{
	"id": "f12ad91e-a1b3-4a69-b98a-f549eaf937ac",
	"created_at": "2026-04-06T00:18:20.890852Z",
	"updated_at": "2026-04-10T03:37:04.44776Z",
	"deleted_at": null,
	"sha1_hash": "38dd2173791d63504c4a4f4b840a5661215deeac",
	"title": "Calisto show interests into entities involved in Ukraine war support",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 192995,
	"plain_text": "Calisto show interests into entities involved in Ukraine war support\r\nBy Felix Aimé, Maxime A. and Sekoia TDR\r\nPublished: 2022-12-05 · Archived: 2026-04-05 16:11:08 UTC\r\nCalisto (aka Callisto, COLDRIVER) is suspected to be a Russian-nexus intrusion set active since at least April\r\n2017. Although it was not publicly attributed to any Russian intelligence service, past Calisto operations showed\r\nobjectives and victimology that align closely with Russian strategic interests.\r\nCalisto mainly focuses on Western countries, especially the United States, and Eastern European countries. The\r\ngroup was observed carrying out phishing campaigns aiming at credential theft, targeting military and strategic\r\nresearch sectors such as NATO entities and a Ukraine-based defense contractor, as well as NGOs and think tanks.\r\nAdditional victimology includes former intelligence officials, experts in Russian matters, and Russian citizens\r\nabroad.\r\nWhile the Security Service of Ukraine (SBU) publicly associated Calisto with Gamaredon Group, an intrusion set\r\nattributed to the Russian Federal Security Service (FSB) that has focused essentially on Ukraine operations since the\r\nbeginning of the Russian invasion in February 2022, this link is not supported by other security companies or\r\nresearchers. SEKOIA.IO conducted further technical investigations but did not find any overlap between Calisto\r\nand Gamaredon activities.\r\nTechnical analysis\r\nBased on SEKOIA.IO EvilGinx trackers, we came across domains known to us as aligning with past Calisto\r\nactivities. 
Further investigations led to a larger infrastructure composed of more than 80 domains, including\r\ndomains typosquatting entities.\r\nAs several of these domains were already known and resolved to IP addresses already attributed to Calisto activities,\r\nSEKOIA.IO associates these domains with Calisto with high confidence.\r\nIn past observed campaigns, Calisto operators sent malicious PDF attachments to their victims. The first page of\r\nthe PDF mimics an error in the PDF renderer engine, inciting the victim to open a link leading to a malicious\r\nweb page. This webpage aims at gathering the victim’s credentials by using EvilGinx. Here are a few examples of\r\nPDFs retrieved in this investigation:\r\nhttps://blog.sekoia.io/calisto-show-interests-into-entities-involved-in-ukraine-war-support\r\nPage 1 of 6\n\nFigure 1. First pages of malicious PDFs sent by Calisto\r\nThe last pages of the documents contain blobs of spirals and text, as shown below. SEKOIA.IO analysts still don’t\r\nknow why such gibberish is used, as it appears useless as an anti-detection trick. However, putting the\r\nphishing link in a PDF instead of in the email body prevents link analysis by email gateways and is a good\r\ntactic to remain undetected from an attacker point of view.\r\nFigure 2. Garbage present in the last document pages\r\nVictimology analysis\r\nSEKOIA.IO conducted open-source research on the typosquatted domains to identify targets. As we write this\r\npaper, we found six private companies based in the US and Eastern Europe, and four non-governmental\r\norganizations (NGOs), all involved in Ukraine support. SEKOIA.IO contacted the NGOs to get the phishing\r\nemail or payload.\r\nOne of them shared the email exchange between the victim and the attacker using a\r\nspoofed email from a “trusted source”, including the malicious PDF payload, a technique previously observed in\r\nCalisto campaigns. 
