Calisto Spear-Phishing Activity Targeting NGOs and Ukraine-Aligned Entities
Calisto, a Russia-nexus intrusion set linked to the FSB’s Center 18, conducted renewed spear-phishing operations against multiple organizations, including a confirmed attempt against Reporters Without Borders. The activity reflects Calisto’s established mission set: credential theft and targeted collection against NGOs, government entities, and individuals aligned with Ukraine or critical of Russian state interests. The operators continued their hallmark impersonation tradecraft, using ProtonMail accounts styled as trusted contacts and delivering staged email sequences that prompt victims to request a “missing” or “resend” document. Follow-on messages delivered links to redirectors hosted on compromised websites, ultimately routing victims to a phishing kit impersonating Proton’s authentication flow. Further analysis revealed a custom phishing kit capable of Adversary-in-the-Middle interception, modified JavaScript injection, and real-time credential relay, enabling the operators to capture login details and potentially bypass multi-factor authentication. Calisto leveraged a distributed infrastructure of redirectors and API endpoints, with domain registration patterns and server behavior consistent with historical campaigns dating back to 2022. The group’s operational cadence demonstrates a continued investment in bespoke phishing tooling rather than adopting commodity frameworks, reinforcing their focus on stealth, credibility, and selective targeting. NGOs, researchers, and government partners supporting Ukraine remain high-priority targets and should anticipate sustained Calisto activity throughout 2025. Enforce strong phishing-resistant MFA, block newly registered and suspicious domains, monitor for redirector-style traffic patterns, and alert on Proton-themed authentication pages reached via atypical referral paths.
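An added detection example, not code from the report or from any vendor, that applies the last two mitigations above to constructed proxy log lines: it flags Proton-themed login pages on hosts that are not Proton properties when the referer is not a Proton property or the request immediately follows a 3xx answered by another host for the same user. The log format, host names and the look-alike pattern are assumptions.

```python
import re

# Constructed proxy log lines (time user host path referer status); sample data, not from the report.
LOG_LINES = """\
10:01:02 alice account.proton.me /login https://mail.proton.me/ 200
10:02:15 bob compromised-blog.example /wp-content/go.php https://mail.google.com/ 302
10:02:16 bob pr0ton-secure-login.example /auth/login https://compromised-blog.example/wp-content/go.php 200
10:05:40 carol account.proton.me /login - 200
"""

# Domains where a Proton-branded login page is legitimate; any other Proton-themed host is suspect.
PROTON_OFFICIAL = ("proton.me", "protonmail.com")
PROTON_THEME_RE = re.compile(r"pr[o0]t[o0]n", re.I)   # assumed look-alike pattern
AUTH_PATH_RE = re.compile(r"/(login|auth|signin)", re.I)


def is_official(host):
    return any(host == d or host.endswith("." + d) for d in PROTON_OFFICIAL)


def parse(line):
    t, user, host, path, ref, status = line.split()
    return {"time": t, "user": user, "host": host.lower(), "path": path,
            "referer": ref, "status": int(status)}


def referer_host(ref):
    m = re.match(r"https?://([^/]+)", ref)
    return m.group(1).lower() if m else None


def alerts(log_text):
    """Return (user, host, reasons) for Proton-themed auth pages reached via atypical paths."""
    out = []
    last_redirector = {}  # user -> most recent host that answered with a 3xx
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse(line)
        if 300 <= e["status"] < 400:
            last_redirector[e["user"]] = e["host"]
        themed = PROTON_THEME_RE.search(e["host"]) and not is_official(e["host"])
        if not (themed and AUTH_PATH_RE.search(e["path"])):
            continue
        ref = referer_host(e["referer"])
        reasons = []
        if ref is None or not is_official(ref):
            reasons.append(f"referer {ref or 'none'} is not a Proton property")
        if ref and last_redirector.get(e["user"]) == ref:
            reasons.append(f"arrived via redirect from {ref}")
        out.append((e["user"], e["host"], reasons))
    return out
```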
ClayRat Android Spyware Expands Capabilities Through Accessibility Abuse and Device-Level Control
Researchers have identified a new ClayRat Android spyware variant that significantly expands the capabilities first observed in earlier versions of the malware. While previous strains relied primarily on SMS permissions for data theft, this updated version integrates full Accessibility Service abuse to achieve device takeover, including keylogging, lock-screen credential capture, automated unlocks, and programmatic UI manipulation. ClayRat can now record the screen using MediaProjection, deploy persistent overlays that simulate system updates, and interfere with user attempts to power down the device or uninstall the application. The malware also introduces advanced notification manipulation, enabling both fake credential-harvesting prompts and collection of sensitive replies from legitimate apps. Distribution remains broad and flexible, leveraging phishing pages and third-party hosting platforms, with more than seven hundred distinct APKs observed in rapid succession. Once installed, ClayRat establishes a persistent control channel capable of issuing a wide range of commands that mirror the behavior of remote-access tools, including camera activation, call initiation, SMS harvesting, mass messaging, screen streaming, and real-time UI event interception. The spyware’s lock-screen harvesting routine allows operators to reconstruct PIN, pattern, or password inputs, enabling device unlocks without user awareness and supporting long-term device monitoring. For mitigation, organizations should enforce mobile threat defense on all managed and BYOD devices, block sideloaded applications, monitor for abnormal Accessibility Service usage, and implement per-app protections against overlays, screen capture, and notification abuse to disrupt ClayRat’s full-device control model.
Update: CastleRAT Expands Surveillance, Privilege Abuse, and Modular C2 Capabilities
CastleRAT is a dual-build Remote Access Trojan with both Python and C variants that support broad surveillance, data collection, and remote command execution for intrusion operators. The C variant is significantly more capable, using RC4-encrypted C2 traffic, clipboard theft, keylogging via SetWindowsHookEx, browser session hijacking, media device enumeration, and full-screen capture to exfiltrate sensitive information. The malware establishes persistence through scheduled tasks, loads additional modules via rundll32, and retrieves configuration or C2 direction from dead-drop resolvers hosted on public platforms. Its architecture enables attackers to harvest credentials, monitor user activity, and deploy follow-on payloads such as DLL plugins, making it a flexible foothold for espionage, financial theft, or long-term post-compromise operations. Beyond its collection capabilities, CastleRAT incorporates several stealth and privilege-abuse methods that complicate detection and containment. The RAT executes remote shell sessions through anonymous pipes, bypasses UAC by leveraging privileged Windows services and duplicating privileged handles, and mimics legitimate Python or Java components to obscure its internal state. Its ability to mute and relaunch browsers, intercept clipboard contents, and dynamically load modules indicates ongoing development toward deeper user impersonation and interactive post-exploitation. These behaviors, combined with encrypted traffic and modular functionality, reflect a maturing toolset aligned with threat actors seeking persistent, covert control over Windows environments. Mitigation should prioritize endpoint monitoring for anomalous browser flags, rundll32 ordinal execution, RC4-like traffic patterns, privileged handle duplication, unexpected scheduled tasks, and processes spawning under ComputerDefaults.exe.
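An added example, not code from the report, that turns four of the endpoint monitoring points above into rules run over constructed Sysmon-style process-creation events: rundll32 called with an ordinal export, any child of ComputerDefaults.exe, a browser launched with unusual flags, and a scheduled task whose action lives in a user-writable path. The event fields, the specific browser flags and the path patterns are assumptions.

```python
import re

# Constructed process-creation events in Sysmon Event ID 1 style; sample data, not from the report.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Public\upd.dll,#1",
     "parent": r"C:\Users\Public\svc.exe"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c whoami",
     "parent": r"C:\Windows\System32\ComputerDefaults.exe"},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"chrome.exe" --remote-debugging-port=9222 --mute-audio',
     "parent": r"C:\Users\Public\svc.exe"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /sc minute /mo 5 /tn Updater /tr C:\Users\Public\svc.exe",
     "parent": r"C:\Users\Public\svc.exe"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL",   # benign: named export
     "parent": r"C:\Windows\explorer.exe"},
]

# rundll32 invoked with an ordinal (#N) export instead of a named one
ORDINAL_RE = re.compile(r"rundll32(?:\.exe)?\s+\S+\.dll\s*,\s*#\d+", re.I)
BROWSER_RE = re.compile(r"(chrome|msedge|firefox)\.exe", re.I)
# Assumed examples of anomalous browser flags; the report names no specific flags.
SUSPICIOUS_FLAGS = ("--remote-debugging-port", "--mute-audio", "--headless")
TASK_CREATE_RE = re.compile(r"schtasks(?:\.exe)?\s+/create\b", re.I)
USER_WRITABLE_RE = re.compile(r"\\users\\public\\|\\appdata\\|\\temp\\", re.I)


def evaluate(event):
    """Return the names of the detection rules this event triggers."""
    hits = []
    cmd = event["cmdline"]
    if ORDINAL_RE.search(cmd):
        hits.append("rundll32_ordinal_export")
    if event["parent"].lower().endswith("computerdefaults.exe"):
        hits.append("child_of_computerdefaults")
    if BROWSER_RE.search(event["image"]) and any(f in cmd.lower() for f in SUSPICIOUS_FLAGS):
        hits.append("anomalous_browser_flags")
    if TASK_CREATE_RE.search(cmd) and USER_WRITABLE_RE.search(cmd):
        hits.append("scheduled_task_from_user_writable_path")
    return hits


def scan(events):
    """Return (index, rule hits) for every event that triggers at least one rule."""
    return [(i, evaluate(e)) for i, e in enumerate(events) if evaluate(e)]
```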
Top CVEs of the Week
As part of our ongoing vulnerability monitoring, the following CVEs highlight recent security issues that could affect a range of systems, applications, and devices. These findings reflect the constantly evolving threat landscape and reinforce the importance of timely patching, secure configurations, and proactive security practices. Below is a summary of notable vulnerabilities, including their impact and any available remediation guidance.