Cyber Web Spider Blog – News
New COLDRIVER Malware Campaign Joins BO Team and Bearlyfy in Russia-Focused Cyberattacks

Posted on September 26, 2025 by CWS

The Russian advanced persistent threat (APT) group known as COLDRIVER has been attributed to a fresh round of ClickFix-style attacks designed to deliver two new "lightweight" malware families tracked as BAITSWITCH and SIMPLEFIX.
Zscaler ThreatLabz, which detected the new multi-stage ClickFix campaign earlier this month, described BAITSWITCH as a downloader that ultimately drops SIMPLEFIX, a PowerShell backdoor.
COLDRIVER, also tracked as Callisto, Star Blizzard, and UNC4057, is the moniker assigned to a Russia-linked threat actor that has been known to target a wide range of sectors since 2019. While early campaign waves were observed using spear-phishing lures to direct targets to credential-harvesting pages, the group has been fleshing out its arsenal with custom tools like SPICA and LOSTKEYS, which underscores its technical sophistication.
The adversary's use of ClickFix tactics was previously documented by the Google Threat Intelligence Group (GTIG) in May 2025: fake sites served fake CAPTCHA verification prompts to trick the victim into executing a PowerShell command designed to deliver the LOSTKEYS Visual Basic Script.

"The continued use of ClickFix suggests that it is an effective infection vector, even if it is neither novel nor technically advanced," Zscaler security researchers Sudeep Singh and Yin Hong Chang said in a report published this week.
The latest attack chain follows the same modus operandi, tricking unsuspecting users into running a malicious DLL from the Windows Run dialog under the guise of completing a CAPTCHA check. The DLL, BAITSWITCH, reaches out to an attacker-controlled domain ("captchanom[.]top") to fetch the SIMPLEFIX backdoor, while a decoy document hosted on Google Drive is presented to the victim.
It also makes several HTTP requests to the same server to send system information, receive commands to establish persistence, store encrypted payloads in the Windows Registry, fetch a PowerShell stager, and clear the most recent command executed in the Run dialog, effectively erasing traces of the ClickFix attack that triggered the infection.
The downloaded PowerShell stager subsequently reaches out to an external server ("southprovesolutions[.]com") to retrieve SIMPLEFIX, which in turn establishes communication with a command-and-control (C2) server to run PowerShell scripts, commands, and binaries hosted on remote URLs.
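A hunting routine for the BAITSWITCH chain described above, written as an added example (it is not Zscaler's code or anything from the article): it runs three checks over constructed Sysmon-style process, DNS and registry records, and it assumes the Run-dialog DLL is loaded through rundll32, which the article does not state.

```python
# Domains named in the article (defanged there with "[.]"), refanged for matching.
C2_DOMAINS = {d.replace("[.]", ".") for d in ("captchanom[.]top", "southprovesolutions[.]com")}
RUNMRU = r"\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

# Constructed Sysmon-style records (not real telemetry); the SID is made up, and one benign
# explorer.exe child plus explorer's own routine RunMRU write are mixed in as negatives.
HIVE = r"HKU\S-1-5-21-1111-2222-3333-1001"
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Windows\explorer.exe",
     "cmd": r"rundll32 C:\Users\u\AppData\Local\Temp\captcha.dll,Start"},
    {"id": 22, "image": r"C:\Windows\System32\rundll32.exe", "query": "captchanom.top"},
    {"id": 12, "image": r"C:\Windows\System32\rundll32.exe", "type": "DeleteValue",
     "target": HIVE + RUNMRU + r"\a"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe",
     "cmd": "notepad.exe"},
    {"id": 13, "image": r"C:\Windows\explorer.exe", "type": "SetValue",
     "target": HIVE + RUNMRU + r"\MRUList"},
]

def base(path):
    return path.rsplit("\\", 1)[-1].lower()

def run_dialog_dll(ev):
    # Run-dialog launches are children of explorer.exe. Assumption: the malicious DLL is
    # loaded through rundll32 (the article does not name the host binary); a DLL outside
    # the Windows directory is the suspicious part, not rundll32 itself.
    if ev.get("id") != 1 or base(ev.get("parent", "")) != "explorer.exe":
        return False
    if base(ev.get("image", "")) != "rundll32.exe":
        return False
    return "c:\\windows\\" not in ev.get("cmd", "").lower()

def c2_lookup(ev):
    # Sysmon 22 (DNS query) or 3 (network connection) naming either article domain.
    host = (ev.get("query") or ev.get("dest_host") or "").lower()
    return ev.get("id") in (3, 22) and host in C2_DOMAINS

def runmru_tamper(ev):
    # Sysmon 12/13 on RunMRU from anything other than explorer.exe, the only process that
    # normally maintains Run-dialog history; BAITSWITCH clears the last entry from there.
    if ev.get("id") not in (12, 13):
        return False
    return RUNMRU.lower() in ev.get("target", "").lower() and base(ev.get("image", "")) != "explorer.exe"

RULES = {"run_dialog_dll": run_dialog_dll, "c2_lookup": c2_lookup, "runmru_tamper": runmru_tamper}

def hunt(events):
    """Return (rule_name, event_index) pairs for every event some rule matches."""
    return [(name, i) for i, ev in enumerate(events) for name, rule in RULES.items() if rule(ev)]
```

Feed real Sysmon records mapped to the same field names into hunt(); any hit on the registry rule should be triaged before the Run history is gone.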

One of the PowerShell scripts executed via SIMPLEFIX exfiltrates information about a hard-coded list of file types found in a pre-configured list of directories. The list of directories and file extensions scanned overlaps with that of LOSTKEYS.
"The COLDRIVER APT group is known for targeting members of NGOs, human rights defenders, think tanks in Western regions, as well as individuals exiled from and residing in Russia," Zscaler said. "The focus of this campaign closely aligns with their victimology, which targets members of civil society associated with Russia."
BO Team and Bearlyfy Target Russia
The development comes as Kaspersky said it observed a new phishing campaign targeting Russian companies in early September, undertaken by the BO Team group (aka Black Owl, Hoody Hyena, and Lifting Zmiy), that used password-protected RAR archives to deliver a new version of BrockenDoor rewritten in C# and an updated version of ZeronetKit.
ZeronetKit, a Golang backdoor, comes fitted with capabilities to support remote access to compromised hosts, upload and download files, execute commands using cmd.exe, and create a TCP/IPv4 tunnel. Select newer versions also add support for downloading and running shellcode, as well as for updating the C2 communication interval and modifying the C2 server list.
"ZeronetKit is unable to independently persist on an infected system, so attackers use BrockenDoor to copy the downloaded backdoor to startup," the Russian cybersecurity vendor said.
It also follows the emergence of a new group called Bearlyfy that has used ransomware strains like LockBit 3.0 and Babuk in attacks targeting Russia, initially hitting smaller companies for smaller ransoms before graduating to bigger businesses in the country starting April 2025, according to F6. As of August 2025, the group is estimated to have claimed at least 30 victims.

In one incident targeting a consulting company, the threat actors were observed weaponizing a vulnerable version of Bitrix for initial access, followed by using the Zerologon flaw to escalate privileges. In another case observed in July, initial access is said to have been facilitated through an unnamed partner company.
"In the latest recorded attack, the attackers demanded €80,000 in cryptocurrency, while in the first attack, the ransom was several thousand dollars," F6 researchers said. "Due to the relatively low ransom amounts, on average, every fifth victim buys decryptors from the attackers."
Bearlyfy is assessed to have been active since January 2025, and a deeper analysis of its tools uncovered infrastructure overlaps with a likely pro-Ukrainian threat group called PhantomCore, which has a track record of targeting Russian and Belarusian companies since 2022. Despite these similarities, Bearlyfy is believed to be an autonomous entity.
"PhantomCore implements complex, multi-stage attacks typical of APT campaigns," the company said. "Bearlyfy, on the other hand, uses a different model: attacks with minimal preparation and a targeted focus on achieving an immediate effect. Initial access is achieved through exploitation of external services and vulnerable applications. The primary toolkit is aimed at encryption, destruction, or modification of data."

Source: The Hacker News. Tags: Bearlyfy, Campaign, COLDRIVER, Cyberattacks, Joins, Malware, RussiaFocused, Team