The email exchange shows that the attacker did not include the malicious payload in the first\r\nemail, but waited to get an answer to build a relationship and avoid suspicion before sending the payload to the\r\nvictim. That Calisto social engineering technique was already observed by Microsoft.\r\nMost of the targeted private organizations are involved in military equipment, military logistics or\r\nhumanitarian support for Ukraine, including a US company that provides humanitarian logistics and possibly\r\ntactical equipment to Kiev. Other sectors include communication technologies and cybersecurity (medium\r\nconfidence):\r\nUMO, Polish company, military equipment (high confidence);\r\nEmcompass, Ukrainian company, military logistics (high confidence);\r\nDTGruelle, US company, logistics (high confidence);\r\nGlobal Ordnance, US company, military and tactical equipment (high confidence);\r\nBotGuard, Estonian company, cybersecurity (medium confidence);\r\nBlue Sky Network, US company, satellite communications (high confidence).\r\nAdditional potential victims include NGOs and think tanks involved in conflict resolution and war crime\r\ninvestigation, including an organization also involved in the Syrian civil war crime investigation and previously\r\ntargeted by an Indian hack-for-hire company in June 2020. 
Most of the NGOs and think tanks targeted are\r\npublicly supporting Ukraine.\r\nInternational Center on Nonviolent Conflict, US think tank promoting non-military strategies by\r\ncivilian-based movements to defend human rights (high confidence);\r\nCommission for International Justice and Accountability, Europe-based NGO, evidence collection for\r\nhuman rights violations and war crimes (high confidence);\r\nCentre for Humanitarian Dialogue, Swiss-based NGO, mediation and diplomacy for conflict resolution\r\n(high confidence);\r\nFoundation for support of reforms in Ukraine, Ukraine-based NGO, economic reforms promotion,\r\nlikely involved in post-war reconstruction planning (medium confidence).\r\nSEKOIA.IO notes that the victimology observed through the investigation matches known Calisto victimology,\r\nnamely the strategic research, civil society and military equipment sectors, as well as entities and individuals involved\r\nin Russian matters.\r\nCalisto targets not directly related to Ukraine support\r\nAmong the discovered Calisto malicious domains, three caught SEKOIA.IO analysts’ attention: mvd-redir[.]ru and\r\ndns-mvd[.]ru (high confidence), which are highly likely typosquatting the Russian Ministry of Interior, and lk-nalog-gov[.]ru (low confidence), the Russian Federal Taxation Service. Based on the fact that Calisto was observed\r\ntargeting Russian individuals abroad, SEKOIA.IO assesses it is plausible that Calisto conducts domestic\r\nsurveillance as well. Another less plausible hypothesis would be a false-flag maneuver to raise doubts about the\r\ninfrastructure’s attribution.\r\nSEKOIA.IO found another potential victim that matches Calisto known targeting. The domains\r\nsangrail-share[.]com and sangrail-ltd[.]com are typosquatting Sangrail Inc., a private security\r\ncompany, registered in the UK on 31 July 2019 by Ian Walter Baharie. That name was also used to register\r\nAC21 [1], a British private intelligence company focused on African politics. 
Interestingly, that name showed up\r\nin a 17-year-old data leak exposing a list of several MI6 officers on cryptome.org, a website dedicated to\r\ninformation leaks. That observation matches Microsoft’s assessment on Calisto targeting former intelligence\r\nofficers.\r\nConclusion\r\nDespite the absence of technical evidence associating Calisto activities with a known Russian cyber offensive\r\nservice, Sekoia.io assesses that this intrusion set’s intelligence collection activities targeting parties involved in\r\nUkraine support, especially those in tactical equipment logistics, probably contribute to Russian efforts to\r\ndisrupt Kiev’s supply chain for military reinforcements.\r\nBased on the targeting of the Commission for International Justice and Accountability NGO, Sekoia.io assesses that\r\nCalisto contributes to Russian intelligence collection about identified war crime-related evidence and/or\r\ninternational justice procedures, likely to anticipate and build a counter-narrative to future accusations.\r\nTo provide our customers with actionable intelligence, Sekoia.io analysts will continue to monitor state-sponsored\r\nadvanced and persistent threats, including Calisto, as well as cybercrime-related groups. 
