Phishing attempt against Reporters Without Borders attributed to Russia-linked group
A Russia-aligned threat actor attempted to compromise the nonprofit Reporters Without Borders (RSF) in a recent phishing campaign, according to new research.
The hacking group — also known as Callisto, ColdRiver or Star Blizzard and previously linked by Western governments to Russia’s FSB security service — has been active since at least 2017 and is known for credential-harvesting operations against NGOs, government bodies and organizations supporting Ukraine.
According to cybersecurity firm Sekoia, one of RSF’s core members received a phishing email in March from a ProtonMail account impersonating a trusted contact. The message — written in French and using the correct email signature — asked the recipient to review a document but did not include an attachment, a tactic Callisto has used before to prompt targets to request a follow-up file.
When the RSF member asked for the missing document, the attacker replied in English with a link hosted on a compromised website. The link was designed to redirect the victim to a malicious PDF, but the file could not be retrieved after ProtonMail blocked the operator’s account, Sekoia said.
RSF, which provides support to reporters under threat and has helped Russian journalists flee the country, was labeled an “undesirable organization” by the Kremlin in August 2025 — a designation that effectively criminalizes its activity in Russia.
The organization has not publicly commented on the attempted intrusion or the hackers’ suspected motives.
Sekoia said another organization, which the researchers did not name, was targeted with a similar lure. In that case, the victim received a decoy PDF claiming the file was encrypted and instructing the user to open it via ProtonDrive. Clicking the link redirected the target to a phishing kit designed to harvest ProtonMail credentials.
The kit presented victims with a spoofed ProtonMail login page where the email address was pre-filled. Injected JavaScript forced the cursor to remain in the password field — a trick meant to increase the likelihood the target would enter their credentials.
Callisto is known for espionage campaigns against Western governments, defense contractors, research institutions and NGOs, with a particular focus on Eastern Europe and countries supporting Ukraine. Previous targets include NATO-linked organizations, a Ukrainian defense company and individuals with expertise on Russia.
Last September, for example, the U.S.-based Free Russia Foundation said it was investigating a breach after thousands of internal emails and documents — including grant reports and correspondence — were leaked online. The organization believes the intrusion was linked to Callisto, saying attackers compromised “a number of entities” to steal the data.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.



