A Russia-linked advanced persistent threat (APT) tracked as COLDRIVER has been tied to a fresh wave of targeted ClickFix-style attacks that deliver two new lightweight malware families—BAITSWITCH (a downloader) and SIMPLEFIX (a PowerShell backdoor). The campaign, detected by Zscaler ThreatLabz earlier this month, underscores how established attacker groups continue to refine social-engineering vectors while adding modular, evasive tooling to their arsenals.

ClickFix remains an effective infection vector

ClickFix attacks rely on convincing victims to perform innocuous-seeming actions in their browser—often masquerading as a CAPTCHA or verification step—that actually instruct the user’s machine to run commands (for example, via the Windows Run dialog). Despite being a low-complexity technique, ClickFix continues to yield results, and COLDRIVER has leaned into it again to push BAITSWITCH and SIMPLEFIX.

In the observed chain, victims are lured to a fake CAPTCHA page and tricked into launching a DLL via the Run dialog. That DLL (BAITSWITCH) reaches out to an attacker-controlled host to fetch an encrypted payload and a PowerShell stager, then writes encrypted blobs to the Registry and issues further network calls to establish persistence and clean up traces of the initial Run command. The PowerShell stager then downloads SIMPLEFIX, which connects to a command-and-control server to fetch and execute PowerShell scripts, commands and binaries hosted on remote URLs.

One of the SIMPLEFIX scripts enumerates files of interest across a preconfigured set of directories and exfiltrates them—behavior that overlaps with tooling previously attributed to COLDRIVER, such as the LOSTKEYS family.

Tooling and victimology

COLDRIVER (also observed under aliases like Callisto, Star Blizzard, and UNC4057) has been active since at least 2019 and is known for targeting a broad set of sectors—government, defense, aerospace, think tanks, NGOs and members of civil society, including exiles and activists connected to Russia. The latest campaign demonstrates the group’s continued use of both commodity offensive tools (Cobalt Strike, SparkRAT) and custom frameworks (Pantegana, SPICA, LOSTKEYS), combining social engineering with modular malware to limit detection and enable flexible follow-on operations.

Zscaler researchers highlight that COLDRIVER’s focus in this campaign aligns with its historic victimology: NGOs, human-rights defenders, think tanks and other civil-society actors with ties to Russia.

Related activity hitting Russia: BO Team and Bearlyfy

The wider threat landscape remains active and complex. In September, security vendors observed additional campaigns targeting Russian organizations:

• BO Team (aka Black Owl / Hoody Hyena / Lifting Zmiy) has been distributing password-protected RAR archives that drop a reworked BrockenDoor backdoor (now rewritten in C#) alongside updated ZeronetKit variants. ZeronetKit, a Go-based backdoor, enables remote access, file transfer, command execution and TCP tunneling; BrockenDoor is used to achieve persistence by copying the backdoor to startup paths.
• A newer actor dubbed Bearlyfy has deployed ransomware families including LockBit 3.0 and Babuk against Russian targets. Initially focusing on smaller ransoms against small companies, Bearlyfy has escalated to larger victims and ransom demands. Analysts note infrastructure overlaps between Bearlyfy and a pro-Ukrainian group called PhantomCore, though Bearlyfy appears to operate independently and favors fast, impact-driven operations—exploiting exposed services and vulnerable applications to gain initial access and then rapidly encrypt or destroy data.

Tactical takeaways

• Social-engineering primitives still win: Techniques like ClickFix are unsophisticated but effective. Attackers exploit user trust and browser behavior to bypass perimeter controls.
• Modularity increases survivability: Using small downloaders and staged PowerShell payloads minimizes disk footprint and leverages legitimate platform components, complicating detection and forensic analysis.
• Target profile matters: Civil-society actors, NGOs and exiles remain high-value targets for state-linked groups. Defense-in-depth must account for spear-phishing and browser-based vectors, not just network and endpoint protections.
• Patch and monitor edge services: Many campaigns begin with reconnaissance and exploitation of exposed services—prioritize hardening, patching and monitoring of externally facing applications and VPN/edge devices.
• Harden email and web channels: Preventing initial lure delivery (malicious links, booby-trapped attachments) and educating users about Run-dialog and clipboard-based attacks are critical mitigations.

Recommendations for defenders

• Deploy browser isolation and restrict the ability for untrusted web content to call local OS interfaces (e.g., programmatic launches of Run or PowerShell).
• Monitor for suspicious Registry writes and unusual PowerShell download/execution patterns—especially staged chains that store encrypted data in nonstandard locations.
• Apply least-privilege and segmentation to limit lateral movement from initial beachheads.
• Harden email gateways and block or sandbox uncommon attachment types (e.g., password-protected archives, obfuscated HTML/SVG content).
• Conduct targeted phishing simulations and training focused on the specific social-engineering techniques used in ClickFix-style lures.

COLDRIVER’s return to ClickFix delivery—paired with lightweight, staged malware—reminds defenders that attackers will combine simple user-facing tricks with modular backdoors to achieve persistence and data theft. Maintaining layered defenses across email, endpoint, browser and network controls, and prioritizing the protection of high-risk user groups, remains the best strategy to reduce exposure to these evolving campaigns.

Source: https://thehackernews.com/2025/09/new-coldriver-malware-campaign-joins-bo.html