{
	"id": "d21ba5ad-6ecd-4d87-9f4f-e49053a8b94e",
	"created_at": "2026-04-06T00:15:06.411904Z",
	"updated_at": "2026-04-10T13:13:06.315854Z",
	"deleted_at": null,
	"sha1_hash": "fbd5cc78560be9ae2eb0ad18fdb093122fbd11c3",
	"title": "Tracking cyber activity in Eastern Europe",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 39843,
	"plain_text": "Tracking cyber activity in Eastern Europe\r\nBy Billy Leonard\r\nPublished: 2022-03-30 · Archived: 2026-04-05 13:23:59 UTC\r\nIn early March, Google’s Threat Analysis Group (TAG) published an update on the cyber activity it was tracking with regard to the war in Ukraine. Since our last update, TAG has observed a continuously growing number of threat actors using the war as a lure in phishing and malware campaigns. Government-backed actors from China, Iran, North Korea and Russia, as well as various unattributed groups, have used various Ukraine war-related themes in an effort to get targets to open malicious emails or click malicious links.\r\nFinancially motivated and criminal actors are also using current events as a means for targeting users. For example, one actor is impersonating military personnel to extort money for rescuing relatives in Ukraine. TAG has also continued to observe multiple ransomware brokers continuing to operate in a business-as-usual sense.\r\nAs always, we continue to publish details surrounding the actions we take against coordinated influence operations in our quarterly TAG bulletin. We promptly identify and remove any such content, but have not observed any significant shifts from the normal levels of activity that occur in the region.\r\nHere is a deeper look at the campaign activity TAG has observed over the past two weeks:\r\nCurious Gorge, a group TAG attributes to China's PLA SSF, has conducted campaigns against government and military organizations in Ukraine, Russia, Kazakhstan, and Mongolia. While this activity largely does not impact Google products, we remain engaged and are providing notifications to victim organizations.\r\nRecently observed IPs used in Curious Gorge campaigns:\r\n5.188.108[.]119\r\n91.216.190[.]58\r\n103.27.186[.]23\r\n114.249.31[.]171\r\n45.154.12[.]167\r\nCOLDRIVER, a Russia-based threat actor sometimes referred to as Calisto, has launched credential phishing campaigns targeting several US-based NGOs and think tanks, the military of a Balkans country, and a Ukraine-based defense contractor. However, for the first time, TAG has observed COLDRIVER campaigns targeting the military of multiple Eastern European countries, as well as a NATO Centre of Excellence. These campaigns were sent using newly created Gmail accounts to non-Google accounts, so the success rate of these campaigns is unknown. We have not observed any Gmail accounts successfully compromised during these campaigns.\r\nRecently observed COLDRIVER credential phishing domains:\r\nprotect-link[.]online\r\ndrive-share[.]live\r\nprotection-office[.]live\r\nproton-viewer[.]com\r\nGhostwriter, a Belarusian threat actor, recently introduced a new capability into their credential phishing campaigns. In mid-March, a security researcher released a blog post detailing a 'Browser in the Browser' phishing technique. While TAG has previously observed this technique being used by multiple government-backed actors, the media picked up on this blog post, publishing several stories highlighting this phishing capability. Ghostwriter actors have quickly adopted this new technique, combining it with a previously observed technique, hosting credential phishing landing pages on compromised sites. The new technique, displayed below, draws a login page that appears to be on the passport.i.ua domain on top of the page hosted on the compromised site. Once a user provides credentials in the dialog, they are posted to an attacker-controlled domain.