
NATO Research Sectors Targeted by Russian Calisto Hackers Using ClickFix Code

A recent investigation by Sekoia.io’s Threat Detection & Response (TDR) team has revealed a new wave of spear phishing campaigns conducted by the Russia-linked intrusion set Calisto, also known as ColdRiver or Star Blizzard.

The campaigns, observed in May and June 2025, targeted international organizations, including the French NGO Reporters Without Borders (RSF) and several NATO-related research sectors.

Calisto, which Western intelligence agencies attribute to Russia’s Federal Security Service (FSB) Center 18 for Information Security, has been active since 2017.

The group is known for cyber-espionage operations aimed at stealing credentials and intelligence from entities supporting Ukraine. Its operations closely align with Russian strategic priorities and have continued to evolve technically and operationally.

Sophisticated Phishing Using ClickFix and AiTM Tactics

The latest campaign leveraged a new infection method based on the ClickFix technique, a social engineering tactic that tricks targets into executing malicious code under the guise of document verification.

In the most recent incidents, Calisto impersonated trusted contacts using forged ProtonMail addresses.

Emails often appeared genuine but lacked attachments, prompting recipients to request a resend. The attackers then delivered a malicious “follow-up” file masquerading as a secure PDF.

In one confirmed case, the attached file carried a .pdf extension but was, in reality, a compressed .zip archive leading to a decoy PDF hosted on ProtonDrive.
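The extension-versus-content mismatch described above (a .pdf name on a ZIP container) is the kind of thing a mail gateway or incident responder can check mechanically. The following is an added example, not code from the Sekoia.io report or from the campaign: it compares the extension an attachment claims with the container type its leading bytes reveal, and lists the members of any ZIP it finds. The sample attachments, including the in-memory ZIP and its placeholder member name, are constructed for this example.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Leading-byte signatures for the container formats relevant to the case above.
MAGIC = (
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),   # also the container for docx/xlsx/pptx/jar
    (b"PK\x05\x06", "zip"),   # empty ZIP archive
    (b"MZ", "exe"),           # Windows PE executable
)

# Extensions that legitimately carry each real container type, so that a
# .docx (which really is a ZIP) is not reported as a mismatch.
ALLOWED_EXTENSIONS = {
    "pdf": {"pdf"},
    "zip": {"zip", "docx", "xlsx", "pptx", "odt", "ods", "jar"},
    "exe": {"exe", "dll", "scr"},
}


def sniff_type(data: bytes) -> str:
    """Identify the real container type from the first bytes, or 'unknown'."""
    for signature, kind in MAGIC:
        if data.startswith(signature):
            return kind
    return "unknown"


def declared_type(filename: str) -> str:
    """Extension the filename claims, lower-cased and without the dot."""
    return PurePosixPath(filename).suffix.lower().lstrip(".")


def check_attachment(filename: str, data: bytes) -> dict:
    """Flag an attachment whose real container type does not fit its extension."""
    real = sniff_type(data)
    declared = declared_type(filename)
    mismatch = real != "unknown" and declared not in ALLOWED_EXTENSIONS[real]
    inner_names = []
    if real == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                inner_names = archive.namelist()
        except zipfile.BadZipFile:
            inner_names = ["<unreadable archive>"]
    return {
        "filename": filename,
        "declared": declared,
        "real": real,
        "mismatch": mismatch,
        "inner_names": inner_names,
    }


def scan_attachments(attachments) -> list:
    """Return the check results for every attachment that is flagged."""
    return [r for r in (check_attachment(n, d) for n, d in attachments) if r["mismatch"]]


def build_constructed_zip() -> bytes:
    """Constructed sample: a small ZIP archive built in memory for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("follow-up.txt", "constructed placeholder content")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inputs: a ZIP named as a PDF, a genuine-looking PDF header,
    # and a PE header named as a PDF.
    samples = [
        ("Secure_Document.pdf", build_constructed_zip()),
        ("report.pdf", b"%PDF-1.7\n%constructed sample\n"),
        ("invoice.pdf", b"MZ\x90\x00constructed"),
    ]
    for result in scan_attachments(samples):
        print(f"{result['filename']}: claims {result['declared']}, "
              f"is {result['real']}, members={result['inner_names']}")
```

Only the leading bytes are inspected, so the check is cheap enough to run on every inbound attachment; a flagged result is a reason to detonate or quarantine the file, not proof of malice on its own.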

Figure: typical Calisto PDFs leading to phishing webpages.

When users followed the embedded link, they were redirected through a compromised website running a PHP-based redirector, which funneled them to a phishing kit mimicking ProtonMail’s login page.

The kit deployed an Adversary-in-the-Middle (AiTM) mechanism, allowing the attackers to intercept credentials and potentially bypass two-factor authentication.

Sekoia.io’s analysts detonated one of the phishing kits for technical assessment. The code revealed attacker-controlled APIs and JavaScript injections that modified ProtonMail’s legitimate login interface to harvest user credentials.

Even failed or 404-style responses from the fake login page were only cosmetic; authentication attempts succeeded on the real ProtonMail platform, confirming credential compromise.

Further analysis identified related infrastructure associated with domains registered through Namecheap and Regway, revealing a consistent pattern in Calisto’s infrastructure management.

The servers were divided between phishing webpage hosts and backend API handlers, supporting attribution with medium confidence.

Despite extensive reporting from global cybersecurity agencies, Calisto shows no signs of slowing down.

Its continued use of advanced obfuscation techniques and realistic impersonation underscores the persistent threat facing NGOs, defense contractors, and research institutes participating in Ukraine-related projects.

Organizations engaged in humanitarian or defense activities are advised to verify communications, turn off automatic downloads, and implement enhanced monitoring for ProtonMail-based phishing attempts.
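One concrete form of the monitoring recommended above, and of the defence against the forged ProtonMail sender addresses mentioned earlier, is to check inbound mail whose From domain claims to be ProtonMail against the receiving server's Authentication-Results header. The following is an added example, not code from the report or from any mail product: it parses SPF, DKIM and DMARC verdicts and flags a message that claims a ProtonMail domain without a DMARC pass. The set of ProtonMail domains and both raw messages are constructed for this example; the domains are an assumption, not a list taken from the page.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption for this example: sender domains treated as "ProtonMail" here.
PROTON_DOMAINS = {"proton.me", "protonmail.com", "pm.me"}

# Matches verdicts such as "spf=fail", "dkim=none", "dmarc=pass".
AUTH_RESULT_RE = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|none|softfail|neutral|temperror|permerror)\b",
    re.IGNORECASE,
)


def auth_results(msg) -> dict:
    """Collect method -> verdict from every Authentication-Results header."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RESULT_RE.findall(value):
            results[method.lower()] = verdict.lower()
    return results


def assess_sender(raw_message: str) -> dict:
    """Flag mail that claims a ProtonMail sender domain but fails authentication."""
    msg = message_from_string(raw_message)
    _, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    results = auth_results(msg)
    claims_proton = domain in PROTON_DOMAINS
    reasons = []
    if claims_proton and results.get("dmarc") != "pass":
        reasons.append(f"claims {domain} but dmarc={results.get('dmarc', 'missing')}")
    if claims_proton and results.get("spf") in {"fail", "softfail"}:
        reasons.append(f"spf={results['spf']}")
    if claims_proton and results.get("dkim") in {"fail", "none"}:
        reasons.append(f"dkim={results['dkim']}")
    return {
        "from_domain": domain,
        "claims_proton": claims_proton,
        "results": results,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


# Constructed sample: a message that claims proton.me but fails every check.
SPOOFED_EMAIL = """\
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=proton.me; dkim=none; dmarc=fail header.from=proton.me
From: "Trusted Contact" <contact@proton.me>
To: analyst@example.org
Subject: Follow-up document

Please find the secure document attached.
"""

# Constructed sample: a message that claims proton.me and passes every check.
AUTHENTIC_EMAIL = """\
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=proton.me; dkim=pass header.d=proton.me; dmarc=pass header.from=proton.me
From: "Colleague" <colleague@proton.me>
To: analyst@example.org
Subject: Meeting notes

Notes from today attached.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_EMAIL), ("authentic", AUTHENTIC_EMAIL)):
        verdict = assess_sender(raw)
        print(f"{label}: suspicious={verdict['suspicious']} reasons={verdict['reasons']}")
```

The check is deliberately scoped to the page's recommendation (ProtonMail look-alike senders); a message from an unrelated domain that fails DMARC is not flagged here, which keeps the alert volume tied to this campaign's lure rather than to every misconfigured sender on the internet.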


The post NATO Research Sectors Targeted by Russian Calisto Hackers Using ClickFix Code appeared first on Cyber Security News.

rssfeeds-admin
