{ "type": "Domain", "indicator": "layoutdatatype.org", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/layoutdatatype.org", "alexa": "http://www.alexa.com/siteinfo/layoutdatatype.org", "indicator": "layoutdatatype.org", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4023633140, "indicator": "layoutdatatype.org", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "695ccc8544f275a44d96bd7b", "name": "French NGO Reporters Without Borders targeted by Calisto in recent campaign", "description": "", "modified": "2026-01-06T08:49:09.529000", "created": "2026-01-06T08:49:09.529000", "tags": [ "calisto", "protonmail", "javascript", "borders", "ukraine", "javascript code", "june", "ngos", "aitm", "namecheap", "april", "gamaredon", "evilginx", "anomaly", "iocs known", "mstic" ], "references": [ "https://blog.sekoia.io/ngo-reporters-without-borders-targeted-by-calisto-in-recent-campaign/" ], "public": 1, "adversary": "", "targeted_countries": [ "Ukraine" ], "malware_families": [ { "id": "Calisto", "display_name": "Calisto", "target": null } ], "attack_ids": [ { "id": "T1056.003", "name": "Web Portal Capture", "display_name": "T1056.003 - Web Portal Capture" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" } ], "industries": [ "Military", "Defense" ], "TLP": "green", "cloned_from": "693417b3b78f8baed9c055c0", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6, "domain": 90, "hostname": 3 }, "indicator_count": 99, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "147 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "693417b3b78f8baed9c055c0", "name": "French NGO Reporters Without Borders targeted by Calisto in recent campaign", "description": "In May and June 2025, the intrusion set known as Calisto, also referred to as ColdRiver or Star Blizzard, targeted the French NGO Reporters Without Borders (RSF) through a series of spear phishing attempts. This campaign aligns with Calisto's established tactics, techniques, and procedures (TTPs), primarily involving credential harvesting and potential code execution through methods like the ClickFix technique. These attacks specifically aim at entities supporting Ukraine, indicating the actor's ongoing interest in politically motivated targets.\n\nThe operation against Reporters Without Borders began in March 2025 when the NGO reported a suspicious phishing email received by one of its core members. The email originated from a ProtonMail address designed to mimic a trusted contact, soliciting a review of a non-existent document.", "modified": "2026-01-05T11:00:06.923000", "created": "2025-12-06T11:46:59.940000", "tags": [ "calisto", "protonmail", "javascript", "borders", "ukraine", "javascript code", "june", "ngos", "aitm", "namecheap", "april", "gamaredon", "evilginx", "anomaly", "iocs known", "mstic" ], "references": [ "https://blog.sekoia.io/ngo-reporters-without-borders-targeted-by-calisto-in-recent-campaign/" ], "public": 1, "adversary": "", "targeted_countries": [ "Ukraine" ], "malware_families": [ { "id": "Calisto", "display_name": "Calisto", "target": null } ], "attack_ids": [ { "id": "T1056.003", "name": "Web Portal Capture", "display_name": "T1056.003 - Web Portal Capture" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" } ], "industries": [ "Military", "Defense" ], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6, "domain": 90, "hostname": 3 }, "indicator_count": 99, "is_author": false, "is_subscribing": null, "subscriber_count": 543, "modified_text": "148 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://blog.sekoia.io/ngo-reporters-without-borders-targeted-by-calisto-in-recent-campaign/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Calisto" ], "industries": [ "Military", "Defense" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "695ccc8544f275a44d96bd7b", "name": "French NGO Reporters Without Borders targeted by Calisto in recent campaign", "description": "", "modified": "2026-01-06T08:49:09.529000", "created": "2026-01-06T08:49:09.529000", "tags": [ "calisto", "protonmail", "javascript", "borders", "ukraine", "javascript code", "june", "ngos", "aitm", "namecheap", "april", "gamaredon", "evilginx", "anomaly", "iocs known", "mstic" ], "references": [ "https://blog.sekoia.io/ngo-reporters-without-borders-targeted-by-calisto-in-recent-campaign/" ], "public": 1, "adversary": "", "targeted_countries": [ "Ukraine" ], "malware_families": [ { "id": "Calisto", "display_name": "Calisto", "target": null } ], "attack_ids": [ { "id": "T1056.003", "name": "Web Portal Capture", "display_name": "T1056.003 - Web Portal Capture" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" } ], "industries": [ "Military", "Defense" ], "TLP": "green", "cloned_from": "693417b3b78f8baed9c055c0", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6, "domain": 90, "hostname": 3 }, "indicator_count": 99, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "147 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "693417b3b78f8baed9c055c0", "name": "French NGO Reporters Without Borders targeted by Calisto in recent campaign", "description": "In May and June 2025, the intrusion set known as Calisto, also referred to as ColdRiver or Star Blizzard, targeted the French NGO Reporters Without Borders (RSF) through a series of spear phishing attempts. This campaign aligns with Calisto's established tactics, techniques, and procedures (TTPs), primarily involving credential harvesting and potential code execution through methods like the ClickFix technique. These attacks specifically aim at entities supporting Ukraine, indicating the actor's ongoing interest in politically motivated targets.\n\nThe operation against Reporters Without Borders began in March 2025 when the NGO reported a suspicious phishing email received by one of its core members. The email originated from a ProtonMail address designed to mimic a trusted contact, soliciting a review of a non-existent document.", "modified": "2026-01-05T11:00:06.923000", "created": "2025-12-06T11:46:59.940000", "tags": [ "calisto", "protonmail", "javascript", "borders", "ukraine", "javascript code", "june", "ngos", "aitm", "namecheap", "april", "gamaredon", "evilginx", "anomaly", "iocs known", "mstic" ], "references": [ "https://blog.sekoia.io/ngo-reporters-without-borders-targeted-by-calisto-in-recent-campaign/" ], "public": 1, "adversary": "", "targeted_countries": [ "Ukraine" ], "malware_families": [ { "id": "Calisto", "display_name": "Calisto", "target": null } ], "attack_ids": [ { "id": "T1056.003", "name": "Web Portal Capture", "display_name": "T1056.003 - Web Portal Capture" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" } ], "industries": [ "Military", "Defense" ], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6, "domain": 90, "hostname": 3 }, "indicator_count": 99, "is_author": false, "is_subscribing": null, "subscriber_count": 543, "modified_text": "148 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "layoutdatatype.org", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "layoutdatatype.org", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780473822.409076 }