{
	"id": "fb3a0ea9-3329-4a96-8af8-10b16fb6184a",
	"created_at": "2026-04-06T15:52:30.054838Z",
	"updated_at": "2026-04-10T03:35:42.027899Z",
	"deleted_at": null,
	"sha1_hash": "58ebde5edfe5c246dd638b335391bd260ff619f4",
	"title": "Justice Department Disrupts Russian Intelligence Spear-Phishing Efforts",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54931,
	"plain_text": "Justice Department Disrupts Russian Intelligence Spear-Phishing Efforts\r\nPublished: 2024-10-02 · Archived: 2026-04-06 15:26:19 UTC\r\nThe Justice Department announced today the unsealing of a warrant authorizing the seizure of 41 internet domains used by Russian intelligence agents and their proxies to commit computer fraud and abuse in the United States. As an example of the Department’s commitment to public-private operational collaboration to disrupt such adversaries’ malicious cyber activities, as set forth in the National Cybersecurity Strategy, the Department acted concurrently with a Microsoft civil action to restrain 66 internet domains used by the same actors.\r\n“Today’s seizure of 41 internet domains reflects the Justice Department’s cyber strategy in action – using all tools to disrupt and deter malicious, state-sponsored cyber actors,” said Deputy Attorney General Lisa Monaco. “The Russian government ran this scheme to steal Americans’ sensitive information, using seemingly legitimate email accounts to trick victims into revealing account credentials. With the continued support of our private sector partners, we will be relentless in exposing Russian actors and cybercriminals and depriving them of the tools of their illicit trade.”\r\n“This disruption exemplifies our ongoing efforts to expel Russian intelligence agents from the online infrastructure they have used to target individuals, businesses, and governments around the world,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division. 
“Working closely with private-sector partners such as Microsoft, the National Security Division uses the full reach of our authorities to confront the cyber-enabled threats of tomorrow from Russia and other adversaries.”\r\n“Working in close collaboration with public and private sector partners—in this case through the execution of domain seizures—we remain in prime position to counter and defeat a broad range of cyber threats posed by adversaries,” said FBI Deputy Director Paul Abbate. “Our efforts to prevent the theft of information by state-sponsored criminal actors are relentless, and we will continue our work in this arena with partners who share our common goals.”\r\n“This seizure is part of a coordinated response with our private sector partners to dismantle the infrastructure that cyber espionage actors use to attack U.S. and international targets,” said U.S. Attorney Ismail J. Ramsey for the Northern District of California. “We thank all of our private-sector partners for their diligence in analyzing, publicizing, and combating the threat posed by these illicit state-coordinated actions in the Northern District of California, across the United States, and around the world.”\r\nThe domain names are identified below:\r\nhttps://www.justice.gov/opa/pr/justice-department-disrupts-russian-intelligence-spear-phishing-efforts\r\nPage 1 of 4\r\nAccording to the partially unsealed affidavit filed in support of the government’s seizure warrant, the seized domains were used by hackers belonging to, or criminal proxies working for, the “Callisto Group,” an operational unit within Center 18 of the Russian Federal Security Service (the FSB), to commit violations of unauthorized access to a computer to obtain information from a department or agency of the United States, unauthorized access to a computer to obtain information from a protected computer, and causing damage to a protected computer.\r\nCallisto Group hackers used the seized domains in an ongoing and 
sophisticated spear-phishing campaign with the goal of gaining unauthorized access to, and stealing valuable information from, the computers and email accounts of U.S. government and other victims.\r\nIn conjunction, Microsoft announced the filing of a civil action to seize 66 internet domains also used by Callisto Group actors. Microsoft Threat Intelligence tracks this group as “Star Blizzard” (formerly SEABORGIUM, also known as COLDRIVER).\r\nBetween January 2023 and August 2024, Microsoft observed Star Blizzard target over 30 civil society entities and organizations – journalists, think tanks, and nongovernmental organizations (NGOs) – by deploying spear-phishing campaigns to exfiltrate sensitive information and interfere in their activities.\r\nThe government’s affidavit alleges the Callisto Group actors targeted, among others, U.S.-based companies, former employees of the U.S. Intelligence Community, former and current Department of Defense and Department of State employees, U.S. military defense contractors, and staff at the Department of Energy. In December 2023, the Department announced charges against two Callisto-affiliated actors, Ruslan Aleksandrovich Peretyatko (Перетятько Руслан Александрович), an officer in FSB Center 18, and Andrey Stanislavovich Korinets (Коринец Андрей Станиславович). The indictment charged the defendants with a campaign to hack into computer networks in the United States, the United Kingdom, other North Atlantic Treaty Organization member countries, and Ukraine, all on behalf of the Russian government.\r\nThe FBI San Francisco Field Office is investigating the case.\r\nThe U.S. 
