Russian Calisto Hackers Launch ClickFix Attack on French NGO Reporters
The intrusion set, active since at least 2017 and attributed to Russia’s Federal Security Service (FSB) Center 18, continues cyber espionage operations against organizations supporting Ukraine and Western democratic institutions.
In March 2025, a core RSF member received a suspicious email that appeared to come from a trusted contact, spoofed to use a ProtonMail address.
The attacker asked the recipient to review a document but deliberately omitted the attachment, a deceptive tactic Calisto often uses to prompt the victim to request the missing file.
When the RSF member replied, the threat actor sent a second email containing a link to a compromised website that acted as a redirector, forwarding users to a ProtonDrive URL hosting what appeared to be a PDF file.
The ProtonMail account was later blocked, preventing analysts from retrieving the payload, but the lure matched Calisto’s known techniques for credential theft and document-based phishing.
A second victim reported receiving a fake “.pdf” file that was actually a ZIP archive masquerading as a PDF. The file displayed a decoy message claiming the document was encrypted and instructing users to click a link to open it in ProtonDrive.
Victims who clicked that link were redirected via a malicious PHP script on a breached website before reaching a phishing kit hosted on account.simpleasip[.]org.
The homemade phishing kit imitated ProtonMail’s login page and used Adversary-in-the-Middle (AiTM) techniques to capture credentials and two-factor authentication codes.
Injected JavaScript pre-filled victims’ usernames, forced focus on the password field, and relayed authentication requests to an attacker-controlled API (scorelikelygateway.simleasip[.]org).
Researchers confirmed successful credential theft via a session originating from IP 196.44.117[.]196, linked to the Big Mama Proxy service.
Further analysis revealed multiple C2 and phishing domains registered through Namecheap and Regway, including proton-decrypt[.]com, applicationformsubmit[.]me, and simleasip[.]org.
These indicators tie back to Calisto’s previous operations targeting NATO entities, Ukrainian defense contractors, and European think tanks.
Despite international exposure, the group continues to leverage ClickFix and AiTM techniques to compromise the accounts of NGOs, researchers, and Ukraine-supporting organizations.
Sekoia.io warns that NGOs and journalists engaged in Ukrainian support or human rights work remain high-value targets for ongoing Russian cyber espionage campaigns.
The post Russian Calisto Hackers Launch ClickFix Attack on French NGO Reporters appeared first on Cyber Security News.