The Case of the Vanishing Attachment and the Stolen Login
- FAIR INTEL
December 15, 2025

Synopsis
The analysis indicates that a suspected state-aligned espionage actor is running targeted, conversational spearphishing: it impersonates trusted contacts, opens with a “missing/failed attachment” pretext to draw a reply, and then routes victims through compromised-site redirectors to an AiTM-capable phishing kit that captures credentials and relays 2FA. Primary risk is concentrated in email identities, sessions, and the sensitive communications reachable through a compromised account.

Strategically, this shifts decision-making toward identity and communications resilience as a mission-critical control domain (phishing-resistant MFA, protection of partner trust relationships, and governance-backed verification requirements). Operationally, it prioritizes integrated email-to-identity monitoring and incident playbooks that treat suspicious threads and redirect chains as high-risk precursors. Tactically, it drives focused detections and hunts that correlate message replies, link clicks, redirect behavior, and anomalous authentication events.

Risk posture degrades because the attack path strips most of the protective value from relayable MFA (codes and approvals a proxy can forward) and exploits predictable human behavior and compromised third-party infrastructure, increasing susceptibility for high-exposure roles and partner-facing workflows. Financial resilience is affected by recurring response costs, identity recovery and forensics effort, and potentially higher secondary losses if stolen trust relationships enable downstream targeting of partners or stakeholders; prevention, detection, and rapid containment are economically preferable to an extended compromise and its reputational fallout.
Evaluated Source, Context, and Claim
Artifact Title
French NGO Reporters Without Borders targeted by Calisto in recent campaign
Source Type
Cybersecurity blog post published on the Malwarebytes Labs website.
Publication Date: December 3, 2025
Credibility Assessment
High credibility: this is a detailed, vendor-authored investigation with technical artifacts (e.g., infrastructure, phishing-flow analysis) and is corroborated by independent reporting/RSF’s public statement.
General Claim
In 2025, the Russia-nexus Calisto intrusion set used spearphishing, trusted-contact impersonation, and redirector-based credential harvesting (including AiTM-style tactics) to target NGOs and other entities linked to Ukraine support, including Reporters Without Borders.
Narrative Reconstruction
The OSINT describes a suspected state-aligned espionage actor (Calisto/ColdRiver/Star Blizzard) conducting a spearphishing operation that uses trusted-contact impersonation, “missing/failed attachment” conversational grooming, and follow-up links that route victims through compromised-site redirectors to a credential-harvesting phishing kit that can relay 2FA (AiTM-like behavior). Targets appear to be NGO personnel and other Ukraine-related stakeholders, with likely assets including email accounts (e.g., ProtonMail), associated identities/2FA sessions, and any sensitive communications or documents accessible after account compromise; the operational goal is collection of intelligence via account access and follow-on intrusion opportunities.
Risk Scenario
A state-aligned cyber espionage actor conducts targeted spear-phishing campaigns against NGOs, research organizations, and individuals involved in or supporting Ukraine-related activities by impersonating trusted contacts and using deceptive document-sharing workflows. Through staged email exchanges and redirects via compromised websites, the actor harvests credentials and intercepts multi-factor authentication, enabling unauthorized access to victim email accounts and associated communications. Successful compromise exposes sensitive information, enables follow-on targeting of partners and contacts, and creates broader organizational risk through loss of confidentiality, trust erosion, and potential secondary intrusion activity stemming from abused identities.
Threat
A Russia-nexus cyber-espionage intrusion set targeting NGO and policy/defense-adjacent personnel who communicate about, research, or support Ukraine.
Method
The threat actor uses spearphishing and trusted-contact impersonation to trigger a reply, then delivers a link that redirects through compromised infrastructure to a lookalike login experience designed to capture credentials and relay multi-factor authentication.
Asset
Primary assets are user email accounts and identities (credentials, session tokens, 2FA flows) and the sensitive communications, files, and contacts accessible through compromised accounts.
Impact
Loss of confidentiality (exposure of sensitive communications and contacts), increased likelihood of follow-on compromise via password reuse or trusted email abuse, incident response effort, and potential secondary harms (partner trust erosion, legal/regulatory exposure depending on data handled).
Evidentiary Basis for Synopsis and Recommendations
Supporting observations from the analysis help clarify how the threat landscape, control environment, and organizational behaviors interact to shape overall risk exposure. These insights provide the foundation for identifying where controls perform well, where gaps or weaknesses create unnecessary vulnerability, and how attacker methods intersect with real-world operational conditions. Building on these findings, the recommendations that follow focus on strengthening resilience, improving decision-making, and guiding readers toward practical steps that enhance both security posture and risk-informed governance.
FAIR Breakdown
Threat Event Frequency (TEF)
Because the OSINT is a campaign write-up without org-specific telemetry, TEF must be inferred from the actor’s repeat targeting of NGOs and Ukraine-related stakeholders and the reuse of established tradecraft. TEF is likely moderate (persistent actor, repeated operations) but constrained by the need for tailored social engineering rather than mass automation.
Contact Frequency (CF)
The campaign uses direct spearphishing and iterative email exchanges (“missing attachment” prompting a resend) rather than broad scanning, indicating a moderate CF focused on selected individuals and organizations. Targeting is sector-focused (NGOs, think tanks, strategic research, Ukraine-support ecosystem) rather than random.
Probability of Action (PoA)
PoA is high because the operation aligns to an intelligence collection mission and uses multi-step deception plus purpose-built infrastructure (redirectors, phishing kit, AiTM-like handling of 2FA), suggesting committed follow-through once a suitable target is engaged.
Threat Capability (TCap)
TCap is moderate-to-high, demonstrated by operational tradecraft and technical enablement beyond basic phishing.
Exploit sophistication: Primarily social-engineering-driven, but with a structured, multi-stage flow (impersonation > redirector > phishing kit).
Bypass ability: Demonstrated ability to defeat common defenses by leveraging compromised websites as redirectors and using a phishing kit that can relay 2FA.
Tooling maturity: “Homemade” phishing kit with client-side logic, injected JavaScript, and API handling to intermediate authentication suggests mature, customized tooling.
Campaign success rate: Likely moderate; success depends on victim interaction, but grooming tactics increase conversion.
Attack path sophistication: High for phishing—multi-email pretexting, file/extension deception, redirector chain, and AiTM-like credential capture.
Cost to run attack: Moderate; infrastructure and customization require effort, but reuse across targets makes it sustainable for an espionage actor.
Control Strength (CS)
Typical user environments have mixed preventive controls. The attack path is social-engineering driven and needs no software exploit or malware installation, so human-layer resistance is the weak point, while the technical controls in scope (email filtering, MFA, web filtering) offer at best moderate resistance to it.
Resistive Strength (RS)
Effectiveness of preventive/detective controls:
Email security and user-reporting can disrupt the initial lure, but trusted-contact impersonation and conversational grooming reduce effectiveness.
MFA helps, but AiTM-style phishing can reduce MFA’s protective value if users complete the flow on the attacker-controlled page.
Web filtering and detection of suspicious redirects can help, but compromised legitimate sites complicate blocking.
Control Failure Rate
Users may trust familiar names/signatures and comply with “resend the document” pretexts.
Weak link verification and inconsistent URL inspection enable redirector-based flows.
Lack of phishing-resistant MFA (or incomplete deployment) increases credential/session theft risk.
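Why phishing-resistant MFA holds up where relayable 2FA does not, as an added simulation that is not part of the original write-up: an HMAC stands in for the authenticator's public-key signature, the RP ID and the two origins are assumed, and the TOTP routine follows RFC 6238. The point it shows is that the browser, not the user, records the page origin inside the signed client data, so an assertion produced on the lookalike page is rejected by the real relying party, whereas a TOTP code typed into that same page is accepted once the proxy forwards it.

```python
"""Added simulation (not from the Malwarebytes write-up): an AiTM proxy can
replay a relayed TOTP code but not a relayed WebAuthn assertion.
Assumptions: RP_ID, the two origins, and an HMAC standing in for the
authenticator's signature (the property shown is origin binding)."""
import base64
import hashlib
import hmac
import json
import secrets
import struct

RP_ID = "mail.example.test"                 # assumed relying-party ID
GOOD_ORIGIN = "https://mail.example.test"   # real login page
PHISH_ORIGIN = "https://mai1.example.test"  # AiTM proxy's lookalike page


# --- RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits) -------------------------
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def rp_verify_totp(secret: bytes, code: str, now: int) -> bool:
    # The server only checks that the code is valid for the current step;
    # it cannot know which web page the user typed it into.
    return hmac.compare_digest(totp(secret, now), code)


# --- WebAuthn-style assertion -----------------------------------------------
def authenticator_sign(key: bytes, rp_id: str, challenge: str, page_origin: str):
    # The browser writes `origin` into clientDataJSON: it is the origin of the
    # page that called navigator.credentials.get(), so a proxy page cannot
    # substitute the real site's origin.
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # rpIdHash || flags
    signed = auth_data + hashlib.sha256(client_data).digest()
    return client_data, auth_data, hmac.new(key, signed, hashlib.sha256).digest()


def rp_verify_assertion(key: bytes, expected_challenge: str,
                        client_data: bytes, auth_data: bytes, sig: bytes) -> bool:
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != GOOD_ORIGIN:            # origin binding defeats the relay
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = auth_data + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), sig)


def simulate_totp_relay(now: int = 1_700_000_000) -> bool:
    """Victim reads a code from their app and types it into the phishing page;
    the proxy forwards it to the real server. True if the server accepts."""
    secret = secrets.token_bytes(20)
    relayed_code = totp(secret, now)
    return rp_verify_totp(secret, relayed_code, now)


def simulate_webauthn_relay(page_origin: str = PHISH_ORIGIN) -> bool:
    """Proxy forwards the real server's challenge to the victim's browser; the
    authenticator signs it, but clientDataJSON carries the page's origin.
    True only if the server accepts the assertion."""
    key = secrets.token_bytes(32)
    challenge = base64.urlsafe_b64encode(secrets.token_bytes(32)).decode().rstrip("=")
    client_data, auth_data, sig = authenticator_sign(key, RP_ID, challenge, page_origin)
    return rp_verify_assertion(key, challenge, client_data, auth_data, sig)


if __name__ == "__main__":
    print("TOTP relayed through AiTM proxy accepted:", simulate_totp_relay())
    print("WebAuthn relayed through AiTM proxy accepted:", simulate_webauthn_relay())
    print("WebAuthn from the real origin accepted:", simulate_webauthn_relay(GOOD_ORIGIN))
```

Running the file prints the three outcomes. The same origin check is what lets passkeys and FIDO2 security keys resist this kit's 2FA relay; a code or push approval gives the server nothing that binds the factor to the page it was entered on, which is the gap the "relay two-factor authentication" capability exploits.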
Susceptibility
Estimated susceptibility: 45–65 percent for exposed, relevant users (people in target sectors who receive tailored outreach).
Probability the asset will be harmed is influenced by:
Exploitability: 60–75 percent (high social-engineering leverage; requires interaction but uses credibility-boosting tactics).
Attack surface: 30–50 percent (limited to selected targets in specific orgs/roles, not broad population).
Exposure conditions: 50–70 percent (increases when targets routinely handle external requests/docs/links).
Patch status: Low effect (0–10 percent impact) because the primary path is credential capture via phishing, not software exploitation.
Numerical Frequencies and Magnitudes
All values relating to actual dollar amounts are for example/speculative purposes only. Organizations would need to take into account their own asset values, control strength, telemetry, etc., and adjust numbers accordingly.
Loss Event Frequency (LEF)
2.4/year (estimated)
Justification: Persistent espionage targeting in the sector, but limited by tailored outreach and target selection.
Vulnerability (probability of harm per contact): 0.35
Justification: Grooming and AiTM-like handling raise success odds, but user reporting/MFA/web controls prevent many attempts. Consistency check: with LEF = TEF × Vulnerability, an LEF of 2.4/year implies roughly 7 tailored attempts per year reaching relevant users (2.4 / 0.35 ≈ 6.9), which fits the moderate TEF assessed above.
Secondary Loss Event Frequency
0.8/year (estimated)
Justification: Not every mailbox compromise leads to broader compromise; assume ~33% of primary events create meaningful secondary impacts (partner targeting, lateral credential reuse, broader IR).
Loss Magnitude
Estimated range:
Min: $10,000
Most Likely: $75,000
Maximum: $350,000
Justification:
Minimum covers basic incident response actions, including password resets, MFA re-enrollment, limited mailbox review, device inspection, and short-duration analyst and IT labor with no confirmed misuse of accessed information.
Most likely includes sustained unauthorized email access requiring full mailbox and identity forensics, expanded incident response and legal consultation, internal coordination, staff downtime, and remediation of any exposed communications or credentials.
Maximum represents compromise of sensitive organizational communications, partner contact lists, or confidential documents, leading to major incident response, external legal and communications support, regulatory or contractual implications, and material reputational harm.
Secondary Loss Magnitude (SLM)
Estimated range:
Min: $25,000
Most Likely: $200,000
Maximum: $1,500,000
Justification:
Minimum covers precautionary follow-up actions by partners or donors, additional monitoring, and minor trust-repair efforts without confirmed downstream compromise or public disclosure.
Most likely includes follow-on phishing or access attempts against partner organizations using stolen trust relationships, requiring coordinated incident response, legal review, increased security spending, and stakeholder assurance activities.
Maximum represents cascading secondary impacts such as partner breaches, public exposure of sensitive NGO activities or individuals, loss of funding or partnerships, legal action, and long-term reputational and operational damage extending beyond the initially affected organization.
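To make the figures above usable, here is an added worked calculation, not part of the original analysis, that turns the LEF, SLEF and loss ranges into an annualized loss expectancy and a Monte Carlo distribution. The modelling choices are assumptions: primary events follow a Poisson process at the LEF, each carries a triangular loss over the min/most-likely/max range, and a secondary loss attaches to a primary event with probability SLEF/LEF, matching the ~33% figure in the justification.

```python
"""Added FAIR worked example using the estimates on this page (not part of the
original write-up). Modelling assumptions: primary events per year are Poisson
with mean LEF; each primary event carries a triangular(min, most likely, max)
primary loss and, with probability SLEF/LEF, a triangular secondary loss."""
import math
import random

LEF = 2.4                                   # primary loss events per year
SLEF = 0.8                                  # secondary loss events per year
LM = (10_000, 75_000, 350_000)              # primary loss magnitude: min, most likely, max
SLM = (25_000, 200_000, 1_500_000)          # secondary loss magnitude
P_SECONDARY = SLEF / LEF                    # share of primary events with secondary impact


def tri_mean(dist):
    """Mean of a triangular distribution is the average of its three parameters."""
    return sum(dist) / 3


def expected_annual_loss():
    """Closed-form annualized loss expectancy: LEF*E[LM] + SLEF*E[SLM]."""
    primary = LEF * tri_mean(LM)
    secondary = SLEF * tri_mean(SLM)
    return {"primary": primary, "secondary": secondary, "total": primary + secondary}


def poisson(rng, lam):
    """Knuth's method; adequate for the small event rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate(years=50_000, seed=1):
    """Monte Carlo over `years` simulated years; returns summary statistics."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        total = 0.0
        for _ in range(poisson(rng, LEF)):
            total += rng.triangular(LM[0], LM[2], LM[1])       # (low, high, mode)
            if rng.random() < P_SECONDARY:
                total += rng.triangular(SLM[0], SLM[2], SLM[1])
        losses.append(total)
    losses.sort()
    return {
        "mean": sum(losses) / years,
        "p50": losses[years // 2],
        "p90": losses[int(0.9 * years)],
        "p_no_loss": sum(1 for x in losses if x == 0.0) / years,
    }


if __name__ == "__main__":
    print(expected_annual_loss())
    print(simulate())
```

The closed form gives an expected annual loss of about $808k (primary $348k, secondary $460k). The simulation is what belongs in an executive summary rather than that single number: roughly 9% of years lose nothing (e^-2.4), the median sits below the mean, and the 90th percentile sits well above it, which is the shape a heavy-tailed espionage scenario produces.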
Mapping, Controls, and Modeling
MITRE ATT&CK Mapping
Resource Development
T1583.001 – Acquire Infrastructure: Domains
Reference: “Most of the domain names used by Calisto…”
T1583.006 – Acquire Infrastructure: Web Services
Reference: “redirector to a ProtonDrive URL…”
T1585.002 – Establish Accounts: Email Accounts
Reference: “phishing email came from a ProtonMail address…”
T1584.004 – Compromise Infrastructure: Server
Reference: “containing a link to a previously compromised website…”
Initial Access
T1566.002 – Phishing: Spearphishing Link
Reference: “containing a link to a previously compromised website… redirector to a ProtonDrive URL”
T1566.001 – Phishing: Spearphishing Attachment
Reference: “sending a dysfunctional yet benign PDF file…” and “a ZIP archive with a .pdf extension”
Execution
T1204.001 – User Execution: Malicious Link
Reference: “instructing the user to click a link to open it in ProtonDrive”
Defense Evasion
T1036 – Masquerading (an archive passed off as a document by its extension)
Reference: “a ZIP archive with a .pdf extension”
Credential Access
T1557 – Adversary-in-the-Middle
Reference: “can relay two-factor authentication… Adversary-in-the-Middle (AiTM) technique”
Persistence
T1078 – Valid Accounts (post-compromise access using the harvested credentials and relayed 2FA)
Reference: “we saw the IP address 196.44.117[.]196 accessing our decoy email account.”
Collection
T1114.002 – Email Collection: Remote Email Collection
Reference: “we saw the IP address 196.44.117[.]196 accessing our decoy email account.”
NIST 800-53 Affected Controls
AT-2(3) — Literacy Training and Awareness | Social Engineering and Mining
Trusted-contact impersonation and conversational grooming to induce unsafe actions
Reference: “impersonation of trusted contacts… no document was attached… meant to make the recipient ask for the missing file.”
AT-2(4) — Literacy Training and Awareness | Suspicious Communications and Anomalous System Behavior
Users receiving mismatched-language follow-ups and suspicious redirect chains requiring reporting/verification
Reference: “responded with another email — this time in English — containing a link to a previously compromised website.”
IA-2 — Identification and Authentication (Organizational Users)
AiTM-style phishing undermines user authentication by proxying the real login and capturing credentials/2FA
Reference: “can relay two-factor authentication… allowing the threat actor to inject malicious JavaScript into the sign-in page.”
IA-5 — Authenticator Management
Controls intended to protect authenticators are directly targeted via credential-harvesting workflows and 2FA relay
Reference: “designed to target ProtonMail accounts… process the credentials… intermediary… handle… 2FA form.”
SI-4 — System Monitoring
Need to detect suspicious web redirects, lookalike login flows, and anomalous access (e.g., new proxy IPs)
Reference: “redirector… forwarded them to the threat actor’s phishing kit… we saw the IP address 196.44.117[.]196 accessing our decoy email account.”
SI-3 — Malicious Code Protection
Phishing pages inject and run attacker-controlled JavaScript in the victim’s browser session (web-layer malicious logic)
Reference: “malicious JavaScript is injected… interacts with an attacker-controlled API…”
SC-7 — Boundary Protection
Redirector infrastructure on compromised websites and external phishing domains creates high-risk egress/ingress paths needing filtering and inspection
Reference: “redirector hosted on a compromised website… forwards them to the threat actor’s phishing kit.”
AU-2 — Event Logging
Authentication attempts, MFA challenges, and suspicious access patterns must be logged to support investigation and detection
Reference: “Upon successful authentication… login attempt was successful… IP address… accessing our decoy email account.”
Monitoring, Hunting, Response, and Reversing
Monitoring
Monitoring should prioritize telemetry from email gateways, identity providers, cloud email platforms, DNS, web proxy, and endpoint browsers to capture spearphishing exchanges, link clicks, redirect chains, authentication attempts, and anomalous session behavior. Logging should ensure full visibility into email headers, link rewrite events, URL click telemetry, authentication logs (including MFA challenges, failures, and new IP/device access), DNS resolution for newly registered or rarely seen domains, and proxy logs showing redirects through compromised websites; log levels may need to be increased for authentication events and URL click tracking to preserve sufficient detail. Key indicators include trusted-contact impersonation patterns, “missing attachment” conversational sequences, redirects to ProtonDrive-like resources, mismatched sender language changes, and successful logins from proxy or hosting infrastructure shortly after link clicks. Gaps exposed include limited visibility into browser-based credential harvesting, insufficient correlation between email interaction and identity events, and weak detection of redirector infrastructure hosted on legitimate but compromised sites. Correlation logic should link inbound email > user reply > URL click > redirect chain > authentication event within short time windows, with alert thresholds favoring low-volume, high-confidence detections rather than bulk counts. Dashboards should add metrics for conversational phishing patterns, MFA relay anomalies, and post-click authentication success from new geographies or ASNs, and validation should be performed using controlled phishing simulations and replay of known redirector domains to confirm end-to-end detection coverage.
Hunting
Threat hunting should test hypotheses that targeted users engaged in Ukraine-related work are being groomed through multi-email phishing conversations and that credential access follows shortly after redirect-based link clicks. Telemetry sources should include historical email thread data, URL click telemetry, DNS logs, identity provider authentication logs, and proxy records. Detection logic should focus on chaining weak signals—such as benign-looking initial emails with no attachment, follow-up messages containing external links, and near-term successful logins from unfamiliar infrastructure—rather than relying on single indicators. Noise-to-signal challenges are expected due to legitimate document-sharing and Proton services usage, so hunts should scope by role, recent external correspondence patterns, and anomalous timing relationships between email interaction and authentication activity to reduce false positives.
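The correlation logic described in the Monitoring and Hunting sections, as an added, runnable sketch that is not part of the original write-up. The normalized event schema, the sample records, and the host names and IPs are all constructed; mapping real gateway, proxy and IdP logs onto these fields is the deployment-specific part. The grooming exchange and a language shift count only as weak signals; a click followed by an off-domain redirect or by a login from an unseen IP is what promotes the thread to an alert, which is why the benign partner exchange for the second user is not flagged.

```python
"""Added correlation example (constructed; not from the original write-up):
chains inbound email > user reply > follow-up link > click > external redirect
> login from a new IP. The event schema, sample records, hosts and IPs are assumed."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

CLICK_WINDOW = timedelta(hours=24)     # follow-up link message -> click
AUTH_WINDOW = timedelta(minutes=15)    # click -> login
HIGH_CONFIDENCE = {"external_redirect", "new_ip_login_after_click"}


def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def host(url):
    return (urlsplit(url).hostname or "").lower()


def registrable(hostname):
    # Last two labels only; use a public-suffix list in production.
    return ".".join(hostname.split(".")[-2:])


def thread_stages(user, msgs, events, known_ips):
    """Return the attack-chain stages observed for one user's email thread."""
    stages = []
    first = next((m for m in msgs if m["type"] == "inbound"
                  and not m["has_attachment"] and not m["has_link"]), None)
    reply = first and next((m for m in msgs if m["type"] == "outbound"
                            and ts(m["ts"]) > ts(first["ts"])), None)
    if not reply:
        return stages
    stages.append("grooming_reply")
    link_msg = next((m for m in msgs if m["type"] == "inbound" and m["has_link"]
                     and ts(m["ts"]) > ts(reply["ts"])), None)
    if not link_msg:
        return stages
    stages.append("followup_link")
    if link_msg["lang"] != first["lang"]:
        stages.append("language_shift")
    link_host = host(link_msg["url"])
    deadline = ts(link_msg["ts"]) + CLICK_WINDOW
    click = next((e for e in events if e["src"] == "proxy" and e["user"] == user
                  and host(e["url"]) == link_host
                  and ts(link_msg["ts"]) <= ts(e["ts"]) <= deadline), None)
    if not click:
        return stages
    stages.append("link_click")
    location = click.get("location", "")
    if (300 <= click.get("status", 0) < 400 and location
            and registrable(host(location)) != registrable(link_host)):
        stages.append("external_redirect")
    deadline = ts(click["ts"]) + AUTH_WINDOW
    if any(e["src"] == "idp" and e["user"] == user and e["type"] == "auth_success"
           and e["ip"] not in known_ips.get(user, set())
           and ts(click["ts"]) <= ts(e["ts"]) <= deadline for e in events):
        stages.append("new_ip_login_after_click")
    return stages


def correlate(events, known_ips):
    """Alert only when a click was followed by a high-confidence stage."""
    threads = {}
    for e in sorted(events, key=lambda e: ts(e["ts"])):
        if e["src"] == "mail":
            threads.setdefault((e["user"], e["thread"]), []).append(e)
    alerts = []
    for (user, thread), msgs in threads.items():
        stages = thread_stages(user, msgs, events, known_ips)
        if "link_click" in stages and HIGH_CONFIDENCE & set(stages):
            alerts.append({"user": user, "thread": thread, "stages": stages})
    return alerts


def mail(t, user, thread, direction, has_link=False, lang="en", url=None):
    return {"ts": t, "src": "mail", "type": direction, "user": user, "thread": thread,
            "has_attachment": False, "has_link": has_link, "lang": lang, "url": url}


# Constructed telemetry: alice is groomed and phished; bob exchanges a real document link.
SAMPLE_EVENTS = [
    mail("2025-12-01T09:02:00Z", "alice", "t1", "inbound", lang="fr"),
    mail("2025-12-01T09:40:00Z", "alice", "t1", "outbound", lang="fr"),
    mail("2025-12-01T11:15:00Z", "alice", "t1", "inbound", True, "en",
         "https://compromised-site.test/wp-content/plugins/x/open.php"),
    {"ts": "2025-12-01T11:20:00Z", "src": "proxy", "user": "alice", "status": 302,
     "url": "https://compromised-site.test/wp-content/plugins/x/open.php",
     "location": "https://lookalike-login.test/u/abc"},
    {"ts": "2025-12-01T11:27:00Z", "src": "idp", "type": "auth_success",
     "user": "alice", "ip": "198.51.100.23"},
    mail("2025-12-01T13:00:00Z", "bob", "t2", "inbound"),
    mail("2025-12-01T13:05:00Z", "bob", "t2", "outbound"),
    mail("2025-12-01T13:30:00Z", "bob", "t2", "inbound", True, "en",
         "https://files.partner.test/share/report.pdf"),
    {"ts": "2025-12-01T13:31:00Z", "src": "proxy", "user": "bob", "status": 200,
     "url": "https://files.partner.test/share/report.pdf"},
    {"ts": "2025-12-01T13:40:00Z", "src": "idp", "type": "auth_success",
     "user": "bob", "ip": "203.0.113.11"},
]
KNOWN_IPS = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.11"}}

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS, KNOWN_IPS):
        print(alert)
```

The windows (24 hours from link message to click, 15 minutes from click to login) are starting points to tune against your own click-to-login baseline; the known-IP set stands in for whatever device or location history the identity provider exposes.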
Response
Response activities should rely on email logs, identity authentication records, DNS and proxy logs, and cloud audit trails to reconstruct the phishing-to-authentication timeline. Expected artifacts include phishing emails, redirect URLs, DNS resolutions, authentication sessions, MFA challenge artifacts, and any subsequent mailbox access or rule changes. Anti-forensic behavior may include rapid credential reuse via proxies, short-lived infrastructure, and reliance on compromised third-party websites to obscure attribution. Reconstruction should focus on correlating the initial social-engineering exchange with subsequent identity misuse to determine scope and dwell time, with DFIR evidence feeding FAIR loss estimates by quantifying response effort, data exposure, and secondary impacts. Likely containment actions include credential revocation, MFA reset, session invalidation, mailbox review, and notification of affected partners, while priority artifacts include full email threads, authentication logs, and proxy/DNS records. IR gaps often include insufficient browser-level telemetry and incomplete historical email interaction data, and validation should include tabletop exercises and controlled phishing replays to ensure response workflows and evidence capture are adequate.
Reverse Engineering
Reverse engineering should focus on the phishing kit rather than a traditional malware loader, examining how injected JavaScript alters authentication flows, relays credentials and MFA, and communicates with attacker-controlled APIs. Analysis should assess evasion techniques such as mimicking legitimate ProtonMail assets, reusing filenames, and hosting on compromised infrastructure to blend with normal traffic, while persistence is not expected on endpoints but rather through continued credential access. Indicators include modified JavaScript bundles, redirector PHP scripts, attacker API endpoints, and domain registration patterns. Dynamic analysis should observe live authentication handling and MFA relay behavior, while static analysis should compare legitimate and malicious JavaScript assets to identify injected logic. Expected artifacts include altered web assets, network requests to attacker APIs, and authentication logs showing successful access via proxy services. Additional reverse engineering should compare these kits with historically documented Calisto phishing frameworks to identify reuse or evolution.
CTI
CTI efforts should evaluate PIRs by assessing whether the actor’s targeting aligns with the organization’s sector, geography, or partners involved in Ukraine-related activities, the recurrence of similar campaigns over time, consistent use of trusted-contact impersonation and redirector-based phishing, and repeated targeting of email identities as the primary asset. SIR gaps include incomplete IOC coverage for short-lived domains and IPs, a lack of server-side phishing kit artifacts, uncertainty around infrastructure relationships, and medium-confidence attribution that benefits from corroboration. Collection should emphasize continuous OSINT monitoring of trusted vendors and NGOs, internal telemetry enrichment, ISAC/ISAO collaboration, selective dark web and malware repository monitoring for phishing kits, and integration of network and identity data. Mapping should cluster infrastructure and campaigns, align observed TTPs to ATT&CK, compare activity against historical Calisto operations, assess confidence levels, and identify emerging variations in social-engineering or AiTM techniques to validate or refine existing hypotheses.
GRC and Testing
Governance
Update governance to treat targeted spearphishing with AiTM-style credential theft as a defined enterprise risk scenario for identity and email systems, and ensure policies explicitly require phishing-resistant MFA where feasible, verification of out-of-band “document resend” requests, and controls for external link handling and redirect exposure. Strengthen oversight by assigning clear accountability across security, IT, and business owners for email/identity risk, with routine review of third-party and partner communication risk given the campaign’s reliance on trusted-contact impersonation and follow-on partner targeting. Refresh RA, PM, and PL-family governance artifacts by documenting acceptable identity assurance levels, logging/monitoring expectations for authentication and email events, and response requirements for suspected credential harvesting and session hijack patterns. Add or adjust risk register entries to capture likelihood drivers (targeted outreach, conversational grooming, compromised-site redirectors) and impact drivers (loss of confidentiality, partner trust erosion), and define risk treatment options (MFA hardening, email security tuning, awareness updates, and incident playbooks). Board/executive communications should include concise updates on exposure of high-risk roles, control coverage for phishing-resistant authentication, trends in targeted phishing attempts, and quantified loss ranges and response readiness tied to this scenario.
Audit and Offensive Security Testing
Audit should validate that email, identity, and web controls actually detect and prevent the observed attack path by testing evidence sufficiency for threaded spearphishing, link-click telemetry, redirect chain visibility, and authentication event reconstruction (including MFA challenge and post-auth access). Findings should focus on gaps that increase susceptibility, such as incomplete email header retention, missing URL click telemetry, inadequate proxy/DNS logging to identify compromised redirectors, and limited identity anomaly detection for new IP/device access shortly after user link clicks. Policies and controls requiring validation include external communication verification procedures, identity assurance standards for privileged/high-risk users, and logging requirements for email and authentication systems, with compliance tie-ins centered on protecting sensitive communications and identities and ensuring incident evidence is preserved. Red team and purple team exercises should reproduce the “missing attachment” grooming pattern and follow-up redirect-to-lookalike-login flow to validate detection, escalation, and containment time objectives, while pen testing scope should include email security configuration review, identity provider, and MFA resilience testing against proxy-style flows, and web filtering effectiveness for compromised-site redirectors. Control validation should conclude with measurable outcomes (alert coverage, false positive rates, time-to-detect, time-to-contain) and documented remediation actions for any evidence or control failures.
Awareness Training
Refresh awareness training to emphasize the OSINT’s specific social engineering pattern: trusted-contact impersonation paired with conversational grooming (“missing/failed attachment” prompting a reply) and a later link that redirects to a lookalike login experience designed to capture credentials and relay MFA. Address common human failure modes by reinforcing that familiar signatures, plausible language, and document-sharing themes do not equal authenticity, and that redirect chains and unexpected language shifts in a thread are actionable warning signs. Tailor role-based adjustments by giving executives and high-trust communicators (comms, policy, legal, leadership) stricter verification steps, administrators guidance on phishing-resistant MFA and identity hygiene, and customer-facing or finance staff clear rules for handling external document links and account access prompts. Provide concrete behavioral indicators employees should recognize, including “please review this document” with no attachment, follow-up links to file services, requests to log in to view an “encrypted” document, and any prompt to re-authenticate after a redirect. Update phishing simulations to mirror the staged thread pattern and redirect-to-login experience, and add communication guidelines for high-risk interactions, such as verifying requests via a separate known channel and reporting suspicious threads promptly. Reinforcement should be continuous with short cycles, measured by reporting rates, click-through rates, time-to-report, and repeat-offender reduction for high-risk roles.
Indicators of Compromise
All IoCs from the original artifact, as follows:
Known redirector URLs:
hxxps://admin.artemood[.]com/vendor/plugx/*.php
hxxps://mittalcpa[.]com/wp-content/plugins/bungs/*.php
hxxps://esclerosemultiplario[.]com.br/wp-content/plugins/areada/*.php
hxxps://myoseguridad[.]net/prueba/phantomrise/*.php
hxxps://esourcesol[.]com/wp-content/plugins/leykos/*.php
hxxps://cranium[.]id/plugins/unite/*.php
Domains:
sopatrasoftware[.]net
setimgfont[.]com
ageyeboo[.]com
doggiewalkietalkie[.]company
napsubrow[.]com
collappendrow[.]net
acmathj[.]org
partizan-cryptobox[.]com
drivenginfra[.]com
proton-decrypt[.]com
astrocosmograv[.]com
bridgevisionassetmanagement[.]net
sysgentuore[.]com
enepascm[.]net
cloudmediaportal[.]com
addnamestamp[.]net
agentsbreakcursor[.]org
agilegapvalue[.]com
applicationformsubmit[.]me
argosurflooms[.]com
atheismatoninoosers[.]net
baayaygnu[.]com
biochemsys[.]org
bridgevisionassets[.]net
ceehogrho[.]org
checkshowlabel[.]org
classmechthermo[.]com
cowsetmom[.]com
documentsec[.]com
fohmaspub[.]org
forcelistcon[.]com
gemtarfad[.]com
gymaisbad[.]org
harmenganaleng[.]com
inkwaxmil[.]com
inmeoaf[.]com
jamyexraw[.]com
kwargsdirgrid[.]com
lamiderot[.]eu
layoutdatatype[.]org
leaseselfid[.]com
lekgodmop[.]com
levtawrig[.]eu
logmanzoo[.]com
maddeehot[.]online
mainboxtype[.]net
mapaji[.]com
menustatusbar[.]org
midemucoped[.]org
mobtuxawe[.]org
mofamole[.]com
ned-application-proposal[.]org
ned-granting-opportunitis[.]org
ned-granting-potential[.]com
netyintry[.]com
nextgenscloud[.]com
noonevinedreammer[.]org
objectwidgetfont[.]org
onlineviewdoc[.]com
ovaradiumnon[.]org
owntrywad[.]com
parkcaprigra[.]com
pietabyew[.]org
prostaffcover[.]org
psybehavconf[.]com
raxpoprig[.]org
reftospy[.]com
requestspatchcopy[.]net
returnselfdata[.]net
saghughap[.]com
sendhostargs[.]com
setproxytrue[.]net
simleasip[.]org
sizarebabrhino[.]org
slacksfulgurbairn[.]org
sobcozsee[.]com
soborsshe[.]com
socalstrategy[.]info
towegospa[.]com
trekpoofedbange[.]org
tryledsox[.]com
tucklocsqueal[.]org
weblangdata[.]com
yehmaways[.]com
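An added example, not from the original write-up, of putting the list above to work: it refangs the published indicators, compiles the wildcard redirector paths into anchored patterns, and scans constructed proxy and DNS lines. The redirector hosts are legitimate sites that were compromised, so only the listed plugin paths are matched there, while the attacker-registered domains are matched together with any subdomain. The sample lines and client addresses are constructed; the indicators are the ones listed above.

```python
"""Added IoC-matching example (constructed; not from the original write-up).
Refangs the published indicators, turns the wildcard redirector URLs into
anchored regexes, and scans constructed proxy/DNS lines."""
import re
from urllib.parse import urlsplit

# Subset of the indicators listed above, defanged as published.
REDIRECTORS = [
    "hxxps://admin.artemood[.]com/vendor/plugx/*.php",
    "hxxps://mittalcpa[.]com/wp-content/plugins/bungs/*.php",
    "hxxps://cranium[.]id/plugins/unite/*.php",
]
DOMAINS = ["proton-decrypt[.]com", "documentsec[.]com", "onlineviewdoc[.]com"]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def refang(ioc):
    return ioc.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def url_pattern(defanged):
    """'*' in the published path matches one path segment; query strings are tolerated."""
    u = urlsplit(refang(defanged))
    path = re.escape(u.path).replace(r"\*", "[^/?#]*")
    return re.compile(rf"^https?://{re.escape(u.hostname)}(?::\d+)?{path}(?:[?#].*)?$", re.I)


def matches_domain(hostname, domains):
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in domains)


def scan(lines, redirectors=REDIRECTORS, domains=DOMAINS):
    """Return (line_no, kind, indicator) hits; kind is 'redirector' or 'domain'."""
    patterns = [url_pattern(r) for r in redirectors]
    doms = [refang(d).lower() for d in domains]
    hits = []
    for n, line in enumerate(lines):
        for url in URL_RE.findall(line):
            if any(p.match(url) for p in patterns):
                hits.append((n, "redirector", url))
        for h in set(HOST_RE.findall(line)):
            if matches_domain(h, doms):
                hits.append((n, "domain", h.lower()))
    return hits


# Constructed proxy and DNS lines; client addresses are private/documentation ranges.
SAMPLE_LINES = [
    "2025-12-01T11:20:05Z proxy user=alice GET https://mittalcpa.com/wp-content/plugins/bungs/index.php?id=7 302 location=https://proton-decrypt.com/u/abc",
    "2025-12-01T11:20:06Z proxy user=alice GET https://proton-decrypt.com/u/abc 200",
    "2025-12-01T11:20:01Z dns client=10.0.0.5 query=login.proton-decrypt.com type=A",
    "2025-12-01T12:00:00Z proxy user=bob GET https://mittalcpa.com/about-us/ 200",
    "2025-12-01T12:01:00Z dns client=10.0.0.6 query=www.example.org type=A",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(hit)
```

The fourth line, a normal page on the compromised site, produces no hit: blocking the whole host would break a legitimate business and still miss the next compromised site the actor picks, so the path pattern plus a redirect-chain check (a 3xx off to a different registrable domain) is the durable detection, while the registered lookalike domains can be blocked outright.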