{
	"id": "5db955b3-8d75-4c1a-80ff-55754c3422f1",
	"created_at": "2026-04-06T00:18:10.328764Z",
	"updated_at": "2026-04-10T03:35:41.655133Z",
	"deleted_at": null,
	"sha1_hash": "e0ad33227ea2b3fdaf0eef11ee69cdcb62793b25",
	"title": "BlueCharlie, Previously Tracked as TAG-53, Continues to Deploy New Infrastructure in 2023 | Recorded Future",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 502094,
	"plain_text": "BlueCharlie, Previously Tracked as TAG-53, Continues to Deploy\r\nNew Infrastructure in 2023 | Recorded Future\r\nBy Insikt Group\r\nArchived: 2026-04-05 13:08:18 UTC\r\nInsikt Group has been tracking the threat activity group BlueCharlie, associated with the Russia-nexus group\r\nCallisto/Calisto, COLDRIVER, and Star Blizzard/SEABORGIUM. BlueCharlie, a Russia-linked threat group\r\nactive since 2017, focuses on information gathering for espionage and hack-and-leak operations. BlueCharlie has\r\nevolved its tactics, techniques, and procedures (TTPs) and built new infrastructure, indicating sophistication in\r\nadapting to public disclosures and improving operations security. While specific victims are unknown, past targets\r\ninclude government, defense, education, political sectors, NGOs, journalists, and think tanks.\r\nBreakdown of terms used in BlueCharlie activity since November 2022\r\nRecently, Insikt Group observed BlueCharlie build new infrastructure for likely use in phishing campaigns and/or\r\ncredential harvesting, which consists of 94 new domains. Several of the TTPs seen in the recent operation depart\r\nfrom past activity, suggesting that BlueCharlie is evolving its operations, potentially in response to public\r\ndisclosures of its operations in industry reporting. Since Insikt Group’s initial tracking of the group in September\r\n2022, we have observed BlueCharlie engage in several TTP shifts. 
These shifts demonstrate that these threat\r\nactors are aware of industry reporting and show a certain level of sophistication in their efforts to obfuscate or\r\nmodify their activity, aiming to stymie security researchers.\r\nTo counter BlueCharlie's threat, network defenders should enhance phishing defenses, implement FIDO2-\r\ncompliant multi-factor authentication, use threat intelligence, and educate third-party vendors. BlueCharlie's\r\ncontinued use of phishing and its historical adaptation to public reporting suggest it will remain active and evolve\r\nfurther in its operations.\r\nTo read the entire analysis with endnotes, click here to download the report as a PDF.\r\nAppendix A — Indicators of Compromise\r\nBlueCharlie Domains:\r\nBlueCharlie IP Addresses:\r\nAppendix B — MITRE ATT\u0026CK Techniques\r\nTactic: Technique ATT\u0026CK Code\r\nReconnaissance: Phishing for Information T1598\r\nResource Development: Stage Capabilities T1608\r\nSource: https://www.recordedfuture.com/research/bluecharlie-previously-tracked-as-tag-53-continues-to-deploy-new-infrastructure-in-2023",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.recordedfuture.com/research/bluecharlie-previously-tracked-as-tag-53-continues-to-deploy-new-infrastructure-in-2023"
	],
	"report_names": [
		"bluecharlie-previously-tracked-as-tag-53-continues-to-deploy-new-infrastructure-in-2023"
	],
	"threat_actors": [
		{
			"id": "79bd28a6-dc10-419b-bee7-25511ae9d3d4",
			"created_at": "2023-01-06T13:46:38.581534Z",
			"updated_at": "2026-04-10T02:00:03.029872Z",
			"deleted_at": null,
			"main_name": "Callisto",
			"aliases": [
				"BlueCharlie",
				"Star Blizzard",
				"TAG-53",
				"Blue Callisto",
				"TA446",
				"IRON FRONTIER",
				"UNC4057",
				"COLDRIVER",
				"SEABORGIUM",
				"GOSSAMER BEAR"
			],
			"source_name": "MISPGALAXY:Callisto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aedca2f-6f6c-4470-af26-a46097d3eab5",
			"created_at": "2024-11-01T02:00:52.689773Z",
			"updated_at": "2026-04-10T02:00:05.396502Z",
			"deleted_at": null,
			"main_name": "Star Blizzard",
			"aliases": [
				"Star Blizzard",
				"SEABORGIUM",
				"Callisto Group",
				"TA446",
				"COLDRIVER"
			],
			"source_name": "MITRE:Star Blizzard",
			"tools": [
				"Spica"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2d06d270-acfd-4db8-83a8-4ff68b9b1ada",
			"created_at": "2022-10-25T16:07:23.477794Z",
			"updated_at": "2026-04-10T02:00:04.625004Z",
			"deleted_at": null,
			"main_name": "Cold River",
			"aliases": [
				"Blue Callisto",
				"BlueCharlie",
				"Calisto",
				"Cobalt Edgewater",
				"Gossamer Bear",
				"Grey Pro",
				"IRON FRONTIER",
				"Mythic Ursa",
				"Nahr Elbard",
				"Nahr el bared",
				"Seaborgium",
				"Star Blizzard",
				"TA446",
				"TAG-53",
				"UNC4057"
			],
			"source_name": "ETDA:Cold River",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"DNSpionage",
				"LOSTKEYS",
				"SPICA"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a057a97-db21-4261-804b-4b071a03c124",
			"created_at": "2024-06-04T02:03:07.953282Z",
			"updated_at": "2026-04-10T02:00:03.813595Z",
			"deleted_at": null,
			"main_name": "IRON FRONTIER",
			"aliases": [
				"Blue Callisto ",
				"BlueCharlie ",
				"CALISTO ",
				"COLDRIVER ",
				"Callisto Group ",
				"GOSSAMER BEAR ",
				"SEABORGIUM ",
				"Star Blizzard ",
				"TA446 "
			],
			"source_name": "Secureworks:IRON FRONTIER",
			"tools": [
				"Evilginx2",
				"Galileo RCS",
				"SPICA"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434690,
	"ts_updated_at": 1775792141,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e0ad33227ea2b3fdaf0eef11ee69cdcb62793b25.pdf",
		"text": "https://archive.orkl.eu/e0ad33227ea2b3fdaf0eef11ee69cdcb62793b25.txt",
		"img": "https://archive.orkl.eu/e0ad33227ea2b3fdaf0eef11ee69cdcb62793b25.jpg"
	}
}