{
	"id": "9027bc92-bb73-477b-bd43-381cbf9e67ea",
	"created_at": "2026-04-06T00:10:46.479266Z",
	"updated_at": "2026-04-10T03:35:41.639075Z",
	"deleted_at": null,
	"sha1_hash": "ca71d44a9109d6fa5cd4a2f05fda233177e5e216",
	"title": "Blue Callisto orbits around US Laboratories in 2022",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1234340,
	"plain_text": "Blue Callisto orbits around US Laboratories in 2022\r\nBy PricewaterhouseCoopers\r\nArchived: 2026-04-05 16:42:41 UTC\r\nBlue Callisto (a.k.a. SEABORGIUM [1], Callisto Group [2]) is likely a Russia-based threat actor which has primarily conducted phishing attacks for espionage purposes since at least 2017. The threat actor is interested in acquiring credentials from US and European government officials and from organisations linked to national security matters. In 2017 it was reported that the threat actor targeted the UK Foreign Office [3], and we have also observed its interest in UK and US universities in 2020 and 2022 [4]. Since the Russo-Ukrainian war began in 2022, we have observed Blue Callisto taking an increased interest in Ukraine, targeting at least one private Ukrainian company related to logistics. We assess Blue Callisto is highly likely still primarily focused on governmental organisations based in Europe and the US.\r\nIn this blog post we detail 2022 phishing activity the PwC threat intelligence team attributes to Blue Callisto and list indicators for defenders to query. The activity ranges from February 2022 to October 2022. Some of the domains resolve to IPs which we assess are likely operated by Blue Callisto to serve fake webpages and gather credentials as of 24th October 2022.\r\nFingerprinting activity\r\nIn February 2022, we observed a domain we attribute to Blue Callisto with likely confidence redirecting to a different domain, which we also assess is likely Blue Callisto due to the similarities in technologies, network providers and infrastructure setup [5]. When visiting the domain cache-dns-forwarding[.]com a user is redirected to accounts[.]hypertexttech[.]com due to a remote script shown in Figure 1. 
The remote script was located on hypertextteches[.]com.\r\nFigure 1 – JavaScript code link observed on cache-dns-forwarding[.]com\r\nhttps://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/blue-callisto-orbits-around-us.html\r\nPage 1 of 8\r\nThe web response from the remote script was obfuscated JavaScript code created by a popular JavaScript obfuscator [6], which uses a combination of the following characters: ![ ]() as shown in Figure 2.\r\nFigure 2 – Obfuscated JavaScript code\r\nThe deobfuscated code contains multiple client-side checks, shown in Figure 3, to determine whether the request should be redirected or not. We assess it is likely the threat actor is using this code to identify automated scanners and antivirus technologies, and block them from the final phishing URL. The code queries several browser window properties, such as:\r\nwindow.webdriver;\r\nwindow.domAutomation; and,\r\nwindow.spawn.\r\nIf the code does not identify any problems with the request, the script redirects to the following URL:\r\nhxxps[:]//hypertextteches[.]com/patrified.php\r\nFigure 3 – Deobfuscated code\r\nMicrosoft referenced Blue Callisto fingerprinting browser behaviour in one of its public blogs [7]. We assess the fingerprinting JavaScript methods and code are likely similar to the deobfuscated code we have observed. The JavaScript redirect passes through several further redirections before reaching its final URL: a Google-themed phishing page shown in Figure 4. 
An example redirection chain is listed below:\r\nhxxps[:]//hypertextteches[.]com/patrified.php\r\nhxxps[:]//accounts[.]hypertexttech[.]com/oOzMeNTe?FtC=DLOJmne17BQw5JRQ74YDgmHxR52d0Ng\r\nhxxps[:]//accounts[.]hypertexttech[.]com/signin/v2/identifier?passive=1209600\u0026continue=https%3A%2F%2Faccounts[.]google[.]com%2F\u0026followup=https%3A%2F%2Faccounts[.]google[.]com%2F\u0026flowName=GlifWebSignIn\u0026flowEntry=ServiceLogin\r\nhxxps[:]//accounts[.]hypertexttech[.]com/ServiceLogin?continue=https%3A%2F%2Faccounts[.]google[.]com%2F\u0026flowEntry=ServiceLogin\u0026flowName=GlifWebSignIn\u0026followup=https%3A%2F%2Faccounts[.]google[.]com%2F\u0026passive=1209600\r\nFigure 4 – Google-themed phishing page\r\nThe phishing page contains an email address that we assess is likely used by Blue Callisto for testing. The page statically sets the email address value to tr333lopex as shown in Figure 5.\r\nFigure 5 – Statically set email observed in code\r\nUS National Labs interest\r\nBlue Callisto often inputs emails of interest statically into form input fields. In one of these instances, we observed phishing activity spoofing US National Laboratories in July 2022. Specifically, on 12th June 2022 we observed the registration of the domain goo-ink[.]online, which resolved to 89.147.108[.]182 from 25th July 2022 (an IP which we assess is phishing infrastructure used by Blue Callisto). The goo-ink[.]online domain hosted a Brookhaven National Laboratory phishing page, statically setting a Brookhaven Lab email in the input form field as shown in Figure 6. The email address of interest observed on the phishing page is linked to non-proliferation and accountability initiatives for nuclear materials in Russia and elsewhere. 