\r\nFigure: Example of hosting credential phishing landing pages on compromised sites\r\nRecently observed Ghostwriter credential phishing domains:\r\nlogin-verification[.]top\r\nlogin-verify[.]top\r\nua-login[.]top\r\nsecure-ua[.]space\r\nsecure-ua[.]top\r\nThe team continues to work around the clock, focusing on the safety and security of our users and the platforms that help them access and share important information. We’ll continue to take action, identify bad actors and share relevant information with others across industry and governments, with the goal of bringing awareness to these issues, protecting users and preventing future attacks. While we are actively monitoring activity related to Ukraine and Russia, we continue to be just as vigilant in relation to other threat actors globally, to ensure that they do not take advantage of everyone’s focus on this region.\r\nSource: https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe/"
	],
	"report_names": [
		"tracking-cyber-activity-eastern-europe"
	],
	"threat_actors": [
		{
			"id": "648e7c31-30eb-4ff2-8685-01ba3766192b",
			"created_at": "2023-01-06T13:46:39.355652Z",
			"updated_at": "2026-04-10T02:00:03.29804Z",
			"deleted_at": null,
			"main_name": "Curious Gorge",
			"aliases": [
				"UNC3742"
			],
			"source_name": "MISPGALAXY:Curious Gorge",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "79bd28a6-dc10-419b-bee7-25511ae9d3d4",
			"created_at": "2023-01-06T13:46:38.581534Z",
			"updated_at": "2026-04-10T02:00:03.029872Z",
			"deleted_at": null,
			"main_name": "Callisto",
			"aliases": [
				"BlueCharlie",
				"Star Blizzard",
				"TAG-53",
				"Blue Callisto",
				"TA446",
				"IRON FRONTIER",
				"UNC4057",
				"COLDRIVER",
				"SEABORGIUM",
				"GOSSAMER BEAR"
			],
			"source_name": "MISPGALAXY:Callisto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aedca2f-6f6c-4470-af26-a46097d3eab5",
			"created_at": "2024-11-01T02:00:52.689773Z",
			"updated_at": "2026-04-10T02:00:05.396502Z",
			"deleted_at": null,
			"main_name": "Star Blizzard",
			"aliases": [
				"Star Blizzard",
				"SEABORGIUM",
				"Callisto Group",
				"TA446",
				"COLDRIVER"
			],
			"source_name": "MITRE:Star Blizzard",
			"tools": [
				"Spica"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8a33d3ac-14ba-441c-92c1-39975e9e1a73",
			"created_at": "2023-01-06T13:46:39.195689Z",
			"updated_at": "2026-04-10T02:00:03.243054Z",
			"deleted_at": null,
			"main_name": "Ghostwriter",
			"aliases": [
				"UAC-0057",
				"UNC1151",
				"TA445",
				"PUSHCHA",
				"Storm-0257",
				"DEV-0257"
			],
			"source_name": "MISPGALAXY:Ghostwriter",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2d06d270-acfd-4db8-83a8-4ff68b9b1ada",
			"created_at": "2022-10-25T16:07:23.477794Z",
			"updated_at": "2026-04-10T02:00:04.625004Z",
			"deleted_at": null,
			"main_name": "Cold River",
			"aliases": [
				"Blue Callisto",
				"BlueCharlie",
				"Calisto",
				"Cobalt Edgewater",
				"Gossamer Bear",
				"Grey Pro",
				"IRON FRONTIER",
				"Mythic Ursa",
				"Nahr Elbard",
				"Nahr el bared",
				"Seaborgium",
				"Star Blizzard",
				"TA446",
				"TAG-53",
				"UNC4057"
			],
			"source_name": "ETDA:Cold River",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"DNSpionage",
				"LOSTKEYS",
				"SPICA"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "affb8b7a-fd2b-4764-8c61-f85b04284302",
			"created_at": "2022-10-25T16:07:23.508429Z",
			"updated_at": "2026-04-10T02:00:04.633991Z",
			"deleted_at": null,
			"main_name": "Curious Gorge",
			"aliases": [],
			"source_name": "ETDA:Curious Gorge",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a057a97-db21-4261-804b-4b071a03c124",
			"created_at": "2024-06-04T02:03:07.953282Z",
			"updated_at": "2026-04-10T02:00:03.813595Z",
			"deleted_at": null,
			"main_name": "IRON FRONTIER",
			"aliases": [
				"Blue Callisto",
				"BlueCharlie",
				"CALISTO",
				"COLDRIVER",
				"Callisto Group",
				"GOSSAMER BEAR",
				"SEABORGIUM",
				"Star Blizzard",
				"TA446"
			],
			"source_name": "Secureworks:IRON FRONTIER",
			"tools": [
				"Evilginx2",
				"Galileo RCS",
				"SPICA"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434506,
	"ts_updated_at": 1775826786,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fbd5cc78560be9ae2eb0ad18fdb093122fbd11c3.pdf",
		"text": "https://archive.orkl.eu/fbd5cc78560be9ae2eb0ad18fdb093122fbd11c3.txt",
		"img": "https://archive.orkl.eu/fbd5cc78560be9ae2eb0ad18fdb093122fbd11c3.jpg"
	}
}