Attorney’s Office for the Northern District of California and the Justice Department’s National Security Cyber Section of the National Security Division are prosecuting the case.\r\nThe case is docketed at Application by the United States for a Seizure Warrant for 41 Domain Names For Investigation of 18 U.S.C. § 1956(a)(2)(A) and Other Offenses, No. 4-24-71375 (N.D. Cal. Sept. 16, 2024).\r\nAn affidavit in support of a seizure warrant and an indictment are merely allegations. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.\r\nSource: https://www.justice.gov/opa/pr/justice-department-disrupts-russian-intelligence-spear-phishing-efforts",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.justice.gov/opa/pr/justice-department-disrupts-russian-intelligence-spear-phishing-efforts"
	],
	"report_names": [
		"justice-department-disrupts-russian-intelligence-spear-phishing-efforts"
	],
	"threat_actors": [
		{
			"id": "5dae3c71-8be1-4591-a2fb-b851ea6f083d",
			"created_at": "2022-10-25T16:07:23.432642Z",
			"updated_at": "2026-04-10T02:00:04.600341Z",
			"deleted_at": null,
			"main_name": "Callisto Group",
			"aliases": [],
			"source_name": "ETDA:Callisto Group",
			"tools": [
				"RCS Galileo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "79bd28a6-dc10-419b-bee7-25511ae9d3d4",
			"created_at": "2023-01-06T13:46:38.581534Z",
			"updated_at": "2026-04-10T02:00:03.029872Z",
			"deleted_at": null,
			"main_name": "Callisto",
			"aliases": [
				"BlueCharlie",
				"Star Blizzard",
				"TAG-53",
				"Blue Callisto",
				"TA446",
				"IRON FRONTIER",
				"UNC4057",
				"COLDRIVER",
				"SEABORGIUM",
				"GOSSAMER BEAR"
			],
			"source_name": "MISPGALAXY:Callisto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aedca2f-6f6c-4470-af26-a46097d3eab5",
			"created_at": "2024-11-01T02:00:52.689773Z",
			"updated_at": "2026-04-10T02:00:05.396502Z",
			"deleted_at": null,
			"main_name": "Star Blizzard",
			"aliases": [
				"Star Blizzard",
				"SEABORGIUM",
				"Callisto Group",
				"TA446",
				"COLDRIVER"
			],
			"source_name": "MITRE:Star Blizzard",
			"tools": [
				"Spica"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2d06d270-acfd-4db8-83a8-4ff68b9b1ada",
			"created_at": "2022-10-25T16:07:23.477794Z",
			"updated_at": "2026-04-10T02:00:04.625004Z",
			"deleted_at": null,
			"main_name": "Cold River",
			"aliases": [
				"Blue Callisto",
				"BlueCharlie",
				"Calisto",
				"Cobalt Edgewater",
				"Gossamer Bear",
				"Grey Pro",
				"IRON FRONTIER",
				"Mythic Ursa",
				"Nahr Elbard",
				"Nahr el bared",
				"Seaborgium",
				"Star Blizzard",
				"TA446",
				"TAG-53",
				"UNC4057"
			],
			"source_name": "ETDA:Cold River",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"DNSpionage",
				"LOSTKEYS",
				"SPICA"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a057a97-db21-4261-804b-4b071a03c124",
			"created_at": "2024-06-04T02:03:07.953282Z",
			"updated_at": "2026-04-10T02:00:03.813595Z",
			"deleted_at": null,
			"main_name": "IRON FRONTIER",
			"aliases": [
				"Blue Callisto",
				"BlueCharlie",
				"CALISTO",
				"COLDRIVER",
				"Callisto Group",
				"GOSSAMER BEAR",
				"SEABORGIUM",
				"Star Blizzard",
				"TA446"
			],
			"source_name": "Secureworks:IRON FRONTIER",
			"tools": [
				"Evilginx2",
				"Galileo RCS",
				"SPICA"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775490750,
	"ts_updated_at": 1775792142,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/58ebde5edfe5c246dd638b335391bd260ff619f4.pdf",
		"text": "https://archive.orkl.eu/58ebde5edfe5c246dd638b335391bd260ff619f4.txt",
		"img": "https://archive.orkl.eu/58ebde5edfe5c246dd638b335391bd260ff619f4.jpg"
	}
}