{
	"id": "bbf286d2-eba7-42b7-a236-2962e1883e05",
	"created_at": "2026-04-06T00:22:16.688383Z",
	"updated_at": "2026-04-10T03:35:41.875874Z",
	"deleted_at": null,
	"sha1_hash": "36f11f6cdd6119923e660798f1047312d12a32cb",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 44273,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 21:03:46 UTC\r\n APT group: Callisto Group\r\nNames Callisto Group (F-Secure)\r\nCountry [Unknown]\r\nMotivation Information theft and espionage\r\nFirst seen 2013\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=1d40756d-0618-4559-a46a-79672377cebe\r\nDescription\r\n(F-Secure) The most obvious common theme between all known targets of the Callisto Group\r\nis an involvement in European foreign and security policy, whether as a military or\r\ngovernment official, being employed by a think tank, or working as a journalist. More\r\nspecifically, many of the known targets have a clear relation to foreign and security policy\r\ninvolving both Eastern Europe and the South Caucasus.\r\nThis targeting suggests the Callisto Group is interested in intelligence gathering related to\r\nforeign and security policy. Furthermore, we are unaware of any targeting in the described\r\nattacks that would suggest a financial motive.\r\nIt is worth noting that during our investigation we uncovered links between infrastructure\r\nassociated with the Callisto Group and infrastructure used to host online stores selling\r\ncontrolled substances. While we don’t yet know enough to fully understand the nature of these\r\nlinks, they do suggest the existence of connections between the Callisto Group and criminal\r\nactors.\r\nWhile the targeting would suggest that the main benefactor of the Callisto Group’s activity is a\r\nnation state with specific interest in the Eastern Europe and South Caucasus regions, the link\r\nto infrastructure used for the sale of controlled substances hints at the involvement of a\r\ncriminal element. Finally, the infrastructure associated with the Callisto Group and related\r\ninfrastructure contain links to at least Russia, Ukraine, and China in both the content hosted on\r\nthe infrastructure, and in WHOIS information associated with the infrastructure.\r\nIt is possible to come up with a number of plausible theories to explain the above findings. For\r\nexample, a cybercrime group with ties to a nation state, such as acting on behalf of or for the\r\nbenefit of a government agency, is one potential explanation. However, we do not believe it is\r\npossible to make any definitive assertions regarding the nature or affiliation of the Callisto\r\nGroup based on the currently available information.\r\nObserved\r\nSectors: Defense, Government, Think Tanks and journalists.\r\nCountries: Europe and the South Caucasus.\r\nTools used RCS Galileo.\r\nInformation \u003chttps://www.f-secure.com/documents/996508/1030745/callisto-group\u003e\r\nLast change to this card: 01 January 2023\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=1d40756d-0618-4559-a46a-79672377cebe",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=1d40756d-0618-4559-a46a-79672377cebe"
	],
	"report_names": [
		"showcard.cgi?u=1d40756d-0618-4559-a46a-79672377cebe"
	],
	"threat_actors": [
		{
			"id": "5dae3c71-8be1-4591-a2fb-b851ea6f083d",
			"created_at": "2022-10-25T16:07:23.432642Z",
			"updated_at": "2026-04-10T02:00:04.600341Z",
			"deleted_at": null,
			"main_name": "Callisto Group",
			"aliases": [],
			"source_name": "ETDA:Callisto Group",
			"tools": [
				"RCS Galileo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "79bd28a6-dc10-419b-bee7-25511ae9d3d4",
			"created_at": "2023-01-06T13:46:38.581534Z",
			"updated_at": "2026-04-10T02:00:03.029872Z",
			"deleted_at": null,
			"main_name": "Callisto",
			"aliases": [
				"BlueCharlie",
				"Star Blizzard",
				"TAG-53",
				"Blue Callisto",
				"TA446",
				"IRON FRONTIER",
				"UNC4057",
				"COLDRIVER",
				"SEABORGIUM",
				"GOSSAMER BEAR"
			],
			"source_name": "MISPGALAXY:Callisto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aedca2f-6f6c-4470-af26-a46097d3eab5",
			"created_at": "2024-11-01T02:00:52.689773Z",
			"updated_at": "2026-04-10T02:00:05.396502Z",
			"deleted_at": null,
			"main_name": "Star Blizzard",
			"aliases": [
				"Star Blizzard",
				"SEABORGIUM",
				"Callisto Group",
				"TA446",
				"COLDRIVER"
			],
			"source_name": "MITRE:Star Blizzard",
			"tools": [
				"Spica"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3a057a97-db21-4261-804b-4b071a03c124",
			"created_at": "2024-06-04T02:03:07.953282Z",
			"updated_at": "2026-04-10T02:00:03.813595Z",
			"deleted_at": null,
			"main_name": "IRON FRONTIER",
			"aliases": [
				"Blue Callisto ",
				"BlueCharlie ",
				"CALISTO ",
				"COLDRIVER ",
				"Callisto Group ",
				"GOSSAMER BEAR ",
				"SEABORGIUM ",
				"Star Blizzard ",
				"TA446 "
			],
			"source_name": "Secureworks:IRON FRONTIER",
			"tools": [
				"Evilginx2",
				"Galileo RCS",
				"SPICA"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434936,
	"ts_updated_at": 1775792141,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/36f11f6cdd6119923e660798f1047312d12a32cb.pdf",
		"text": "https://archive.orkl.eu/36f11f6cdd6119923e660798f1047312d12a32cb.txt",
		"img": "https://archive.orkl.eu/36f11f6cdd6119923e660798f1047312d12a32cb.jpg"
	}
}