Cold River

Last Updated Apr 28, 2026

Also known as: Nahr Elbard, Nahr el bared, Cold River, Callisto, TA446, SEABORGIUM, Calisto, TAG-53, COLDRIVER

In short, “Cold River” is a sophisticated threat (actor) that utilizes DNS subdomain hijacking, certificate spoofing, and covert tunneled command and control traffic in combination with complex and convincing lure documents and custom implants.

🌍 Country Russia

📝 Last Updated Apr 28, 2026

Introduction

Activities and Tactics

Country of Origin: 🇷🇺 Russia

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

Russian APT Tool Matrix observations

Category	Observed tools
OffSec	EvilGinx

Attribution and Evidence

Country of Origin: Russia Additional attribution information pending cataloguing.

References

References pending cataloguing.

Source Attribution

Structured source: APT Groups & Operations Spreadsheet

Data sourced from MISP Galaxy threat-actor cluster (CC0 licensed)

Additional source provenance

APT Groups & Operations Dataset
misp galaxy Dataset
BushidoUK Russian APT Tool Matrix Tool observations were reviewed from the BushidoUK Russian APT Tool Matrix (https://github.com/BushidoUK/Russian-APT-Tool-Matrix). The matrix is used here as a secondary Russian APT tradecraft reference, not as sole attribution evidence. Repository Dataset

Source and license policy

🔍 Quick Filters

Top Countries

Risk Distribution

High

161

Critical

Low

Medium