Callisto APT: Russia’s Persistent Espionage Operator
ID: 5ca47647-6a4f-5cd3-be35-5edb6800a20e
STIX ID: report--5ca47647-6a4f-5cd3-be35-5edb6800a20e
Feed Name: Brandefense Blog
**Executive summary:** This report profiles the Russia-linked Callisto APT, an espionage-focused threat actor active since at least 2015 that targets governments, defense institutions, think tanks, NGOs, and academia—particularly NATO- and EU-aligned organizations. It documents Callisto's evolution toward cloud-focused operations (OAuth consent phishing, token theft), persistent credential harvesting, rapid infrastructure rotation, use of web shells and lightweight backdoors, and targeted exfiltration of high-value diplomatic and policy information, and provides mitigations such as phishing-resistant MFA, OAuth monitoring, web shell hunting, and least-privilege controls.
