
COLDWASTREL: A New and Evolving Threat to Civil Society in Eastern Europe

August 18, 2024
A look into a new threat actor that has surfaced, what they do, and who they target.

by Kade Morton (CEO)
Introduction

COLDWASTREL

In the ever-evolving landscape of cyber threats, a new actor has surfaced, targeting civil society organisations in Eastern Europe and international NGOs working within the region.

This actor, dubbed COLDWASTREL by researchers at Access Now and Citizen Lab, has been active between October 2022 and August 2024, orchestrating highly targeted spear-phishing campaigns.

The Emergence of COLDWASTREL

The first signs of COLDWASTREL’s activities were detected in March 2023, when Access Now’s Helpline received reports from a prominent Russian civil society organisation. The attacks were marked by their use of Proton Mail email addresses to impersonate individuals familiar to the victims, with the aim of deceiving them into revealing sensitive information. The attackers employed a method of slightly modifying one character in the email addresses to create a credible yet deceptive impersonation. For example, they would replace “s” with “c” before “k,” which not only mimics the phonetics but also bears a strong resemblance visually, making the fake address difficult to detect.

The Tactics and Techniques of COLDWASTREL

COLDWASTREL’s campaigns have been characterised by their attention to detail. The phishing emails often contained PDF attachments that appeared to be locked, with a link provided to “unlock” them. However, following the link led victims to fake login pages designed to harvest their credentials, including passwords and two-factor authentication codes. This tactic was designed to mimic everyday scenarios faced by the targeted organisations, particularly those involved in defending human rights, making the attacks more plausible.

The threat actor demonstrated familiarity with the regional context and the work of the targeted organisations. They crafted emails that referenced activities highly relevant to the victims, such as funding and grant proposals, further enhancing the credibility of the phishing attempts. The metadata from the malicious PDFs suggested the use of Russian language settings and time zones, though this alone is not definitive proof of the attackers’ origins.

Infrastructure and Campaign Evolution

Throughout 2023, COLDWASTREL refined their tactics. They began using fake domains and mail servers to impersonate real organisations, including the victims’ actual partners and acquaintances. The attackers continued to employ their one-character change method, which made the attacks harder to detect and more convincing. The domain used in these attacks, protondrive[.]online, differed significantly from those seen in previous campaigns by another known actor, COLDRIVER, suggesting a distinct and separate threat actor.
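A defender-side check for the one-character impersonation described above (both the Proton Mail addresses that mimic a contact's name and the later lookalike domains). This is an added example written for this post, not tooling from Access Now, Citizen Lab or Arachne Digital; the contact list and the domains in it are constructed sample values.

```python
# Added example: flag a sender address that is one edit away from a known
# contact, on either the local part (e.g. "s" -> "c" before "k") or the domain.
from typing import Optional

# Constructed sample contact list; a real deployment would build this from the
# organisation's address book or prior mail history.
KNOWN_CONTACTS = {
    "anna.kowalski@example.org",
    "grants@partner-ngo.example",
}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: substitution, insertion, deletion
    and adjacent transposition each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_of(sender: str, contacts=KNOWN_CONTACTS) -> Optional[tuple[str, str]]:
    """Return (known_contact, reason) when `sender` is a near miss of a trusted
    address; None when it is exact or clearly unrelated."""
    sender = sender.strip().lower()
    if sender in contacts:
        return None
    s_local, _, s_domain = sender.rpartition("@")
    for contact in sorted(contacts):
        c_local, _, c_domain = contact.rpartition("@")
        local_d = osa_distance(s_local, c_local)
        domain_d = osa_distance(s_domain, c_domain)
        if s_domain == c_domain and local_d == 1:
            return contact, "one-character change in local part"
        if s_local == c_local and domain_d == 1:
            return contact, "one-character change in domain"
        if local_d <= 1 and s_domain != c_domain:
            return contact, "known contact name reused at another domain"
    return None
```

Run it over inbound `From:` headers at the mail gateway or in a SIEM rule; a hit is a review prompt, not proof of compromise, since genuine contacts do change providers.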

COLDRIVER has a number of aliases, including Callisto, Calisto, Callisto Group, Blue Callisto, Reuse Team, SEABORGIUM, now tracked as Star Blizzard, Dancing Salome, and has at least partial overlap with TAG-53. Confusingly, Secureworks state that COBALT EDGEWATER, an Iranian group, has an alias of Cold River, but COLDRIVER and its various aliases, when traced back, are attributed to Center 18 of the Federal Security Service of the Russian Federation, the FSB.

Access Now and Citizen Lab have been monitoring COLDWASTREL’s activities and have identified additional infrastructure used in the campaigns. Notably, all pre-2024 COLDWASTREL PDFs contained links to the same domain, further distinguishing their operations from those of COLDRIVER.

Potential Attribution and Future Implications

While the evidence points to a possible alignment with Russian interests, COLDWASTREL’s true affiliations remain unclear. The attacks have predominantly targeted organisations involved in human rights work across Russia, Ukraine, and the broader Eastern European region — areas of significant interest to the Kremlin. However, without definitive proof, the attribution of these attacks remains cautious.

As the cyber threat landscape continues to evolve, the emergence of actors like COLDWASTREL highlights the persistent and adaptive nature of threats facing civil society organisations. At Arachne Digital, we will continue to monitor developments in this space and provide updates as further information comes to light.