During this phishing activity we also observed interest by Blue Callisto in Lawrence Livermore National Laboratory, based on URLs we observed on goo-ink[.]online.\r\nFigure 6 – Brookhaven National Laboratory phishing page\r\nIn August 2022, Microsoft reported on Blue Callisto infrastructure that it had taken action against [8], including the domain goo-link[.]online. This domain was registered on 21st April 2022, started to resolve to the IP address 93.95.227[.]41 on 22nd April 2022, and was used for phishing activity. A comparison of the two domains' attributes, server features and headers is shown in Table 1. We assess both domains are likely Blue Callisto activity.\r\nAttribute | goo-link[.]online | goo-ink[.]online\r\nRegistrar | Hostinger | Hostinger\r\nServer technology | Apache 2.4.37 | Apache 2.4.37\r\nServer technology | OpenSSL 1.1.1k | OpenSSL 1.1.1k\r\nIP resolution | 93.95.227[.]41 | 89.147.108[.]182\r\nIP ASN | 1984-Ehf (AS44925) | 1984-Ehf (AS44925)\r\nObservations | Phishing | Phishing\r\nTable 1 – Domain attributes and links\r\nConclusion\r\nDespite limited observations of broad activity, Blue Callisto is highly likely to remain active. In October 2022, we observed the threat actor's interest in an organisation which investigates war crimes, a target that would broadly align with a Russia-based threat group’s collection objectives. The threat actor’s tools, techniques and procedures (TTPs) shifted slightly during 2022, for example in network provider preferences and in the use of phishing technologies such as Evilginx. 
However, the threat actor continues to use some TTPs observed as far back as 2019 and continues to enjoy success from its phishing activity using legacy tradecraft.\r\nIndicators of Compromise\r\nIndicator | Type\r\ncache-dns-forwarding[.]com | Domain\r\naccounts[.]hypertexttech[.]com | Domain\r\nhypertextteches[.]com | Domain\r\ngoo-link[.]online | Domain\r\ngoo-ink[.]online | Domain\r\nhxxps[:]//hypertextteches[.]com/patrified.php | URL\r\nhxxps[:]//accounts[.]hypertexttech[.]com/oOzMeNTe?FtC=DLOJmne17BQw5JRQ74YDgmHxR52d0Ng | URL\r\nhxxps[:]//accounts[.]hypertexttech[.]com/signin/v2/identifier?passive=1209600\u0026continue=https%3A%2F%2Faccounts[.]google[.]com%2F\u0026followup=https%3A%2F%2Faccounts[.]google[.]com%2F\u0026flowName=GlifWebSignIn\u0026flowEntry=ServiceLogin | URL\r\nhxxps[:]//accounts[.]hypertexttech[.]com/ServiceLogin?continue=https%3A%2F%2Faccounts[.]google[.]com%2F\u0026flowEntry=ServiceLogin\u0026flowName=GlifWebSignIn\u0026followup=https%3A%2F%2Faccounts[.]google[.]com%2F\u0026passive=1209600 | URL\r\n93.95.227[.]41 | IPv4 Address\r\n89.147.108[.]182 | IPv4 Address\r\n92.38.169[.]241 | IPv4 Address\r\n138.124.187[.]128 | IPv4 Address\r\n185.164.172[.]128 | IPv4 Address\r\n37.9.35[.]62 | IPv4 Address\r\n92.38.176[.]66 | IPv4 Address\r\nMITRE ATT\u0026CK\r\nPhishing: Spearphishing Link - https://attack.mitre.org/techniques/T1566/002/\r\nCommand and Scripting Interpreter: JavaScript - https://attack.mitre.org/techniques/T1059/007/\r\nDeobfuscate/Decode Files or Information - https://attack.mitre.org/techniques/T1140/\r\nSystem Information Discovery - https://attack.mitre.org/techniques/T1082/\r\nFootnotes\r\n[1] 'Disrupting SEABORGIUM’s ongoing phishing operations', 
