BlueCharlie changes attack infrastructure in response to reports on its activity

Pierluigi Paganini August 06, 2023

Russia-linked APT group BlueCharlie was observed changing its infrastructure in response to recent reports on its activity.

Researchers from Recorded Future reported that Russia-linked APT group BlueCharlie (aka Blue Callisto, Callisto, COLDRIVER, Star Blizzard (formerly SEABORGIUM), ColdRiver, and TA446) continues to change its attack infrastructure following recent reports on its activity.

The APT group has been active since at least 2017, its campaigns involve persistent phishing and credential theft campaigns leading to intrusions and data theft. The APT primarily targets NATO countries, but experts also observed campaigns targeting the Baltics, Nordics, and Eastern Europe regions, including Ukraine.

BlueCharlie primarily focuses operations on defense and intelligence consulting companies, non-governmental organizations (NGOs) and intergovernmental organizations (IGOs), think tanks, and higher education. The group also targets former intelligence officials, experts in Russian affairs, and Russian citizens abroad.

Recently, Recorded Future Insikt Group observed BlueCharlie building a new infrastructure to launch phishing campaigns and/or credential harvesting. The new attack infrastructure was created starting from March 2023 and consists of 94 new domains.

“Several of the TTPs seen in the recent operation depart from past activity, suggesting that BlueCharlie is evolving its operations, potentially in response to public disclosures of its operations in industry reporting. Since Insikt Group’s initial tracking of the group in September 2022, we have observed BlueCharlie engage in several TTP shifts.” reads the analysis published by Recorded Future. “These shifts demonstrate that these threat actors are aware of industry reporting and show a certain level of sophistication in their efforts to obfuscate or modify their activity, aiming to stymie security researchers.”

Since at least December 17, 2022, the group has used a new naming pattern for its domains containing keywords related to information technology and cryptocurrency. Some examples are cloudrootstorage[.]com, directexpressgateway[.]com, storagecryptogate[.]com, and pdfsecxcloudroute[.]com.


In previous campaigns, the majority of the domains have been registered by BlueCharlie with the Porkbun registrar, followed by NameCheap, Regway, and REGRU.

After the disclosure of the report on previous attacks, seventy-eight of the 94 new domains have been registered using NameCheap.

Researchers recommend that organizations implement multi-factor authentication (MFA), enforce a frequent password reset policy, disable all macros by default in Microsoft Office products, train employees, contractors, and third-party vendors to protect against phishing, spearphishing, and social engineering attacks, properly configure intrusion detection systems (IDS), IPS, or any network defense mechanisms in place.

“BlueCharlie has demonstrated the ability to adapt and evolve over time to public reporting, and will likely continue to change their TTPs based on past precedent. Given the group’s historical use of phishing, were commend network defenders employ robust anti-phishing training and highly encourage the use of a FIDO2-compliant multi-factor authentication token, such as aYubikey.,” concludes the report.

The report includes Indicators of Compromise (IoCs) for this threat.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, BlueCharlie)

you might also like

leave a comment