French NGO Reporters Without Borders Targeted by Star Blizzard

By Team-CWD, December 3, 2025

A fresh wave of spear-phishing activity linked to the Russia-nexus intrusion set Star Blizzard, also known as ColdRiver or Calisto, has been identified by cybersecurity researchers.

The group has been active since 2017 and is attributed by several Western governments to Russia’s FSB Center 18.

According to a new analysis by Sekoia.io’s TDR team, the latest incidents were reported in May and June 2025 by two organizations, including Reporters Without Borders (RSF), prompting a closer look at how the operators refined their credential-harvesting techniques.

A Familiar Intrusion Set Expands Its Focus

The new series of phishing attempts follows Star Blizzard’s long-running focus on Western entities backing Ukraine.

The group is known for impersonating trusted contacts and prompting targets to request missing or malfunctioning attachments. Once the victim requests the file, the attacker sends a second message containing a link to malware or a phishing page.

In one case involving RSF in March 2025, a ProtonMail address mimicking a legitimate contact sent a French-language email asking a core member to review a document. No file was attached.

When the member requested it, the operators replied in English with a link routed through a compromised website to a ProtonDrive URL. However, the file itself could not be retrieved because ProtonMail had blocked the associated account.

A second victim received a file labeled as a PDF that was actually a ZIP archive disguised with a .pdf extension. The final stage of the attack used a typical Calisto decoy PDF that claimed to be encrypted and instructed the user to open it in ProtonDrive. The link again sent the target through a redirector hosted on a compromised website.
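The disguised attachment described above (a ZIP archive carrying a .pdf extension) is detectable without opening the file: compare the extension's claim against the file's leading bytes. The check below is an added example, not code from the article or from Sekoia; the sample attachments are constructed in memory.

```python
"""Flag attachments whose extension claims one format but whose bytes say another."""
import io
import zipfile
from pathlib import Path
from typing import Optional

# Magic-byte signatures for the two formats involved in the campaign.
SIGNATURES = {
    "pdf": (b"%PDF-",),
    # ZIP: local file header, empty-archive end record, spanned-archive marker.
    "zip": (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08"),
}


def sniff_format(data: bytes) -> str:
    """Return the format implied by the first bytes, or 'unknown'."""
    for fmt, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return fmt
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> Optional[tuple]:
    """Return (claimed, actual) when extension and content disagree, else None."""
    claimed = Path(filename).suffix.lower().lstrip(".")
    actual = sniff_format(data)
    if claimed in SIGNATURES and actual != claimed:
        return claimed, actual
    return None


def scan_attachments(samples: dict) -> list:
    """Return [(filename, claimed, actual)] for every mismatching attachment."""
    findings = []
    for name, data in samples.items():
        hit = extension_mismatch(name, data)
        if hit:
            findings.append((name, hit[0], hit[1]))
    return findings


def _build_zip_disguised_as_pdf() -> bytes:
    # Constructed sample: a real ZIP archive that will be named *.pdf.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("decoy.txt", "placeholder content")
    return buf.getvalue()


# Constructed sample attachments: one genuine PDF header, one disguised ZIP.
SAMPLES = {
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
    "document.pdf": _build_zip_disguised_as_pdf(),
}
```

Running `scan_attachments(SAMPLES)` reports only `document.pdf` as claiming PDF while actually being a ZIP.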

Infrastructure Points to Ongoing Activity

The phishing kit analyzed by TDR, located on account.simpleasip[.]org, appeared to be custom built.

It targeted ProtonMail accounts using an Adversary-in-the-Middle (AiTM) setup that relays two-factor authentication (2FA). Analysts found injected JavaScript designed to keep the cursor locked to the password field and to interact with an attacker-controlled API for handling CAPTCHA and 2FA prompts.

Key observations included:

  • Modified ProtonMail interface elements

  • Persistent password-field focus

  • API-based credential processing

Star Blizzard’s infrastructure included servers hosting phishing pages and others serving as API endpoints. Many domains were tied to Namecheap services, while some earlier ones were registered via Regway, a registration pattern that helped analysts track the cluster over time.

“Despite numerous publications on this threat actor, Calisto continues its spear-phishing campaigns for credential harvesting or code execution via the ClickFix technique,” Sekoia warned.

“We are at the disposal of any NGO wishing to analyse and/or attribute attack campaigns to a cluster of activity.”