Microsoft, https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/ (15th August 2022)\r\n[2] 'Callisto Group', F-Secure, https://www.f-secure.com/content/dam/f-secure/en/labs/whitepapers/Callisto_Group.pdf (n.d.)\r\n[3] 'Callisto Group hackers targeted Foreign Office data', BBC News, https://www.bbc.co.uk/news/technology-39588703 (13th April 2017)\r\n[4] CTO-TIB-20200820-01A - Callisto targets UK Government and Universities\r\n[5] CTO-TIB-20220511-01A - Tracking Callisto infrastructure\r\n[6] 'JSFuck', JSFuck, http://www.jsfuck.com/\r\n[8] 'Disrupting SEABORGIUM’s ongoing phishing operations', Microsoft, https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/ (15th August 2022)\r\n[9] 'Disrupting SEABORGIUM’s ongoing phishing operations', Microsoft, https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/ (15th August 2022)\r\nSource: https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/blue-callisto-orbits-around-us.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/blue-callisto-orbits-around-us.html"
	],
	"report_names": [
		"blue-callisto-orbits-around-us.html"
	],
	"threat_actors": [
		{
			"id": "5dae3c71-8be1-4591-a2fb-b851ea6f083d",
			"created_at": "2022-10-25T16:07:23.432642Z",
			"updated_at": "2026-04-10T02:00:04.600341Z",
			"deleted_at": null,
			"main_name": "Callisto Group",
			"aliases": [],
			"source_name": "ETDA:Callisto Group",
			"tools": [
				"RCS Galileo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "79bd28a6-dc10-419b-bee7-25511ae9d3d4",
			"created_at": "2023-01-06T13:46:38.581534Z",
			"updated_at": "2026-04-10T02:00:03.029872Z",
			"deleted_at": null,
			"main_name": "Callisto",
			"aliases": [
				"BlueCharlie",
				"Star Blizzard",
				"TAG-53",
				"Blue Callisto",
				"TA446",
				"IRON FRONTIER",
				"UNC4057",
				"COLDRIVER",
				"SEABORGIUM",
				"GOSSAMER BEAR"
			],
			"source_name": "MISPGALAXY:Callisto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aedca2f-6f6c-4470-af26-a46097d3eab5",
			"created_at": "2024-11-01T02:00:52.689773Z",
			"updated_at": "2026-04-10T02:00:05.396502Z",
			"deleted_at": null,
			"main_name": "Star Blizzard",
			"aliases": [
				"Star Blizzard",
				"SEABORGIUM",
				"Callisto Group",
				"TA446",
				"COLDRIVER"
			],
			"source_name": "MITRE:Star Blizzard",
			"tools": [
				"Spica"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2d06d270-acfd-4db8-83a8-4ff68b9b1ada",
			"created_at": "2022-10-25T16:07:23.477794Z",
			"updated_at": "2026-04-10T02:00:04.625004Z",
			"deleted_at": null,
			"main_name": "Cold River",
			"aliases": [
				"Blue Callisto",
				"BlueCharlie",
				"Calisto",
				"Cobalt Edgewater",
				"Gossamer Bear",
				"Grey Pro",
				"IRON FRONTIER",
				"Mythic Ursa",
				"Nahr Elbard",
				"Nahr el bared",
				"Seaborgium",
				"Star Blizzard",
				"TA446",
				"TAG-53",
				"UNC4057"
			],
			"source_name": "ETDA:Cold River",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"DNSpionage",
				"LOSTKEYS",
				"SPICA"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a057a97-db21-4261-804b-4b071a03c124",
			"created_at": "2024-06-04T02:03:07.953282Z",
			"updated_at": "2026-04-10T02:00:03.813595Z",
			"deleted_at": null,
			"main_name": "IRON FRONTIER",
			"aliases": [
				"Blue Callisto ",
				"BlueCharlie ",
				"CALISTO ",
				"COLDRIVER ",
				"Callisto Group ",
				"GOSSAMER BEAR ",
				"SEABORGIUM ",
				"Star Blizzard ",
				"TA446 "
			],
			"source_name": "Secureworks:IRON FRONTIER",
			"tools": [
				"Evilginx2",
				"Galileo RCS",
				"SPICA"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434246,
	"ts_updated_at": 1775792141,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ca71d44a9109d6fa5cd4a2f05fda233177e5e216.pdf",
		"text": "https://archive.orkl.eu/ca71d44a9109d6fa5cd4a2f05fda233177e5e216.txt",
		"img": "https://archive.orkl.eu/ca71d44a9109d6fa5cd4a2f05fda233177e5e216.jpg"
	}
}