A wave of spear-phishing attacks tied to the Russia-aligned intrusion set Star Blizzard, aka ColdRiver or Calisto, has been detected, according to a new report from Sekoia.io’s Threat Detection & Research (TDR) team. The group, active since 2017 and linked by Western governments to Russia’s FSB Center 18, has renewed its focus on Western organizations supporting Ukraine.
The latest activity, reported in May and June 2025, targeted at least two organizations, including Reporters Without Borders (RSF). Researchers say Star Blizzard improved credential-harvesting methods in this campaign. The tactics usually involve impersonating trusted contacts and coaxing victims into requesting a missing file. A victim then receives a follow-up message containing a malicious link.
One RSF case involved a spoofed ProtonMail account sending a French-language request to review a document, without attaching a file. When the targeted member asked for it, attackers responded in English with a link funneled through a compromised site to ProtonDrive. Because ProtonMail blocked the malicious account, the payload couldn’t be retrieved. A second victim received what appeared to be a PDF file but was actually a ZIP archive masked with a .pdf extension, leading to a typical Calisto decoy document urging the user to open it in ProtonDrive.
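The ZIP-masked-as-PDF lure above is caught by comparing an attachment’s claimed extension with its leading magic bytes. The following is an added defender-side example, not code from the Sekoia report; the allow-list of formats and the sample attachments are constructed for illustration.

```python
"""Extension vs. magic-byte mismatch check for mail attachments.

Added example (not from the Sekoia report). Flags the lure described above:
a ZIP archive delivered under a .pdf name.
"""
from pathlib import PurePath
from typing import Optional

# Leading bytes of the container formats an attachment commonly claims to be.
# Assumption: a small allow-list is sufficient for this gateway-style check.
MAGIC = {
    "pdf": (b"%PDF-",),
    "zip": (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08"),
    "png": (b"\x89PNG\r\n\x1a\n",),
}


def detect_format(data: bytes) -> Optional[str]:
    """Return the format implied by the first bytes, or None if unknown."""
    for fmt, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return fmt
    return None


def check_attachment(filename: str, data: bytes) -> dict:
    """Compare the claimed extension with the real container format.

    'mismatch' is True only when the extension names a format we know and
    the bytes identify a different known format (e.g. .pdf that is a ZIP).
    Unknown extensions or unknown content are not flagged by this check.
    """
    claimed = PurePath(filename).suffix.lower().lstrip(".")
    actual = detect_format(data)
    mismatch = claimed in MAGIC and actual is not None and actual != claimed
    return {"filename": filename, "claimed": claimed,
            "actual": actual, "mismatch": mismatch}


# Constructed sample attachments (not real lure files).
FAKE_PDF = ("report.pdf", b"PK\x03\x04" + b"\x00" * 26 + b"decoy.pdf")
REAL_PDF = ("invoice.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n")

if __name__ == "__main__":
    for name, blob in (FAKE_PDF, REAL_PDF):
        print(check_attachment(name, blob))
```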
Sekoia’s analysts uncovered a custom-built AiTM phishing kit hosted on a compromised domain. Its JavaScript keeps the cursor locked on the password field and relays the victim’s two-factor authentication code to attacker-controlled API endpoints. The infrastructure spanned a set of domains, most associated with Namecheap and earlier ones with Regway, used both for the phishing pages and for the backend API servers.