French NGO Reporters Without Borders targeted by Calisto in recent campaign

Executive summary: This Sekoia TDR report documents active Calisto (ColdRiver) spear-phishing campaigns in 2025 targeting NGOs (including Reporters Without Borders), think tanks and Ukraine-supporting entities. The actor uses ProtonMail impersonation, ‘missing attachment’ or encrypted-PDF decoys redirected via compromised websites to an adversary-in-the-middle ProtonMail phishing kit that can capture credentials and 2FA; the report includes phishing-kit analysis, infrastructure details and a long list of redirector URLs and domains observed as IOCs.