{
	"id": "9a3b8d59-9f98-4931-aa1a-c6a0522ebf07",
	"created_at": "2026-04-06T00:11:17.757658Z",
	"updated_at": "2026-04-10T13:11:58.188878Z",
	"deleted_at": null,
	"sha1_hash": "786a7f5eb963ce483b078b836ca7238db6ae4f3c",
	"title": "CALISTO continues its credential harvesting campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 152193,
	"plain_text": "CALISTO continues its credential harvesting campaign\r\nBy Felix Aimé and Sekoia TDR\r\nPublished: 2022-06-22 · Archived: 2026-04-05 16:01:28 UTC\r\nThis blog post on the CALISTO threat actor is an extract of a FLINT report (Sekoia.io Flash Intelligence) sent to our clients on June 16, 2022.\r\nOn March 30, 2022, Google TAG published several IOCs related to Calisto, a Russia-nexus threat actor also known as COLDRIVER, which has targeted several Western NGOs, think tanks and the defense sector in the past. According to Google TAG, the operators used freshly created Gmail accounts to carry out a spear-phishing campaign.\r\nBased on TAG’s findings, Calisto used, at least on one occasion, decoy documents hosted on Google Docs and Microsoft OneDrive to entice the victim into clicking a link leading to the phishing domain, which purports to display the document’s content. The tactic uses a legitimate service as a proxy for credential phishing: since the email itself no longer contains a malicious link, it is more likely to pass the controls of the victim’s mail gateway.\r\nAdditionally, TAG uncovered that on April 21, 2022, a new website named “Very English Coop d’Etat” surfaced. This website allegedly aims to reveal a plot related to Brexit. However, as noted by security researcher Costin Raiu on Twitter, at least one leaked document appears to be a forgery by the attackers. Based on the design, method and screenshots used, this activity resembles the “Hack and Leak” campaigns operated between 2015 and 2019 and associated with the Russia-nexus intrusion sets SOFACY and HADES.\r\nEven though the new website resembles the earlier SOFACY ones, Google TAG stated in an interview with Reuters that they had been able to “technically link this website to CALISTO operations”, without disclosing the technical details behind this attribution.
As of today, while weak links can be drawn between the TTPs of past GRU-associated cyber operations and this documented activity, Sekoia.io refrains from attributing CALISTO’s operations to the Russian intelligence and security services.\r\nInfrastructure analysis of CALISTO\r\nFollowing these two publications, Sekoia.io investigated the Calisto phishing domains in order to protect our customers. CALISTO runs Evilginx on its VPSs to capture the victim’s credentials. This well-known open source tool sets up a TLS reverse proxy between the victim and the legitimate website, capturing the web credentials as well as the authenticated session tokens, which lets the operator bypass 2FA.\r\nIt is worth mentioning that CALISTO operators simply followed the GitHub README of the Evilginx project, configuring the default redirection of some of their VPSs to the YouTube “Rickroll” video. Other servers redirect to the New York Times home page. These two OPSEC failures gave us an easy heuristic to find more servers.\r\nWhile digging deeper, a phishing domain (file-milgov[.]systems) targeting the Ukrainian MOD drew our attention. Unlike the previous CALISTO domains, this one uses a webpage written in PHP to capture credentials. It is worth mentioning that this domain was also caught by Trellix in their article “Growling Bears Make Thunderous Noise”, without attribution.\r\nWhile it does not match our Evilginx heuristic, it was operated in the same network range as several CALISTO domains during the same time frame.
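As an added example that is not part of the Sekoia.io post, the following Python turns the domain list from the IOCs section into a blocklist matcher for DNS or proxy logs (exact domain plus any FQDN beneath it, as the post asks) and encodes the Evilginx default-redirect heuristic described above. The log line format, the sample hostnames and the HTTP response values are constructed for illustration; the YouTube URL is the example redirect_url from the evilginx2 README, which the post says the operators kept, and the NYT home page check reflects the post's second observation.

```python
# Added example, not code from the Sekoia.io post: turns the CALISTO domain
# list into a blocklist matcher for DNS or proxy logs and encodes the Evilginx
# default-redirect heuristic the post describes. The log format, sample
# hostnames and HTTP response values below are constructed for illustration.
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Subset of the IOC list from the post, kept in its defanged form.
CALISTO_DOMAINS = [
    'documents-cloud[.]com',
    'cache-docs[.]com',
    'drive-share[.]live',
    'file-milgov[.]systems',
    'proton-viewer[.]com',
]


def refang(ioc: str) -> str:
    # '[.]' is the usual defanging of the dot; normalise case and strip
    # surrounding whitespace and any trailing root dot from DNS qnames.
    return ioc.replace('[.]', '.').strip().lower().strip('.')


def match_domain(hostname: str, blocklist: List[str]) -> Optional[str]:
    # Match the exact domain and any FQDN beneath it (the post asks to block
    # both); a lookalike such as notcache-docs.com must not match.
    host = refang(hostname)
    for ioc in blocklist:
        dom = refang(ioc)
        if host == dom or host.endswith('.' + dom):
            return dom
    return None


def scan_dns_log(lines: List[str], blocklist: List[str]) -> List[Tuple[str, str, str]]:
    # Constructed log format: '<timestamp> <client-ip> <qname> <qtype>'.
    # Returns (client, normalised qname, matched IOC) for each hit.
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines instead of aborting the scan
        client, qname = parts[1], parts[2]
        ioc = match_domain(qname, blocklist)
        if ioc is not None:
            hits.append((client, refang(qname), ioc))
    return hits


# The evilginx2 README example sets the redirect for unmatched requests to the
# YouTube Rickroll video; the post also saw servers redirecting to the NYT
# home page. Each entry is (host, query fragment that must be present).
EVILGINX_DEFAULT_REDIRECTS = (
    ('www.youtube.com', 'v=dQw4w9WgXcQ'),
    ('www.nytimes.com', ''),
)


def looks_like_evilginx_default(status: int, location: Optional[str]) -> bool:
    # Heuristic only: a bare GET to a suspect host answered with a 3xx whose
    # Location is one of the README-style defaults deserves a closer look.
    if not (300 <= status < 400) or not location:
        return False
    url = urlsplit(location)
    for host, query_marker in EVILGINX_DEFAULT_REDIRECTS:
        if url.netloc.lower() == host and query_marker in url.query:
            return True
    return False


if __name__ == '__main__':
    sample_log = [  # constructed DNS query log lines
        '2022-06-14T09:12:01Z 10.0.0.5 mail.documents-cloud.com. A',
        '2022-06-14T09:12:03Z 10.0.0.5 documents-cloud.org. A',
        '2022-06-14T09:15:44Z 10.0.0.9 FILE-MILGOV.SYSTEMS. AAAA',
        'truncated line',
    ]
    for client, qname, ioc in scan_dns_log(sample_log, CALISTO_DOMAINS):
        print(f'{client} queried {qname} (blocklist entry {ioc})')
    print(looks_like_evilginx_default(302, 'https://www.youtube.com/watch?v=dQw4w9WgXcQ'))
```

The subdomain check requires the leading dot so that a lookalike registered under a different name does not collide with an IOC, and the redirect check is deliberately a hunting heuristic rather than a verdict: a server that answers a bare request with one of these redirects is a candidate to pivot on, as the post did, not a confirmed CALISTO host.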
Given that shared infrastructure, this domain is possibly associated with a CALISTO spear-phishing operation, a link we assess with a low degree of confidence.\r\nAs of today, Sekoia.io has been able to link 24 unique domains running Evilginx to CALISTO operations with medium to high confidence.\r\nIOCs of CALISTO\r\nDomain names\r\nPlease blacklist these domains and the associated FQDNs\r\ndocuments-cloud[.]com\r\ncache-docs[.]com\r\nprotect-link[.]online\r\ndocs-shared[.]com\r\ndocuments-cloud[.]online\r\ndrive-share[.]live\r\nhypertextteches[.]com\r\nproton-docs[.]com\r\ndocs-drive[.]online\r\ncloud-docs[.]com\r\ndrive-docs[.]com\r\nfile-milgov[.]systems\r\ncache-dns[.]com\r\noffice-protection[.]online\r\nproton-view[.]online\r\npdf-shared[.]online\r\nproton-viewer[.]com\r\nprotectionmail[.]online\r\npdf-docs[.]online\r\ndocuments-pdf[.]online\r\ndocs-cache[.]com\r\npdf-cloud[.]online\r\ndocs-info[.]com\r\nprotection-office[.]live\r\nSource: https://blog.sekoia.io/calisto-continues-its-credential-harvesting-campaign",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.sekoia.io/calisto-continues-its-credential-harvesting-campaign"
	],
	"report_names": [
		"calisto-continues-its-credential-harvesting-campaign"
	],
	"threat_actors": [
		{
			"id": "8670f370-1865-4264-9a1b-0dfe7617c329",
			"created_at": "2022-10-25T16:07:23.69953Z",
			"updated_at": "2026-04-10T02:00:04.716126Z",
			"deleted_at": null,
			"main_name": "Hades",
			"aliases": [
				"Operation TrickyMouse"
			],
			"source_name": "ETDA:Hades",
			"tools": [
				"Brave Prince",
				"Gold Dragon",
				"GoldDragon",
				"Lovexxx",
				"Olympic Destroyer",
				"Running RAT",
				"RunningRAT",
				"SOURGRAPE",
				"running_rat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "79bd28a6-dc10-419b-bee7-25511ae9d3d4",
			"created_at": "2023-01-06T13:46:38.581534Z",
			"updated_at": "2026-04-10T02:00:03.029872Z",
			"deleted_at": null,
			"main_name": "Callisto",
			"aliases": [
				"BlueCharlie",
				"Star Blizzard",
				"TAG-53",
				"Blue Callisto",
				"TA446",
				"IRON FRONTIER",
				"UNC4057",
				"COLDRIVER",
				"SEABORGIUM",
				"GOSSAMER BEAR"
			],
			"source_name": "MISPGALAXY:Callisto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aedca2f-6f6c-4470-af26-a46097d3eab5",
			"created_at": "2024-11-01T02:00:52.689773Z",
			"updated_at": "2026-04-10T02:00:05.396502Z",
			"deleted_at": null,
			"main_name": "Star Blizzard",
			"aliases": [
				"Star Blizzard",
				"SEABORGIUM",
				"Callisto Group",
				"TA446",
				"COLDRIVER"
			],
			"source_name": "MITRE:Star Blizzard",
			"tools": [
				"Spica"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2d06d270-acfd-4db8-83a8-4ff68b9b1ada",
			"created_at": "2022-10-25T16:07:23.477794Z",
			"updated_at": "2026-04-10T02:00:04.625004Z",
			"deleted_at": null,
			"main_name": "Cold River",
			"aliases": [
				"Blue Callisto",
				"BlueCharlie",
				"Calisto",
				"Cobalt Edgewater",
				"Gossamer Bear",
				"Grey Pro",
				"IRON FRONTIER",
				"Mythic Ursa",
				"Nahr Elbard",
				"Nahr el bared",
				"Seaborgium",
				"Star Blizzard",
				"TA446",
				"TAG-53",
				"UNC4057"
			],
			"source_name": "ETDA:Cold River",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"DNSpionage",
				"LOSTKEYS",
				"SPICA"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a057a97-db21-4261-804b-4b071a03c124",
			"created_at": "2024-06-04T02:03:07.953282Z",
			"updated_at": "2026-04-10T02:00:03.813595Z",
			"deleted_at": null,
			"main_name": "IRON FRONTIER",
			"aliases": [
				"Blue Callisto ",
				"BlueCharlie ",
				"CALISTO ",
				"COLDRIVER ",
				"Callisto Group ",
				"GOSSAMER BEAR ",
				"SEABORGIUM ",
				"Star Blizzard ",
				"TA446 "
			],
			"source_name": "Secureworks:IRON FRONTIER",
			"tools": [
				"Evilginx2",
				"Galileo RCS",
				"SPICA"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434277,
	"ts_updated_at": 1775826718,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/786a7f5eb963ce483b078b836ca7238db6ae4f3c.pdf",
		"text": "https://archive.orkl.eu/786a7f5eb963ce483b078b836ca7238db6ae4f3c.txt",
		"img": "https://archive.orkl.eu/786a7f5eb963ce483b078b836ca7238db6ae4f3c.jpg"
	}
}