46097d3eab5",
			"created_at": "2024-11-01T02:00:52.689773Z",
			"updated_at": "2026-04-10T02:00:05.396502Z",
			"deleted_at": null,
			"main_name": "Star Blizzard",
			"aliases": [
				"Star Blizzard",
				"SEABORGIUM",
				"Callisto Group",
				"TA446",
				"COLDRIVER"
			],
			"source_name": "MITRE:Star Blizzard",
			"tools": [
				"Spica"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2d06d270-acfd-4db8-83a8-4ff68b9b1ada",
			"created_at": "2022-10-25T16:07:23.477794Z",
			"updated_at": "2026-04-10T02:00:04.625004Z",
			"deleted_at": null,
			"main_name": "Cold River",
			"aliases": [
				"Blue Callisto",
				"BlueCharlie",
				"Calisto",
				"Cobalt Edgewater",
				"Gossamer Bear",
				"Grey Pro",
				"IRON FRONTIER",
				"Mythic Ursa",
				"Nahr Elbard",
				"Nahr el bared",
				"Seaborgium",
				"Star Blizzard",
				"TA446",
				"TAG-53",
				"UNC4057"
			],
			"source_name": "ETDA:Cold River",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"DNSpionage",
				"LOSTKEYS",
				"SPICA"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a057a97-db21-4261-804b-4b071a03c124",
			"created_at": "2024-06-04T02:03:07.953282Z",
			"updated_at": "2026-04-10T02:00:03.813595Z",
			"deleted_at": null,
			"main_name": "IRON FRONTIER",
			"aliases": [
				"Blue Callisto ",
				"BlueCharlie ",
				"CALISTO ",
				"COLDRIVER ",
				"Callisto Group ",
				"GOSSAMER BEAR ",
				"SEABORGIUM ",
				"Star Blizzard ",
				"TA446 "
			],
			"source_name": "Secureworks:IRON FRONTIER",
			"tools": [
				"Evilginx2",
				"Galileo RCS",
				"SPICA"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bdbf873a-048d-4c5d-9d92-922327cc83a8",
			"created_at": "2023-01-06T13:46:39.387696Z",
			"updated_at": "2026-04-10T02:00:03.310459Z",
			"deleted_at": null,
			"main_name": "DEV-0586",
			"aliases": [
				"Ruinous Ursa",
				"Cadet Blizzard"
			],
			"source_name": "MISPGALAXY:DEV-0586",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "025b7171-98f8-4391-adc2-66333629c715",
			"created_at": "2023-06-23T02:04:34.120175Z",
			"updated_at": "2026-04-10T02:00:04.599019Z",
			"deleted_at": null,
			"main_name": "Cadet Blizzard",
			"aliases": [
				"DEV-0586",
				"Operation Bleeding Bear",
				"Ruinous Ursa"
			],
			"source_name": "ETDA:Cadet Blizzard",
			"tools": [
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"P0wnyshell",
				"PAYWIPE",
				"Ponyshell",
				"Pownyshell",
				"WhisperGate",
				"WhisperKill",
				"netcat",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434406,
	"ts_updated_at": 1775826783,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/320934ef179ba766d11a1c48c09747ee227ed48c.pdf",
		"text": "https://archive.orkl.eu/320934ef179ba766d11a1c48c09747ee227ed48c.txt",
		"img": "https://archive.orkl.eu/320934ef179ba766d11a1c48c09747ee227ed48c.jpg"
	}
}