A fresh wave of cyber-espionage attacks has struck the international non-profit sector, with Russian state-sponsored hackers zeroing in on press freedom advocates. Analysts from the Sekoia Threat Detection & Research (TDR) team have revealed a sophisticated spear-phishing campaign targeting the French NGO Reporters Without Borders (RSF).
According to the new report, the attacks occurred earlier this year: “In May and June 2025, TDR team analysts were contacted by two organisations – including the French NGO Reporters Without Borders (RSF) over suspicions of a new spear phishing attempts by the intrusion set Calisto (also known as ColdRiver or Star Blizzard).”
The group behind the attack, Calisto, is no stranger to Western intelligence. Active since 2017, the group is widely attributed to the Russian Federal Security Service (FSB), specifically “Center 18 for Information Security (TsIB), military unit 64829”.
Their objective is clear: intelligence collection against entities supporting Ukraine. As the report notes, “Sekoia.io concurs with such attribution as past Calisto operations investigated by TDR analyst showed objectives and victimology that align closely with Russian strategic interests.”
Calisto has evolved its social engineering playbook. Instead of simply sending a malicious link, they engage the victim in a dialogue to lower their guard. The attackers impersonate trusted contacts using ProtonMail addresses and employ a psychological trick: the “missing” file.
“Calisto spear-phishing campaigns often involve the impersonation of trusted contacts, sending email either forgetting the attachment, or sending a dysfunctional yet benign PDF file, in order to trigger a response for the victim asking for a resend.”
By forcing the victim to ask for the file, the attackers create a false sense of rapport. “We assess this technique is likely to increase the credibility of the exchange.” Once the victim replies, the attacker sends a link to a “cloud storage” location that hosts the actual malicious payload.
The technical analysis reveals a highly targeted infrastructure designed to bypass modern security measures like Two-Factor Authentication (2FA).
1. The Homemade Phishing Kit
The attackers did not use off-the-shelf tools. “It appears to be a homemade kit, as we were unable to link any atomic indicators to known frameworks such as Evilginx”. This kit uses an Adversary-in-the-Middle (AiTM) technique to intercept credentials and 2FA codes in real time.
2. Cursor Hijacking
To ensure the victim focuses on the credential harvesting fields, the kit uses aggressive JavaScript. “The username field is pre-filled with the victim’s email address, and malicious JavaScript is injected to keep the user’s cursor focused on the password field.”
3. Infrastructure via “Big Mama”
To hide their location, the attackers routed their traffic through residential proxies. Analysis of the attacker’s IP address (196.44.117[.]196) revealed it was “associated with the Big Mama Proxy service.”
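Two of the findings above translate directly into something a defender can look for: an AiTM kit relays the victim's credentials and 2FA code to the real service, so the victim's own login looks legitimate, and the stolen session is then used from attacker infrastructure such as a residential proxy exit. The following Python script is an added example, not code from the Sekoia report or from this article. It parses a few constructed sign-in log lines and flags a session that, shortly after an MFA-protected login, is used from a known proxy exit or from an unrelated network. The log format, the user names and every address except 196.44.117.196 (the one named in the report) are constructed placeholders.

```python
"""
Flag possible AiTM session replay in sign-in logs.

Indicators used:
  * a session touched from an IP on a known residential-proxy list
  * a session used from a different /16 than its login within a short
    window after an MFA-protected login (the token was captured and
    replayed from elsewhere)
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

# Constructed sample telemetry for this example; not real log data.
SAMPLE_LOG = """\
2025-06-03T09:14:02Z user=analyst@example.org event=login_success mfa=true ip=203.0.113.45 session=S1
2025-06-03T09:15:40Z user=analyst@example.org event=mailbox_read ip=203.0.113.45 session=S1
2025-06-03T09:21:07Z user=analyst@example.org event=mailbox_read ip=196.44.117.196 session=S1
2025-06-03T10:02:11Z user=editor@example.org event=login_success mfa=true ip=198.51.100.7 session=S2
2025-06-03T10:30:00Z user=editor@example.org event=mailbox_read ip=198.51.100.9 session=S2
2025-06-03T11:00:00Z user=fixer@example.org event=login_success mfa=true ip=192.0.2.10 session=S3
2025-06-03T11:20:00Z user=fixer@example.org event=mailbox_read ip=198.51.100.200 session=S3
"""

# Residential-proxy exits to match against. The first entry is the address
# reported by Sekoia; in practice this set comes from a threat-intel feed.
KNOWN_PROXY_IPS = {"196.44.117.196"}


@dataclass
class Event:
    ts: datetime
    user: str
    event: str
    ip: str
    session: str
    mfa: bool


def parse_line(line: str) -> Event:
    """Parse one 'timestamp key=value ...' line into an Event."""
    ts_str, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return Event(
        ts=datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        user=fields["user"],
        event=fields["event"],
        ip=fields["ip"],
        session=fields["session"],
        mfa=fields.get("mfa") == "true",
    )


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def same_network(a: str, b: str, prefix: int = 16) -> bool:
    """Coarse check: do two IPs fall in the same /prefix block?"""
    net = ipaddress.ip_network(f"{a}/{prefix}", strict=False)
    return ipaddress.ip_address(b) in net


def find_session_anomalies(events: list, window: timedelta = timedelta(hours=1)) -> list:
    """Return (session, user, ip, reason) tuples for suspicious session use."""
    by_session = {}
    for e in events:
        by_session.setdefault(e.session, []).append(e)

    findings = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e.ts)
        login = next((e for e in evs if e.event == "login_success"), None)
        if login is None:
            continue  # no login seen for this session; nothing to compare against
        for e in evs:
            if e is login:
                continue
            if e.ip in KNOWN_PROXY_IPS:
                findings.append((sid, e.user, e.ip, "known residential proxy exit"))
            elif not same_network(login.ip, e.ip) and e.ts - login.ts <= window:
                findings.append((sid, e.user, e.ip,
                                 "session reused from unrelated network shortly after MFA login"))
    return findings


if __name__ == "__main__":
    for sid, user, ip, reason in find_session_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{sid} {user} {ip}: {reason}")
```

The /16 comparison is deliberately coarse; a production rule would compare ASN or geolocation and would treat the MFA flag as a reason to escalate, not to suppress, since an AiTM kit defeats the second factor at the moment of login. The session-to-session correlation is the part worth keeping: it catches the replay even when the proxy exit is not yet on any list.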
The report concludes with a stark warning for the NGO sector. “Therefore, if you are an NGO involved in Ukraine, or an individual or researcher with intelligence on this conflict and partnering with Ukrainian bodies, you are possibly one of the targets of this threat actor.”