Threat Actor TAG-53
Introduction
TAG-53 is a Russian threat actor that runs phishing campaigns posing as various defense, aerospace, and logistics companies. The infrastructure used by this threat actor also overlaps with the tactics, techniques, and procedures of Callisto Group, COLDRIVER, and SEABORGIUM. It has repeatedly reused many traits, such as specific domain registrars, Let's Encrypt TLS certificates, a small cluster of autonomous systems, and a specific stylistic structure.

Characteristics
TAG-53 originated in Russia, and its objectives and victimology align with the interests of Russia. It mainly targeted NATO countries such as the USA and UK, along with Ukraine after Russia's invasion in 2022. It has conducted phishing campaigns via Gmail accounts and attacked many non-governmental organizations, think tanks, and journalists, as well as government and defense officials. Having evolved over time, it has also started incorporating PDF or DOC file links hosted on Google Drive and Microsoft