Threat Actor Profile

Gossamer Bear Profile

Gossamer Bear, also known as Callisto, SEABORGIUM, TA446, and other aliases, is a sophisticated Advanced Persistent Threat (APT) group linked to Russia. Emerging in recent years, this group primarily conducts cyber-espionage operations, employing tactics such as credential harvesting, phishing, and leak campaigns. Affiliated with the Russian Federal Security Service (FSB), Gossamer Bear targets geopolitical entities, defense sectors, and NATO states.

Country of Origin

Gossamer Bear is strongly associated with Russia. Reports link its actions to the Russian Federal Security Service (FSB), particularly through a unit known as Center 18. Due to its methodology and targets, it is classified as a Russian state-sponsored actor.

Members

The precise size and structure of Gossamer Bear are not publicly documented. Available assessments point to a dedicated team of operators with access to significant resources and expertise in cyber operations. Their use of custom tools, such as the Spica backdoor, highlights their capabilities.

Leadership

The names or identities of Gossamer Bear’s leadership remain unknown. However, its activities suggest a well-coordinated and resourceful organizational structure, likely supported by Russian intelligence services.

Gossamer Bear TTPs

Tactics

Gossamer Bear’s primary goal is cyber-espionage. Its operations revolve around gathering sensitive information, compromising credentials, influencing geopolitical discourse, and leveraging data leaks in support of Russia’s strategic objectives.

Techniques

The group utilizes spear-phishing emails impersonating trusted entities to steal credentials. Social engineering and domain similarity tricks are hallmarks of their approach. They also upload compromised or stolen information to pro-Russia platforms to influence narratives.

Procedures

Their procedures include hack-and-leak operations, establishing command-and-control (C2) infrastructure through legitimate or compromised websites (e.g., WordPress), and deploying bespoke malware such as Spica. Recent campaigns have featured impersonation on social media and the targeting of high-profile entities.

Notable Cyberattacks

Recent attacks from 2023–2024 have been marked by intensive credential theft campaigns targeting NGOs, diplomats, and military figures in NATO states and Ukraine. The group has also been linked to disruptive leak campaigns that weaponize stolen data in support of pro-Russia narratives.

Law Enforcement & Arrests

While specific arrests tied to Gossamer Bear's operators have not been reported, several proactive measures have been taken. These include domain seizures by U.S. authorities and Microsoft's actions to disrupt command-and-control infrastructure linked to their campaigns.

How to Defend Against Gossamer Bear

1. Harden Credentials & Identity Management

Enforce strong multi-factor authentication (MFA), preferably phishing-resistant.

Regularly monitor for compromised credentials on breach alert platforms.

2. Phishing & Social Engineering Awareness

Educate employees to recognize phishing emails and verify sender identities.

Conduct simulated phishing campaigns to enhance defensive readiness.

3. Domain & Infrastructure Monitoring

Track suspicious or spoofed domains resembling your organization.

Watch for unauthorized activities on legitimate content management systems.

4. Threat Intelligence Collaboration

Leverage threat intelligence feeds to stay updated on Gossamer Bear’s evolving techniques.

Share detected threats with peers to bolster collective defenses.
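The domain-monitoring step above, as an added example that is not code from Huntress or from this profile: a small Python check that decodes punycode labels and folds common character substitutions before comparing candidate domains against an organization's own. The org domain example.com, the substitution table and the candidate list are constructed samples; in practice the candidates would come from a newly-registered-domain or certificate-transparency feed.

```python
# Added example (not from the Huntress profile): flag newly seen domains that
# resemble an organization's own. Org domains and candidates are constructed.
import unicodedata

# Character substitutions common in lookalike domains (constructed, not exhaustive).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}

def stem(domain: str) -> str:
    """Lower-cased host minus its last label, with punycode (xn--) labels decoded."""
    try:
        domain = domain.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode or not valid punycode: compare it as given
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[:-1]) if len(labels) > 1 else labels[0]

def normalize(text: str) -> str:
    """Canonical ASCII form so visually similar spellings compare equal."""
    s = unicodedata.normalize("NFKD", text.lower()).encode("ascii", "ignore").decode()
    for bad, good in CONFUSABLES.items():
        s = s.replace(bad, good)
    return s.replace("-", "")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute) using one rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_findings(candidates, org_domains):
    """Return (candidate, org_domain, reason) for each candidate resembling an org domain."""
    findings = []
    for cand in candidates:
        for org in org_domains:
            c, o = cand.lower(), org.lower()
            if c == o or c.endswith("." + o):
                continue  # the organization's own domain or one of its subdomains
            c_norm, o_norm = normalize(stem(c)), normalize(stem(o))
            if c_norm == o_norm:
                findings.append((cand, org, "homoglyph-or-tld"))  # exarnple.com, example.co
            elif len(o_norm) >= 4 and o_norm in c_norm:
                findings.append((cand, org, "embeds-brand"))      # example-login.com
            elif edit_distance(c_norm, o_norm) <= 1:
                findings.append((cand, org, "near-miss"))         # exampl.com
    return findings
```

Transpositions such as exmaple.com score 2 under plain Levenshtein and are not flagged here; a Damerau variant or a longer threshold catches them at the cost of more noise.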
