BlueCharlie Hacker Group Builds a 94-Domain Password Stealing Platform

Threat actors are evolving their techniques and tools at a rapid pace that is completely changing the current threat scenario.

BlueCharlie is a Russia-linked threat group that has been active since 2017 and associated with several other names like:-

EHA
  • Callisto
  • ColdRiver 
  • Star Blizzard
  • TA446

While this threat group, BlueCharlie (aka TAG-53), mainly focuses on espionage and leak operations.

Recently, researchers at Recorded Future linked 94 new domains from March 2023 to BlueCharlie, indicating infrastructure modifications in response to public disclosures.

BlueCharlie’s evolved TTPs and advanced infrastructure showcase adaptability to disclosures, enhancing operational security.

At the moment, their current targets are unknown, but their past targets are the following:-

  • Government
  • Defense
  • Education
  • Political sectors
  • NGOs
  • Journalists
  • Think tanks
Breakdown of terms used in BlueCharlie activity (Source – Recorded Future)

BlueCharlie Hacker Group New Infrastructure

Insikt Group notes BlueCharlie’s 94 new domains and changed TTPs, signifying evolution in response to industry disclosures, likely for phishing or credential harvesting.

Moreover, the Insikt Group has tracked BlueCharlie since Sep 2022, and since then, they have been witnessing multiple drastic TTP shifts.

Apart from this, major Shifts like these indicate the threat actors’ industry awareness and sophisticated obfuscation to prevent cybersecurity experts.

BlueCharlie adopts a new domain naming pattern with IT and crypto-related keywords like:-

  • cloudrootstorage[.]com
  • directexpressgateway[.]com
  • storagecryptogate[.]com
  • pdfsecxcloudroute[.]com

Out of 94 new domains, 78 were registered via NameCheap, and others are registered through the following registrar:-

  • Porkbun
  • Regway

Recommendations

Here below, we have mentioned all the recommendations offered by the security researchers:-

  • The network defenders should improve their phishing defenses.
  • Make sure to implement FIDO2-compliant multi-factor authentication.
  • Use threat intelligence and report.
  • Make sure to educate third-party vendors.
  • In Microsoft Office, make sure to disable macros by default.
  • Ensure to implement a frequent password reset policy.

Keep yourself informed about the latest Cyber Security News by following us on GoogleNews, Linkedin, Twitter, and Facebook.

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.