
Russian Calisto Hackers Target NATO Research Sectors with ClickFix Malicious Code

Russian-backed threat actors continue their sophisticated cyber espionage operations against Western institutions through advanced phishing tactics.

Calisto, a Russia-nexus intrusion set attributed to the Russian FSB’s Center 18 for Information Security (military unit 64829), has emerged as a persistent threat targeting NATO research entities and strategic organizations.

The group has expanded its attack scope to include NGOs and think tanks, focusing on countries supporting Ukraine and Eastern European nations.

The campaigns pair conventional social engineering with the ClickFix methodology, a tactic that manipulates users into performing the actions that compromise their own systems.

These attacks operate through carefully crafted spear-phishing emails that impersonate trusted contacts, using psychological manipulation to lure victims into downloading malicious files or visiting compromised infrastructure.

Phishing email against reporters (Source – Sekoia)

Sekoia security analysts identified the malware after observing coordinated attacks against high-value targets.

The group employed decoy emails with missing attachments or broken PDF files, prompting victims to request resends.

Calisto PDFs leading to phishing webpages (Source – Sekoia)

Once engaged in correspondence, attackers deliver malicious payloads through redirected links hosted on compromised websites.

This multi-stage approach increases the attackers' credibility with the target while preserving their operational security, and the infrastructure behind it reveals sophisticated attack chains.

Phishing redirectors utilize PHP scripts deployed on compromised servers, accepting token parameters through GET requests resembling standard tracking codes.

Upon activation, malicious JavaScript redirects users to credential harvesting portals. The custom phishing kit, hosted on account.simpleasip[.]org, specifically targets ProtonMail accounts through an Adversary-in-the-Middle technique.

Calisto phishing kit for Protonmail (Source – Sekoia)

The interface injects malicious JavaScript code that maintains forced cursor focus on password fields every 250 milliseconds, preventing user navigation.

When users enter credentials, the injected code interacts with attacker-controlled APIs positioned on scorelikelygateway.simLeasip[.]org, relaying authentication data while presenting legitimate-appearing CAPTCHA and two-factor authentication prompts to maintain the deception.

Infection Mechanism and Persistence Tactics

Upon successful credential capture, the phishing kit attempts to fetch valid endpoints from ProtonMail’s infrastructure to maintain operational appearance.

The attackers utilize proxy services, with logs revealing access from IP address 196.44.117[.]196 associated with the Big Mama Proxy service. The infrastructure analysis demonstrates persistent evolution of attack patterns.
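For a SOC analyst, the immediately actionable part of this write-up is the set of indicators it names: the phishing kit host, the relay API host, and the Big Mama Proxy egress IP. The script below is an added example (not Sekoia's or Cyber Security News' code) that refangs those indicators as they are printed above, sorts them into domains and IPs, and matches them against proxy log lines. The log lines and their four-field layout (timestamp, client IP, destination host, path) are constructed for illustration; the registered-domain step is a naive last-two-labels heuristic with no public-suffix handling and is meant as a lower-confidence signal, not an exact match.

```python
import re
from ipaddress import ip_address

# Indicators exactly as the article prints them (defanged with "[.]").
ARTICLE_IOCS = """
account.simpleasip[.]org
scorelikelygateway.simLeasip[.]org
196.44.117[.]196
"""

# Constructed proxy log lines: "<timestamp> <client-ip> <destination-host> <path>".
SAMPLE_LOGS = [
    "2025-01-15T09:12:01Z 10.0.0.5 account.simpleasip.org /login",
    "2025-01-15T09:12:08Z 10.0.0.5 mail.proton.me /",
    "2025-01-15T09:12:30Z 10.0.0.7 cdn.simpleasip.org /js/app.js",
    "2025-01-15T09:13:02Z 10.0.0.9 196.44.117.196 /",
]

DEFANG_RE = re.compile(r"\[\.\]|\(\.\)|\[dot\]", re.IGNORECASE)
HXXP_RE = re.compile(r"^hxxp(s?)://", re.IGNORECASE)
LOG_LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<path>\S*)")


def refang(token):
    """Turn a defanged indicator ("x[.]y", "hxxp://") back into its live form."""
    token = DEFANG_RE.sub(".", token.strip())
    return HXXP_RE.sub(r"http\1://", token)


def registered_domain(host):
    """Naive registered domain: the last two labels (no public-suffix list)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def parse_iocs(text):
    """Split a block of defanged indicators into (domains, ips), lower-cased."""
    domains, ips = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        value = refang(line).lower()
        try:
            ip_address(value)
            ips.add(value)
        except ValueError:
            domains.add(value)
    return domains, ips


def classify_host(host, domains, ips):
    """Return the kind of match for one destination host, or None.

    Exact matches are checked before the weaker registered-domain heuristic so
    that a listed host is never downgraded to the lower-confidence category.
    """
    if host in ips:
        return "ip"
    if host in domains:
        return "exact-domain"
    if registered_domain(host) in {registered_domain(d) for d in domains}:
        return "registered-domain"
    return None


def match_logs(log_lines, domains, ips):
    """Scan log lines and return (timestamp, client, host, match-kind) hits."""
    hits = []
    for line in log_lines:
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # malformed line; skip rather than guess
        kind = classify_host(m["host"].lower(), domains, ips)
        if kind:
            hits.append((m["ts"], m["src"], m["host"], kind))
    return hits


if __name__ == "__main__":
    doms, addrs = parse_iocs(ARTICLE_IOCS)
    for hit in match_logs(SAMPLE_LOGS, doms, addrs):
        print(hit)
```

Feeding real proxy or DNS logs in place of `SAMPLE_LOGS` only requires adjusting `LOG_LINE_RE` to the local field order; the registered-domain hits are worth triaging separately, since sibling subdomains of a phishing host are common in this kind of infrastructure but are not named by the article.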

Calisto registers domains through multiple registrars, initially using Regway before transitioning to Namecheap’s free and standard authoritative servers, enabling threat intelligence analysts to track and correlate attack campaigns with medium confidence.

Despite extensive public disclosures, Calisto continues expanding phishing operations targeting Ukraine supporters. Organizations involved in humanitarian work, press freedom advocacy, and strategic research remain primary targets aligned with Russian intelligence priorities.

The post Russian Calisto Hackers Target NATO Research Sectors with ClickFix Malicious Code appeared first on Cyber Security News.

Source: cybersecuritynews.com