Russian Hackers Target Reporters Without Borders in New Phishing Wave


According to Infosecurity Magazine, cybersecurity researchers have identified a fresh wave of spear-phishing linked to the Russia-nexus group Star Blizzard, also known as ColdRiver or Calisto. The group, active since 2017 and attributed to Russia’s FSB Center 18, targeted two organizations in May and June 2025, including the French NGO Reporters Without Borders (RSF). In one March 2025 incident, attackers used a spoofed ProtonMail address to lure an RSF member with a missing document, then sent a malicious link routed through a compromised website. The phishing kit employed an Adversary-in-the-Middle setup specifically to relay two-factor authentication codes from ProtonMail accounts. Researchers from Sekoia.io’s TDR team analyzed the custom infrastructure, noting many domains were tied to Namecheap services, and warned the group continues its campaigns despite widespread exposure.


Old Tricks, New Refinements

Here’s the thing about groups like Star Blizzard: they don’t need to reinvent the wheel. They just need to make it roll a little smoother. Their core playbook—impersonating a trusted contact, sending an email with a “missing” attachment, and then delivering a malicious link when the victim asks for it—has been their signature move for years. But the analysis by Sekoia.io shows they’re getting more sophisticated in the execution. The use of a custom phishing kit that actively locks the cursor to the password field and interacts with a hacker-controlled API to handle CAPTCHA and 2FA prompts is a serious escalation. It turns what was a simple credential grab into a full session hijack, making that second factor almost useless. That’s a big deal for organizations relying on basic 2FA for security.

Why This Target, Why Now?

So why Reporters Without Borders? It fits the pattern perfectly. Star Blizzard has a long-running focus on Western entities backing Ukraine, and an NGO dedicated to press freedom, often critical of authoritarian regimes, is a classic high-value target for intelligence gathering. The timing in early 2025 isn’t random either. Think about the ongoing information war surrounding the conflict in Ukraine. Understanding the communications and plans of groups that support independent journalism in the region is incredibly valuable. This isn’t cybercrime for money; it’s espionage for influence and insight. The fact that they’re still at it, as Sekoia notes, “despite numerous publications” on their methods, tells you how effective and presumably valuable these operations are to their handlers.

The Infrastructure Game

One of the more interesting technical details is how they manage their infrastructure. Using a mix of providers, Namecheap now and Regway earlier, shows a practical approach to hiding in plain sight: these are common, legitimate services. But it also creates a fingerprint. Analysts can track these domain registration patterns over time to link attacks to the same cluster of activity. It’s a constant cat-and-mouse game. The hackers compromise legitimate websites to use as redirectors, adding a layer of obfuscation and making malicious links look less suspicious. For defenders, this means security isn’t just about looking at the final destination of a link, but understanding the entire chain of redirects. It’s exhausting, frankly.

What Does Effective Defense Look Like?

Look, if a dedicated, state-backed group wants to get in, they probably will. The goal is to make it incredibly hard and to detect them quickly. For organizations in sectors like media, NGOs, or critical infrastructure, this goes beyond basic email filters. It requires security awareness training that drills down on these specific social engineering tactics. “Hey, you got an email from a known contact but something feels off? Verify through another channel.” That simple step could have stopped this attack chain cold when the RSF member was asked for the missing file. For technical controls, moving beyond simple 2FA to phishing-resistant methods like FIDO2 security keys is becoming essential, because a hardware key’s response is bound to the real site’s origin and cannot be relayed through an Adversary-in-the-Middle proxy the way a one-time code can. And constant vigilance on network traffic for signs of those intermediate redirects through compromised sites is key. Basically, you need a layered defense: trained people, robust processes, and hardened technology. Because Star Blizzard isn’t going away.
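The redirect-chain idea raised in the infrastructure section and again here can be turned into a simple detection. The following is an added example, not code from the article or from Sekoia.io: it stitches together the HTTP redirects seen in a web-proxy log and flags any click that hops across registrable domains before landing somewhere other than the organisation’s own mail provider. The log format, the sample lines and the trusted-domain list are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log lines (not real traffic): time, client, HTTP status, URL, Location header ("-" if none)
SAMPLE_LOG = """\
10:00:01 10.0.0.5 302 https://docs.example-cms.org/share/report.pdf https://mail-verify.example-kit.net/login
10:00:02 10.0.0.5 200 https://mail-verify.example-kit.net/login -
10:05:00 10.0.0.9 301 https://www.example-news.org/old-link https://www.example-news.org/new-link
10:05:01 10.0.0.9 200 https://www.example-news.org/new-link -
10:07:00 10.0.0.5 200 https://account.proton.me/login -
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\S+) (\S+)$")
TRUSTED_DOMAINS = {"proton.me"}  # assumption: the organisation's legitimate mail provider(s)

def registrable(url):
    """Crude eTLD+1 (last two labels); a production tool should use the public suffix list."""
    return ".".join(urlsplit(url).hostname.split(".")[-2:])

def parse_log(text):
    """Parse the constructed log format into (client, status, url, location) tuples."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            _ts, client, status, url, loc = m.groups()
            rows.append((client, int(status), url, None if loc == "-" else loc))
    return rows

def build_chains(rows):
    """Stitch each 3xx response to the same client's later request for its Location target."""
    pending, chains = {}, []
    for client, status, url, loc in rows:
        chain = pending.pop((client, url), []) + [url]   # continue an open chain or start a new one
        if 300 <= status < 400 and loc:
            pending[(client, loc)] = chain               # expect this client to fetch loc next
        else:
            chains.append(chain)                         # landing page reached: chain is complete
    chains.extend(pending.values())                      # redirects never followed still count
    return chains

def suspicious_chains(rows):
    """Flag chains that cross registrable domains and end somewhere other than a trusted provider."""
    flagged = []
    for chain in build_chains(rows):
        domains = [registrable(u) for u in chain]
        if len(set(domains)) >= 2 and domains[-1] not in TRUSTED_DOMAINS:
            flagged.append(chain)
    return flagged
```

Run over real proxy logs, the flagged chains are the ones worth a human look: a document link on one site that silently hands the browser to a login page on another domain is exactly the shape of the lure described above.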
