The Russian advanced persistent threat (APT) group known as COLDRIVER has been attributed to a fresh round of ClickFix-style attacks designed to deliver two new “lightweight” malware families tracked as BAITSWITCH and SIMPLEFIX.
Zscaler ThreatLabz, which detected the new multi-stage ClickFix campaign earlier this month, described BAITSWITCH as a downloader that ultimately drops SIMPLEFIX, a PowerShell backdoor.
COLDRIVER, also tracked as Callisto, Star Blizzard, and UNC4057, is the moniker assigned to a Russia-linked threat actor that’s known to target a wide range of sectors since 2019. While early campaign waves were observed using spear-phishing lures to direct targets to credential harvesting pages, the group has been fleshing out its arsenal with custom tools like SPICA and LOSTKEYS, which underscores its technical sophistication.
The adversary’s use of ClickFix tactics was previously documented by the Google Threat Intelligence Group (GTIG) back in May 2025, using fake sites serving fake CAPTCHA verification prompts to trick the victim into executing a PowerShell command that’s designed to deliver the LOSTKEYS Visual Basic Script.
“The continued use of ClickFix suggests that it is an effective infection vector, even if it is neither novel nor technically advanced,” Zscaler security researchers Sudeep Singh and Yin Hong Chang said in a report published this week.
The latest attack chain follows the same modus operandi, tricking unsuspecting users into running a malicious DLL in the Windows Run dialog under the guise of completing a CAPTCHA check. The DLL, BAITSWITCH, reaches out to an attacker-controlled domain (“captchanom[.]top”) to fetch the SIMPLEFIX backdoor, while a decoy document hosted on Google Drive is presented to the victims.
It also makes several HTTP requests to the same server to send system information, receive commands to establish persistence, store encrypted payloads in the Windows Registry, download a PowerShell stager, clear the most recent command executed in the Run dialog, effectively erasing traces of the ClickFix attack that triggered the infection.
The downloaded PowerShell stager subsequently reaches out to an external server (“southprovesolutions[.]com”) to download SIMPLEFIX, which, in turn, establishes communication with a command-and-control (C2) server to run PowerShell scripts, commands, and binaries hosted on remote URLs.
One of the PowerShell scripts executed via SIMPLEFIX exfiltrates information about a hard-coded list of file types found in a pre-configured list of directories. The list of directories and file extensions scanned shares overlaps with that of LOSTKEYS.
“The COLDRIVER APT group is known for targeting members of NGOs, human right defenders, think tanks in Western regions, as well as individuals exiled from and residing in Russia,” Zscaler said. “The focus of this campaign closely aligns with their victimology, which targets members of civil society connected to Russia.”
BO Team and…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
