Calisto (aka ColdRiver/Star Blizzard), an intrusion set attributed to Russia’s FSB, resumed spear-phishing campaigns in May–June 2025 targeting NGOs, researchers, and institutions supporting Ukraine using impersonation, compromised redirectors and an AiTM phishing kit that can relay 2FA. The group used ProtonMail-themed decoys, PHP redirectors on compromised sites, and a homemade JavaScript-based kit hosted on domains such as simleasip[.]org to capture credentials. #Calisto #ReportersWithoutBorders