{
	"id": "57df078a-7463-4da7-b376-f3b2e27615c5",
	"created_at": "2026-04-06T00:18:59.074784Z",
	"updated_at": "2026-04-10T03:35:41.999574Z",
	"deleted_at": null,
	"sha1_hash": "fcba815454d0282f48aaf21b34142be95baf3328",
	"title": "Cold River - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 64080,
	"plain_text": "Cold River - Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 17:19:55 UTC\r\n APT group: Cold River\r\nNames\r\nCold River (Lastline)\r\nNahr el bared (original place)\r\nNahr Elbard (transliteration)\r\nCobalt Edgewater (SecureWorks)\r\nTA446 (Proofpoint)\r\nSeaborgium (Microsoft)\r\nTAG-53 (Recorded Future)\r\nBlueCharlie (Recorded Future)\r\nBlue Callisto (PWC)\r\nCalisto (Sekoia)\r\nStar Blizzard (Microsoft)\r\nUNC4057 (Mandiant)\r\nIRON FRONTIER (SecureWorks)\r\nGrey Pro (?)\r\nMythic Ursa (Palo Alto)\r\nGossamer Bear (CrowdStrike)\r\nCountry Russia\r\nSponsor State-sponsored, FSB Centre 18: Centre for Information Security (TsIB)\r\nMotivation Information theft and espionage\r\nFirst seen 2019\r\nDescription (Lastline) While reviewing some network anomalies, we recently uncovered Cold\r\nRiver, a sophisticated threat actor making malicious use of DNS tunneling for\r\ncommand and control activities. We have been able to decode the raw traffic in\r\ncommand and control, find sophisticated lure documents used in the campaign,\r\nconnect other previously unknown samples, and associate a number of legitimate\r\norganizations whose infrastructure is referenced and used in the campaign.\r\nThe campaign targets Middle Eastern organizations largely from the Lebanon and\r\nUnited Arab Emirates, though, Indian and Canadian companies with interests in\r\nthose Middle Eastern countries are also targeted. There are new TTPs used in this\r\nattack – for example Agent_Drable is leveraging the Django python framework for\r\ncommand and control infrastructure, the technical details of which are outlined later\nin the blog.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=00b16489-daf4-4c61-90bf-0ffba2400e98\r\nPage 1 of 3\n\nObserved\nSectors: Defense, NGOs, Think Tanks.\nCountries: Canada, India, Lebanon, UAE, Ukraine, USA, NATO.\nTools used DNSpionage, LOSTKEYS, SPICA.\nOperations performed\nFeb 2022\nBlue Callisto orbits around US Laboratories in 2022\nMar 2022\nCOLDRIVER, a Russian-based threat actor sometimes referred to as\nCalisto, has launched credential phishing campaigns, targeting several\nUS based NGOs and think tanks, the military of a Balkans country, and\na Ukraine based defense contractor. However, for the first time, TAG\nhas observed COLDRIVER campaigns targeting the military of\nmultiple Eastern European countries, as well as a NATO Centre of\nExcellence.\nApr 2022\nCOLDRIVER, a Russian-based threat actor sometimes referred to as\nCallisto, continues to use Gmail accounts to send credential phishing\nemails to a variety of Google and non-Google accounts.\nJul 2022\nExposing TAG-53’s Credential Harvesting Infrastructure Used for\nRussia-Aligned Espionage Operations\nAug 2022\nRussian hackers targeted U.S. nuclear scientists\nNov 2022\nRussian threat group COLDRIVER expands its targeting of Western\nofficials to include the use of malware\nMar 2023\nBlueCharlie, Previously Tracked as TAG 53, Continues to Deploy New\nInfrastructure in 2023\nSep 2024\nRussian pro-democracy nonprofit investigates alleged data breach by\nKremlin-backed hackers\nNov 2024\nNew Star Blizzard spear-phishing campaign targets WhatsApp\naccounts\nJan 2025\nCOLDRIVER Using New Malware To Steal Documents From Western\nTargets and NGOs\nCounter operations\nAug 2022\nDisrupting SEABORGIUM’s ongoing phishing operations\nOct 2024\nProtecting Democratic Institutions from Cyber Threats\nInformation\nLast change to this card: 28 June 2025\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=00b16489-daf4-4c61-90bf-0ffba2400e98",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=00b16489-daf4-4c61-90bf-0ffba2400e98"
