New Coldriver Malware Campaign joins BO Team and Bearlyfy in a Russian-focused cyberattack

September 28, 2025

The Russian advanced persistent threat (APT) group known as Coldriver has been attributed to a fresh ClickFix-style attack designed to deliver two new "lightweight" malware families tracked as Baitswitch and SimpleFix.

Zscaler ThreatLabz, which detected the new multi-stage ClickFix campaign earlier this month, described Baitswitch as a downloader that ultimately drops SimpleFix, a PowerShell backdoor.

Also tracked as Callisto, Star Blizzard and UNC4057, Coldriver is the moniker assigned to a Russia-linked threat actor known to have targeted a wide range of sectors since 2019.

The adversary's use of ClickFix tactics was previously documented by Google Threat Intelligence Group (GTIG) in May 2025: fake sites serve bogus CAPTCHA verification prompts that trick victims into running PowerShell commands designed to deliver the LostKeys Visual Basic Script malware.

"The ongoing use of ClickFix suggests that it is an effective infection vector, even if it is not innovative or technologically advanced," Zscaler security researchers Sudeep Singh and Yin Hong Chang said in a report released this week.

The latest attack chain follows the same playbook, tricking unsuspecting users into running a malicious DLL via the Windows Run dialog under the pretense of completing a CAPTCHA check. The DLL, Baitswitch, reaches out to an attacker-controlled domain ("captchanom(.)top") to fetch the SimpleFix backdoor, while a decoy document hosted on Google Drive is displayed to the victim.

It also makes several HTTP requests to the same server to send system information and to receive commands that establish persistence, store an encrypted payload in the Windows registry, download a PowerShell stager, and clear the most recent commands executed in the Run dialog, effectively erasing traces of the ClickFix lure that caused the infection.


The downloaded PowerShell stager then contacts an external server ("southprovesolutions(.)com") to retrieve SimpleFix, which establishes communication with the command-and-control (C2) server in order to run PowerShell scripts, commands, and binaries hosted at remote URLs.

One of the PowerShell scripts executed by SimpleFix exfiltrates files matching a hard-coded list of file types from a set of pre-configured directories. Both the directory list and the file-extension list overlap with those used by LostKeys.
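As an added, defender-side illustration (not code from Zscaler's report or from the malware), the following Python scans constructed, simplified process and registry events for the behaviours described above: an interpreter or rundll32 launched directly by explorer.exe as happens from the Run dialog, a DLL loaded from a user-writable path, encoded PowerShell, and tampering with the RunMRU key that holds Run-dialog history. The key=value event format and the sample lines are assumptions, not real telemetry.

```python
"""Flag ClickFix-style Run-dialog abuse in simplified endpoint events (constructed example)."""
import re

# Constructed sample events (not real telemetry); key=value pairs, quoted when they contain spaces.
SAMPLE_EVENTS = [
    r'type=process parent=explorer.exe image=rundll32.exe cmdline="rundll32.exe C:\Users\u\AppData\Local\Temp\x.dll,Start"',
    r'type=process parent=rundll32.exe image=powershell.exe cmdline="powershell.exe -nop -w hidden -enc aGVsbG8="',
    r'type=registry op=delete_value key="HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" value=a',
    r'type=process parent=explorer.exe image=notepad.exe cmdline="notepad.exe notes.txt"',
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
LOLBINS = {"rundll32.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "curl.exe"}
USER_WRITABLE = re.compile(r"\\(Temp|AppData|Downloads|Public)\\", re.IGNORECASE)
ENCODED_PS = re.compile(r"\s-(enc|e|encodedcommand)\s", re.IGNORECASE)


def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def classify(ev: dict) -> list:
    """Return human-readable findings for a single event (empty list if benign)."""
    findings = []
    if ev.get("type") == "process":
        image, parent = ev.get("image", "").lower(), ev.get("parent", "").lower()
        cmd = ev.get("cmdline", "")
        # Commands typed into the Run dialog are spawned as children of explorer.exe.
        if parent == "explorer.exe" and image in LOLBINS:
            findings.append("interpreter/LOLBin spawned directly by explorer.exe (Run dialog)")
        if image == "rundll32.exe" and USER_WRITABLE.search(cmd):
            findings.append("rundll32 loading a DLL from a user-writable path")
        if image in {"powershell.exe", "pwsh.exe"} and ENCODED_PS.search(cmd):
            findings.append("PowerShell launched with an encoded command")
    elif ev.get("type") == "registry":
        # RunMRU stores Run-dialog history; deleting or rewriting it hides the lure command.
        if ev.get("key", "").lower().endswith(r"\explorer\runmru") and ev.get("op") in {"delete_value", "set_value"}:
            findings.append("RunMRU tampering: Run-dialog history cleared (anti-forensics)")
    return findings


def scan(lines: list) -> list:
    """Return (index, findings) for every event that triggers at least one rule."""
    return [(i, classify(parse_event(line))) for i, line in enumerate(lines) if classify(parse_event(line))]


if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(why))
```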

"The Coldriver APT group is known for targeting NGO members, human rights defenders, think tanks in the western region, and individuals who have been exiled from and resident in Russia," Zscaler said. "The focus of this campaign is closely aligned with its victims, targeting members of civil society associated with Russia."

BO Team and Bearlyfy target Russia

The development comes as Kaspersky said in early September that a new phishing campaign targeting Russian companies, conducted by the BO Team group (aka Black Owl, Hoody Hyena, Lifting Zmiy), used a password-protected RAR archive to deliver a rewritten version of Brockendoor and an updated version of Zeronetkit.

Zeronetkit, a Golang backdoor, provides remote access to compromised hosts, with features to upload and download files, run commands via cmd.exe, and create TCP/IPv4 tunnels. The new version also adds support for downloading and running shellcode, updating the C2 communication interval, and modifying the C2 server list.

"Because Zeronetkit cannot independently persist on infected systems, the attackers use Brockendoor to copy the downloaded backdoor to startup," said the Russian cybersecurity vendor.

It also follows the emergence of a new group called Bearlyfy, which has used ransomware strains such as LockBit 3.0 and Babuk in attacks targeting Russia. As of August 2025, the group is estimated to have claimed at least 30 victims.

In one incident targeting a consulting firm, the attackers were observed weaponizing a vulnerable version of Bitrix for initial access and then escalating privileges using the Zerologon flaw. Another case observed in July is said to have been facilitated through an unknown partner.


"In the latest recorded attacks, the attackers demanded 80,000 euros in cryptocurrency, but in the first attacks the ransom was thousands of dollars," F6 researchers said. "On average, every fifth victim buys a decryptor from the attackers because of the relatively low ransom."

Bearlyfy is assessed to have been active since January 2025, and a deeper analysis of its tooling has revealed overlaps with a likely Ukrainian threat group called Phantomcore, with which its infrastructure also probably overlaps.

"Phantomcore implements the complex multi-stage attacks typical of APT campaigns," the company said. "Bearlyfy, on the other hand, uses a different model: targeted attacks focused on minimal preparation and immediate effect. Initial access is achieved through the use of external services and vulnerable applications. The main toolkits are intended for encryption, destruction, or data correction."
