Zscaler ThreatLabz has uncovered a new multi-stage ClickFix campaign attributed with moderate confidence to the Russia-linked advanced persistent threat (APT) group COLDRIVER. Also tracked as Star Blizzard, Callisto, and UNC4057, COLDRIVER is known for credential phishing operations against NGOs, think tanks, journalists, and human rights defenders. In this latest activity, the group expanded its toolkit with two new malware families: a downloader dubbed BAITSWITCH and a PowerShell-based backdoor named SIMPLEFIX.
The campaign begins with a ClickFix webpage masquerading as a resource for Russian civil society. According to ThreatLabz, “This webpage employs the ClickFix social-engineering attack method to trick users into executing a malicious command in the Windows Run dialog box by displaying a fake Cloudflare Turnstile checkbox.”
When clicked, JavaScript code copies a malicious command to the victim’s clipboard. Victims are then prompted to paste it into the Windows Run dialog, triggering execution of machinerie.dll (BAITSWITCH) via rundll32.exe. To maintain credibility, the site later redirects victims to a decoy Google Drive document crafted to appear legitimate.
BAITSWITCH acts as a downloader and persistence enabler. “BAITSWITCH (Machinerie.dll) is a downloader that establishes persistence and retrieves stager payloads to execute the SIMPLEFIX backdoor.” It communicates with a command-and-control (C2) server at captchanom[.]top, which only responds when requests use a hardcoded browser-like user-agent string.

Commands retrieved via BAITSWITCH include:
- Registry edits for persistence.
- Storage of encrypted payloads in the Windows Registry.
- Download of a PowerShell stager from southprovesolutions[.]com.
- Clearing of RunMRU registry keys to erase traces of execution.
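A defender-side check for the execution chain described above, as an added example that is not code from the Zscaler report: because BAITSWITCH wipes RunMRU, the durable evidence of a Run-dialog launch is process-creation telemetry, so the check looks for rundll32.exe loading a DLL from a user-writable path, with explorer.exe as parent. The log lines, the `Key=Value|Key=Value` field layout, the user-writable path list and the `,EntryPoint` export name are constructed assumptions for this example.

```python
import re
from typing import Dict, List, Optional

# Constructed Sysmon-style (Event ID 1) process-creation records for this example,
# not telemetry from the report. The first record models the chain described above:
# explorer.exe, which hosts the Run dialog, spawning rundll32.exe with a DLL from a
# user-writable path. ",EntryPoint" is a placeholder export name (not in the report).
SAMPLE_EVENTS = [
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\rundll32.exe"
    r"|CommandLine=rundll32.exe C:\Users\alice\AppData\Local\Temp\machinerie.dll,EntryPoint",
    r"ParentImage=C:\Windows\System32\svchost.exe|Image=C:\Windows\System32\rundll32.exe"
    r"|CommandLine=rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Program Files\Notepad++\notepad++.exe"
    r"|CommandLine=notepad++.exe notes.txt",
]

# Locations a standard user can write to (assumed list); rundll32 loading a DLL
# from one of them is unusual for legitimate software.
USER_WRITABLE = re.compile(
    r"(?i)\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)|programdata|temp)\\"
)
# First drive-letter path ending in .dll on the rundll32 command line.
DLL_ARG = re.compile(r"(?i)\s([a-z]:\\[^,\s]+\.dll)")


def parse_event(line: str) -> Dict[str, str]:
    """Split 'Key=Value|Key=Value' into a dict; values may contain backslashes."""
    return dict(field.split("=", 1) for field in line.split("|"))


def rundll32_finding(ev: Dict[str, str]) -> Optional[str]:
    """Return a reason string if the event matches the ClickFix rundll32 pattern."""
    if not ev.get("Image", "").lower().endswith("\\rundll32.exe"):
        return None
    m = DLL_ARG.search(ev.get("CommandLine", ""))
    if not m or not USER_WRITABLE.search(m.group(1)):
        return None
    reason = f"rundll32 loading DLL from user-writable path: {m.group(1)}"
    if ev.get("ParentImage", "").lower().endswith("\\explorer.exe"):
        reason += " (parent explorer.exe: consistent with a Run-dialog launch)"
    return reason


def scan(lines: List[str]) -> List[str]:
    """Run the check over raw log lines and return the reason for every hit."""
    hits = []
    for line in lines:
        reason = rundll32_finding(parse_event(line))
        if reason:
            hits.append(reason)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

The same parser and check can be pointed at exported Sysmon or Security 4688 events once the field names are mapped to `ParentImage`, `Image` and `CommandLine`.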
Once BAITSWITCH completes its work, the SIMPLEFIX backdoor is deployed. ThreatLabz describes it as “a PowerShell-based backdoor” that executes commands from its C2 every three minutes.
SIMPLEFIX supports several capabilities:
- Download and execute binaries from attacker infrastructure.
- Execute reconnaissance commands like whoami, ipconfig, and systeminfo.
- Exfiltrate documents with extensions .pdf, .doc, .xls, .txt, .zip, .rar, and .7z from directories like Documents, Desktop, Downloads, and OneDrive.
ThreatLabz notes that this closely resembles tactics used in COLDRIVER’s earlier LOSTKEYS VBScript malware, suggesting code reuse and consistent targeting priorities.
This campaign demonstrates COLDRIVER’s sustained focus on espionage. As Zscaler reports, “COLDRIVER remains active in targeting members of civil society, both in the Western regions and Russia.”
The victimology includes human rights defenders, journalists, educators, and civic activists, aligning with Moscow’s long-running objectives to monitor and undermine dissident communities.