BAITSWITCH and SIMPLEFIX Malware
The Russian advanced persistent threat (APT) group known as COLDRIVER launched a fresh round of ClickFix-style attacks, delivering two new “lightweight” malware families tracked as BAITSWITCH and SIMPLEFIX.
Earlier this month, Zscaler ThreatLabz detected the new multi-stage ClickFix campaign. The team described BAITSWITCH as a downloader that ultimately drops SIMPLEFIX, a PowerShell backdoor.
COLDRIVER, also tracked as Callisto, Star Blizzard, and UNC4057, represents a Russia-linked threat actor that has targeted a wide range of sectors since 2019. Initially, the group relied on spear-phishing lures to redirect targets to credential-harvesting pages. Over time, however, it expanded its arsenal with custom tools such as SPICA and LOSTKEYS, which demonstrates its technical sophistication.
Previously, the Google Threat Intelligence Group (GTIG) documented COLDRIVER’s use of ClickFix tactics in May 2025. During those attacks, the adversary set up fake sites with fake CAPTCHA verification prompts that tricked victims into executing a PowerShell command designed to deliver the LOSTKEYS Visual Basic Script.
“The continued use of ClickFix suggests that it is an effective infection vector, even if it is neither novel nor technically advanced,” Zscaler security researchers Sudeep Singh and Yin Hong Chang said in a report published this week.
How it works
In the latest campaign, COLDRIVER follows the same modus operandi by tricking unsuspecting users into running a malicious DLL in the Windows Run dialog under the guise of completing a CAPTCHA check. BAITSWITCH, the DLL, then connects to an attacker-controlled domain (“captchanom[.]top”) to fetch the SIMPLEFIX backdoor. At the same time, victims receive a decoy document hosted on Google Drive.
Moreover, the malware issues several HTTP requests to the same server to transmit system information, receive commands that establish persistence, store encrypted payloads in the Windows Registry, download a PowerShell stager, and clear the most recent command executed in the Run dialog. These steps effectively erase traces of the ClickFix attack that triggered the infection.
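The Run-dialog launch and the later wiping of the Run history described above leave a recognisable pattern in endpoint telemetry. The following detection logic is an added example (not code from Zscaler or from the campaign): it walks a stream of constructed Sysmon-style events and assumes that a command typed into Win+R is recorded under the RunMRU registry key and that the resulting process is a child of explorer.exe; the paths, SIDs and file names in the sample events are invented.

```python
import ntpath
import re

# Run-dialog history key (HKCU\...\Explorer\RunMRU); Sysmon logs it under HKU\<SID>.
RUNMRU = r"\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
LOLBIN = re.compile(r"\b(rundll32|powershell|pwsh|mshta)(\.exe)?\b", re.I)
HIDDEN = re.compile(r"-(w|windowstyle)\s+hidden|-enc(odedcommand)?\b", re.I)

# Constructed sample events (Sysmon IDs: 1 = process create, 12 = registry
# object create/delete, 13 = registry value set). Not real telemetry.
SAMPLE_EVENTS = [
    {"id": 13, "target": r"HKU\S-1-5-21-1-2-3-1001" + RUNMRU + r"\a",
     "details": r"rundll32.exe C:\Users\u\AppData\Local\Temp\verify.dll,Check\1"},
    {"id": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe C:\Users\u\AppData\Local\Temp\verify.dll,Check"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -enc SQBFAFgA"},
    {"id": 12, "event": "DeleteValue",
     "target": r"HKU\S-1-5-21-1-2-3-1001" + RUNMRU + r"\a"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},  # benign
]

def classify(ev):
    """Return the detection tags that fire for a single event (empty if benign)."""
    tags = []
    if ev["id"] == 1:
        exe = ntpath.basename(ev["image"])
        if LOLBIN.fullmatch(exe) and ntpath.basename(ev["parent"]).lower() == "explorer.exe":
            tags.append("runbox_lolbin")            # LOLBin started from the Run dialog
        if HIDDEN.search(ev["cmdline"]):
            tags.append("hidden_or_encoded_powershell")
    elif ev["id"] == 13 and RUNMRU.lower() in ev["target"].lower() \
            and LOLBIN.search(ev["details"]):
        tags.append("runmru_lolbin_entry")          # LOLBin command typed into Win+R
    elif ev["id"] == 12 and ev.get("event") == "DeleteValue" \
            and RUNMRU.lower() in ev["target"].lower():
        tags.append("runmru_value_deleted")         # Run history wiped (anti-forensics)
    return tags

def triage(events):
    """Map each tag to the indices of the events that raised it; add 'clickfix_chain'
    when a Run-dialog LOLBin launch is followed by deletion of the RunMRU entry."""
    hits = {}
    for i, ev in enumerate(events):
        for tag in classify(ev):
            hits.setdefault(tag, []).append(i)
    if {"runbox_lolbin", "runmru_value_deleted"} <= set(hits):
        hits["clickfix_chain"] = hits["runbox_lolbin"] + hits["runmru_value_deleted"]
    return hits
```

On the sample stream the isolated tags are weak signals on their own; the combined `clickfix_chain` finding is what should page an analyst.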
Next, the downloaded PowerShell stager contacts an external server (“southprovesolutions[.]com”) to download SIMPLEFIX. This backdoor then establishes communication with a command-and-control (C2) server and executes PowerShell scripts, commands, and binaries hosted on remote URLs.
Additionally, one of the PowerShell scripts executed via SIMPLEFIX exfiltrates information about a hard-coded list of file types stored in pre-configured directories. This list of directories and file extensions overlaps with those targeted by LOSTKEYS.
“The COLDRIVER APT group is known for targeting members of NGOs, human rights defenders, think tanks in Western regions, as well as individuals exiled from and residing in Russia,” Zscaler said. “The focus of this campaign closely aligns with their victimology, which targets members of civil society connected to Russia.”
BO Team and Bearlyfy Target Russia
The development comes as Kaspersky reported observing a new phishing campaign in early September that targeted Russian companies. The BO Team group (also known as Black Owl, Hoody Hyena, and Lifting Zmiy) carried out the attacks using password-protected RAR archives to deliver a new version of BrockenDoor rewritten in C# and an updated version of ZeronetKit.
ZeronetKit, a Golang backdoor, includes capabilities that allow attackers to remotely access compromised hosts, upload and download files, execute commands using cmd.exe, and create a TCP/IPv4 tunnel. Some newer versions also add support for downloading and executing shellcode, updating the communication interval with the C2 server, and modifying the C2 server list.
“ZeronetKit is unable to independently persist on an infected system, so attackers use BrockenDoor to copy the downloaded backdoor to startup,” the Russian cybersecurity vendor said.
Meanwhile, another development involves the emergence of a new group called Bearlyfy. This group has deployed ransomware strains such as LockBit 3.0 and Babuk in attacks against Russia. Initially, Bearlyfy focused on smaller companies for smaller ransoms, but since April 2025, it has escalated to targeting larger firms in the country, according to F6. By August 2025, the group is estimated to have compromised at least 30 victims.
In one incident against a consulting company, the threat actors weaponized a vulnerable version of Bitrix for initial access and then used the Zerologon flaw to escalate privileges. In another attack observed in July, the group gained initial access through an unnamed partner company.
“In the most recent recorded attack, the attackers demanded €80,000 in cryptocurrency, while in the first attack, the ransom was several thousand dollars,” F6 researchers said. “Due to the relatively low ransom amounts, on average, every fifth victim buys decryptors from the attackers.”
Researchers assess that Bearlyfy has been active since January 2025. A deeper analysis of its tools revealed infrastructure overlaps with a likely pro-Ukrainian threat group called PhantomCore, which has a record of targeting Russian and Belarusian companies since 2022. Despite the similarities, experts believe Bearlyfy operates as an autonomous entity.
“PhantomCore implements complex, multi-stage attacks typical of APT campaigns,” the company said. “Bearlyfy, on the other hand, uses a different model: attacks with minimal preparation and a targeted focus on achieving an immediate effect. Initial access is achieved through exploitation of external services and vulnerable applications. The primary toolkit is aimed at encryption, destruction, or modification of data.”
Source: TheHackerNews