We welcome any\r\nfeedback and/or additional input to further contribute to understanding and countering the Calisto threat.\r\nIOCs \u0026 Technical Details\r\nExternal references:\r\n[1] https://www.ac21.co.uk/, accessed December 5, 2024\r\nSource: https://blog.sekoia.io/calisto-show-interests-into-entities-involved-in-ukraine-war-support",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://blog.sekoia.io/calisto-show-interests-into-entities-involved-in-ukraine-war-support"
	],
	"report_names": [
		"calisto-show-interests-into-entities-involved-in-ukraine-war-support"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "79bd28a6-dc10-419b-bee7-25511ae9d3d4",
			"created_at": "2023-01-06T13:46:38.581534Z",
			"updated_at": "2026-04-10T02:00:03.029872Z",
			"deleted_at": null,
			"main_name": "Callisto",
			"aliases": [
				"BlueCharlie",
				"Star Blizzard",
				"TAG-53",
				"Blue Callisto",
				"TA446",
				"IRON FRONTIER",
				"UNC4057",
				"COLDRIVER",
				"SEABORGIUM",
				"GOSSAMER BEAR"
			],
			"source_name": "MISPGALAXY:Callisto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d5156b55-5d7d-4fb2-836f-861d2e868147",
			"created_at": "2023-01-06T13:46:38.557326Z",
			"updated_at": "2026-04-10T02:00:03.023048Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"ACTINIUM",
				"DEV-0157",
				"Blue Otso",
				"G0047",
				"IRON TILDEN",
				"PRIMITIVE BEAR",
				"Shuckworm",
				"UAC-0010",
				"BlueAlpha",
				"Trident Ursa",
				"Winterflounder",
				"Aqua Blizzard",
				"Actinium"
			],
			"source_name": "MISPGALAXY:Gamaredon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aedca2f-6f6c-4470-af26-a46097d3eab5",
			"created_at": "2024-11-01T02:00:52.689773Z",
			"updated_at": "2026-04-10T02:00:05.396502Z",
			"deleted_at": null,
			"main_name": "Star Blizzard",
			"aliases": [
				"Star Blizzard",
				"SEABORGIUM",
				"Callisto Group",
				"TA446",
				"COLDRIVER"
			],
			"source_name": "MITRE:Star Blizzard",
			"tools": [
				"Spica"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2d06d270-acfd-4db8-83a8-4ff68b9b1ada",
			"created_at": "2022-10-25T16:07:23.477794Z",
			"updated_at": "2026-04-10T02:00:04.625004Z",
			"deleted_at": null,
			"main_name": "Cold River",
			"aliases": [
				"Blue Callisto",
				"BlueCharlie",
				"Calisto",
				"Cobalt Edgewater",
				"Gossamer Bear",
				"Grey Pro",
				"IRON FRONTIER",
				"Mythic Ursa",
				"Nahr Elbard",
				"Nahr el bared",
				"Seaborgium",
				"Star Blizzard",
				"TA446",
				"TAG-53",
				"UNC4057"
			],
			"source_name": "ETDA:Cold River",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"DNSpionage",
				"LOSTKEYS",
				"SPICA"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a057a97-db21-4261-804b-4b071a03c124",
			"created_at": "2024-06-04T02:03:07.953282Z",
			"updated_at": "2026-04-10T02:00:03.813595Z",
			"deleted_at": null,
			"main_name": "IRON FRONTIER",
			"aliases": [
				"Blue Callisto ",
				"BlueCharlie ",
				"CALISTO ",
				"COLDRIVER ",
				"Callisto Group ",
				"GOSSAMER BEAR ",
				"SEABORGIUM ",
				"Star Blizzard ",
				"TA446 "
			],
			"source_name": "Secureworks:IRON FRONTIER",
			"tools": [
				"Evilginx2",
				"Galileo RCS",
				"SPICA"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434700,
	"ts_updated_at": 1775792224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/38dd2173791d63504c4a4f4b840a5661215deeac.pdf",
		"text": "https://archive.orkl.eu/38dd2173791d63504c4a4f4b840a5661215deeac.txt",
		"img": "https://archive.orkl.eu/38dd2173791d63504c4a4f4b840a5661215deeac.jpg"
	}
}