The Russian advanced persistent threat (APT) group known as COLDRIVER has initiated a new series of cyberattacks employing ClickFix-style tactics to deploy two novel malware strains: BAITSWITCH and SIMPLEFIX. These developments highlight the group’s evolving strategies and continued focus on entities connected to Russia.
COLDRIVER’s Evolving Tactics
Active since 2019, COLDRIVER—also referred to as Callisto, Star Blizzard, and UNC4057—has a history of targeting a diverse range of sectors. Initially, the group utilized spear-phishing campaigns to direct victims to credential harvesting sites. Over time, they have expanded their toolkit to include custom malware such as SPICA and LOSTKEYS, demonstrating increased technical sophistication.
In May 2025, Google’s Threat Intelligence Group (GTIG) documented COLDRIVER’s use of ClickFix tactics. This method involves creating fake websites with counterfeit CAPTCHA verification prompts to deceive users into executing malicious PowerShell commands, leading to the deployment of the LOSTKEYS Visual Basic Script.
The Latest Attack Chain
The most recent campaign, identified by Zscaler ThreatLabz, follows a similar pattern. Unsuspecting users are tricked into running a malicious DLL file via the Windows Run dialog under the pretense of completing a CAPTCHA check. This DLL, named BAITSWITCH, connects to an attacker-controlled domain (captchanom[.]top) to download the SIMPLEFIX backdoor. Simultaneously, victims are presented with a decoy document hosted on Google Drive to maintain the illusion of legitimacy.
BAITSWITCH performs several actions to establish a foothold in the compromised system:
– Sends system information to the attacker’s server.
– Receives commands to establish persistence.
– Stores encrypted payloads in the Windows Registry.
– Downloads a PowerShell stager.
– Clears the most recent command executed in the Run dialog to erase traces of the attack.
The PowerShell stager then contacts an external server (southprovesolutions[.]com) to download SIMPLEFIX. This backdoor establishes communication with a command-and-control (C2) server, enabling the execution of PowerShell scripts, commands, and binaries hosted on remote URLs.
One of the PowerShell scripts executed via SIMPLEFIX exfiltrates information about specific file types found in predefined directories. The targeted directories and file extensions overlap with those associated with the LOSTKEYS malware, indicating a consistent focus on particular data types.
Targeted Entities
COLDRIVER is known for targeting members of non-governmental organizations (NGOs), human rights defenders, and think tanks in Western regions, as well as individuals exiled from and residing in Russia. The focus of this campaign aligns closely with their typical victimology, emphasizing entities connected to Russia.
BO Team and Bearlyfy’s Concurrent Activities
In a related development, Kaspersky observed a new phishing campaign targeting Russian companies in early September. This campaign was conducted by the BO Team group, also known as Black Owl, Hoody Hyena, and Lifting Zmiy. The attackers used password-protected RAR archives to deliver a new version of BrockenDoor, rewritten in C#, and an updated version of ZeronetKit.
ZeronetKit, a Golang backdoor, is equipped with capabilities to support remote access to compromised hosts, upload and download files, execute commands using cmd.exe, and create a TCP/IPv4 tunnel. Newer versions also support downloading and running shellcode, as well as updating the communication interval with the C2 server.
Implications and Recommendations
The continued use of ClickFix tactics by COLDRIVER suggests that this method remains an effective infection vector, despite its lack of novelty or technical complexity. The group’s ability to adapt and develop new malware strains like BAITSWITCH and SIMPLEFIX underscores the persistent threat they pose.
Organizations, especially those connected to Russia or involved in human rights and policy advocacy, should remain vigilant. Implementing robust cybersecurity measures, including regular system updates, employee training on phishing tactics, and the use of advanced threat detection systems, is crucial to mitigating the risks posed by such sophisticated threat actors.