Phishing attempt against Reporters Without Borders linked to Russia-aligned group
Farah Amod
December 25, 2025
Researchers say a known espionage-focused actor targeted the media nonprofit with tailored credential lures.
What happened
A Russia-aligned threat group attempted to compromise Reporters Without Borders through a phishing campaign earlier this year, according to research published by The Record. Analysts said a core member of the organization received an email in March that impersonated a trusted contact and asked them to review a document, a tactic previously associated with the group known as Callisto, ColdRiver, or Star Blizzard.
Going deeper
The initial message was sent from a ProtonMail account and written in French, using an accurate email signature to appear legitimate. When the recipient asked for the missing document, the attacker replied in English with a link hosted on a compromised website. The link was designed to deliver a malicious PDF, but the file could not be retrieved after ProtonMail blocked the sender's account. Researchers said the sequence matches earlier campaigns where attackers avoid attachments at first and rely on follow-up interaction to advance the attack. The nonprofit has supported journalists under threat and assisted Russian reporters leaving the country, and it was designated an undesirable organization by Russian authorities in August 2025.
What was said
Researchers at Sekoia said the same actor used a similar lure against another unnamed organization, where a decoy PDF instructed the recipient to open the file through ProtonDrive. Clicking the link redirected the user to a phishing page designed to collect ProtonMail credentials. The page pre-filled the email address and used injected code to keep the cursor in the password field, increasing the chance that credentials would be entered. Reporters Without Borders has not publicly commented on the attempted intrusion or the suspected motive.
The big picture
According to SecurityWeek, the group behind the attacks is known by several aliases, including UNC4057, Callisto, ColdRiver, and Seaborgium, and is now commonly tracked as Star Blizzard. The advanced persistent threat group has been active since at least 2019 and has consistently focused on high-value targets such as government agencies, academic institutions, NGOs, and policy think tanks.
In 2023, the U.S. government publicly attributed the group to Russia’s Federal Security Service (FSB). SecurityWeek reported that earlier this year the actors were observed deploying LostKeys malware in campaigns directed at government and military advisers, journalists, non-profits, and research organizations, reinforcing the group’s role in long-running intelligence collection operations rather than opportunistic cybercrime.
FAQs
Who is the Callisto group?
Callisto, also tracked as ColdRiver or Star Blizzard, is a long-running espionage-focused group linked by Western governments to Russian intelligence services.
Why do attackers target nonprofits like Reporters Without Borders?
Such organizations communicate with journalists, activists, and researchers, making their email accounts valuable for intelligence collection.
Why did the attackers avoid sending an attachment initially?
This approach reduces suspicion and encourages interaction, allowing attackers to deliver a follow-up link after trust is established.
What makes ProtonMail-themed lures effective?
Targets who rely on secure email services may be more likely to trust branded prompts related to document access or encryption.
How can organizations reduce exposure to similar attacks?
They can enforce strong authentication, train staff to verify unexpected document requests, restrict access to sensitive accounts, and review login activity for cloud email platforms.