	],
	"report_names": [
		"showcard.cgi?u=00b16489-daf4-4c61-90bf-0ffba2400e98"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "79bd28a6-dc10-419b-bee7-25511ae9d3d4",
			"created_at": "2023-01-06T13:46:38.581534Z",
			"updated_at": "2026-04-10T02:00:03.029872Z",
			"deleted_at": null,
			"main_name": "Callisto",
			"aliases": [
				"BlueCharlie",
				"Star Blizzard",
				"TAG-53",
				"Blue Callisto",
				"TA446",
				"IRON FRONTIER",
				"UNC4057",
				"COLDRIVER",
				"SEABORGIUM",
				"GOSSAMER BEAR"
			],
			"source_name": "MISPGALAXY:Callisto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8d76e350-dfb5-4733-800d-876de41f690d",
			"created_at": "2023-01-06T13:46:38.841887Z",
			"updated_at": "2026-04-10T02:00:03.119083Z",
			"deleted_at": null,
			"main_name": "DNSpionage",
			"aliases": [
				"COBALT EDGEWATER"
			],
			"source_name": "MISPGALAXY:DNSpionage",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aedca2f-6f6c-4470-af26-a46097d3eab5",
			"created_at": "2024-11-01T02:00:52.689773Z",
			"updated_at": "2026-04-10T02:00:05.396502Z",
			"deleted_at": null,
			"main_name": "Star Blizzard",
			"aliases": [
				"Star Blizzard",
				"SEABORGIUM",
				"Callisto Group",
				"TA446",
				"COLDRIVER"
			],
			"source_name": "MITRE:Star Blizzard",
			"tools": [
				"Spica"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4632103e-8035-4a83-9ecb-c1e12e21288c",
			"created_at": "2022-10-25T16:07:23.542255Z",
			"updated_at": "2026-04-10T02:00:04.64888Z",
			"deleted_at": null,
			"main_name": "DNSpionage",
			"aliases": [],
			"source_name": "ETDA:DNSpionage",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"CACTUSPIPE",
				"DNSpionage",
				"DropperBackdoor",
				"Karkoff",
				"MailDropper",
				"OILYFACE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "68d50d91-7569-4e09-b155-98b23b23918a",
			"created_at": "2023-01-06T13:46:38.877268Z",
			"updated_at": "2026-04-10T02:00:03.130232Z",
			"deleted_at": null,
			"main_name": "Cold River",
			"aliases": [
				"Nahr Elbard",
				"Nahr el bared"
			],
			"source_name": "MISPGALAXY:Cold River",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2d06d270-acfd-4db8-83a8-4ff68b9b1ada",
			"created_at": "2022-10-25T16:07:23.477794Z",
			"updated_at": "2026-04-10T02:00:04.625004Z",
			"deleted_at": null,
			"main_name": "Cold River",
			"aliases": [
				"Blue Callisto",
				"BlueCharlie",
				"Calisto",
				"Cobalt Edgewater",
				"Gossamer Bear",
				"Grey Pro",
				"IRON FRONTIER",
				"Mythic Ursa",
				"Nahr Elbard",
				"Nahr el bared",
				"Seaborgium",
				"Star Blizzard",
				"TA446",
				"TAG-53",
				"UNC4057"
			],
			"source_name": "ETDA:Cold River",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"DNSpionage",
				"LOSTKEYS",
				"SPICA"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a057a97-db21-4261-804b-4b071a03c124",
			"created_at": "2024-06-04T02:03:07.953282Z",
			"updated_at": "2026-04-10T02:00:03.813595Z",
			"deleted_at": null,
			"main_name": "IRON FRONTIER",
			"aliases": [
				"Blue Callisto ",
				"BlueCharlie ",
				"CALISTO ",
				"COLDRIVER ",
				"Callisto Group ",
				"GOSSAMER BEAR ",
				"SEABORGIUM ",
				"Star Blizzard ",
				"TA446 "
			],
			"source_name": "Secureworks:IRON FRONTIER",
			"tools": [
				"Evilginx2",
				"Galileo RCS",
				"SPICA"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434739,
	"ts_updated_at": 1775792141,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fcba815454d0282f48aaf21b34142be95baf3328.pdf",
		"text": "https://archive.orkl.eu/fcba815454d0282f48aaf21b34142be95baf3328.txt",
		"img": "https://archive.orkl.eu/fcba815454d0282f48aaf21b34142be95baf3328.jpg"
	}
}