Updates Arsenal with BAITSWITCH and SIMPLEFIX

Sept. 24, 2025, 8:07 p.m.

Description

A new multi-stage ClickFix campaign, attributed to the Russia-linked APT group COLDRIVER, has been discovered targeting members of Russian civil society. The campaign uses social engineering to trick users into executing malicious commands themselves, leading to the deployment of two new malware families: BAITSWITCH (a downloader) and SIMPLEFIX (a PowerShell-based backdoor). The attack chain involves a fake Cloudflare Turnstile checkbox, establishment of persistence, and data exfiltration. COLDRIVER's tactics include server-side checks, obfuscation techniques, and targeting of specific file types for intelligence collection. The group's focus on NGOs, human rights defenders, and Russian exiles aligns with its known victimology.

Date

  • Created: Sept. 24, 2025, 3:56 p.m.
  • Published: Sept. 24, 2025, 3:56 p.m.
  • Modified: Sept. 24, 2025, 8:07 p.m.

Attack Patterns

  • COLDRIVER

Additional Information

  • NGO
  • Government
  • Russian Federation