COLDRIVER APT Group Uses ClickFix Tactics to Deliver BAITSWITCH and SIMPLEFIX Malware
Summary
The COLDRIVER APT group has launched a new campaign using ClickFix tactics to deliver two new malware families, BAITSWITCH and SIMPLEFIX. The campaign targets individuals and organizations connected to Russia, including NGOs, human rights defenders, and think tanks. BAITSWITCH acts as a downloader for SIMPLEFIX, a PowerShell backdoor. The attack chain involves tricking victims into running a malicious DLL via a fake CAPTCHA check, leading to the deployment of the SIMPLEFIX backdoor. The malware exfiltrates specific file types and establishes communication with a command-and-control server. The campaign aligns with COLDRIVER's known victimology, focusing on civil society members connected to Russia. The group has been active since 2019, using spear-phishing and custom tools like SPICA and LOSTKEYS. The latest campaign demonstrates the group's continued use of effective infection vectors, despite their lack of technical sophistication.
Timeline
- 26.09.2025 15:45 · 1 article
COLDRIVER Launches New Campaign Using BAITSWITCH and SIMPLEFIX Malware
In September 2025, the COLDRIVER APT group launched a new campaign using ClickFix tactics to deliver BAITSWITCH and SIMPLEFIX malware. The campaign targets individuals and organizations connected to Russia, including NGOs, human rights defenders, and think tanks. The attack chain involves a fake CAPTCHA check to trick victims into running a malicious DLL, leading to the deployment of the SIMPLEFIX backdoor. The malware exfiltrates specific file types and establishes communication with a command-and-control server.
Sources:
- New COLDRIVER Malware Campaign Joins BO Team and Bearlyfy in Russia-Focused Cyberattacks — thehackernews.com — 26.09.2025 15:45
Information Snippets
- COLDRIVER, also known as Callisto, Star Blizzard, and UNC4057, is a Russia-linked threat actor active since 2019.
First reported: 26.09.2025 15:45 · 1 source, 1 article
Sources:
- New COLDRIVER Malware Campaign Joins BO Team and Bearlyfy in Russia-Focused Cyberattacks — thehackernews.com — 26.09.2025 15:45
- The new campaign uses ClickFix tactics to deliver BAITSWITCH and SIMPLEFIX malware.
First reported: 26.09.2025 15:45 · 1 source, 1 article
Sources:
- New COLDRIVER Malware Campaign Joins BO Team and Bearlyfy in Russia-Focused Cyberattacks — thehackernews.com — 26.09.2025 15:45
- BAITSWITCH is a downloader that fetches the SIMPLEFIX PowerShell backdoor.
First reported: 26.09.2025 15:45 · 1 source, 1 article
Sources:
- New COLDRIVER Malware Campaign Joins BO Team and Bearlyfy in Russia-Focused Cyberattacks — thehackernews.com — 26.09.2025 15:45
- The attack chain involves a fake CAPTCHA check to trick victims into running a malicious DLL.
First reported: 26.09.2025 15:45 · 1 source, 1 article
Sources:
- New COLDRIVER Malware Campaign Joins BO Team and Bearlyfy in Russia-Focused Cyberattacks — thehackernews.com — 26.09.2025 15:45
- SIMPLEFIX establishes communication with a command-and-control server to execute PowerShell scripts and commands.
First reported: 26.09.2025 15:45 · 1 source, 1 article
Sources:
- New COLDRIVER Malware Campaign Joins BO Team and Bearlyfy in Russia-Focused Cyberattacks — thehackernews.com — 26.09.2025 15:45
- The campaign targets members of NGOs, human rights defenders, think tanks, and individuals connected to Russia.
First reported: 26.09.2025 15:45 · 1 source, 1 article
Sources:
- New COLDRIVER Malware Campaign Joins BO Team and Bearlyfy in Russia-Focused Cyberattacks — thehackernews.com — 26.09.2025 15:45
- The malware exfiltrates specific file types from pre-configured directories, similar to the LOSTKEYS malware.
First reported: 26.09.2025 15:45 · 1 source, 1 article
Sources:
- New COLDRIVER Malware Campaign Joins BO Team and Bearlyfy in Russia-Focused Cyberattacks — thehackernews.com — 26.09.2025 15:45
Similar Happenings
UNC6384 Targets Diplomats with PlugX via Captive Portal Hijacks
UNC6384, a China-nexus threat actor, has been targeting diplomats in Southeast Asia and other entities globally to advance Beijing's strategic interests. The group employs a multi-stage attack chain leveraging advanced social engineering, valid code signing certificates, adversary-in-the-middle (AitM) attacks, and indirect execution techniques to evade detection. The campaign, detected in March 2025, uses captive portal redirections to deliver a PlugX variant called SOGU.SEC. The attacks involve redirecting web traffic through a captive portal to a threat actor-controlled website, downloading a digitally signed downloader (STATICPLUGIN), and deploying the SOGU.SEC backdoor in memory. The malware supports commands to exfiltrate files, log keystrokes, and launch remote command shells. The campaign highlights the sophistication of PRC-nexus threat actors and their evolving operational capabilities.

The campaign targeted around two dozen victims, primarily Southeast Asian diplomats, between March and July 2025. The attack chain involved compromised edge devices intercepting captive portal checks and redirecting users to a malicious website. The malicious website used a valid TLS/SSL certificate issued by Let's Encrypt to avoid browser security warnings. The first-stage malware, STATICPLUGIN, dropped a launcher called CANONSTAGER, which used unconventional techniques to hide its activities. The final payload was a variant of the PlugX backdoor, tracked by Google as SOGU.SEC.

In September 2025, new information revealed that the PlugX variant overlaps with the RainyDay and Turian backdoors, targeting telecommunications and manufacturing sectors in Central and South Asia. The campaign is linked to Mustang Panda, which also uses Bookworm malware. Bookworm has been used since 2015 and includes capabilities to execute commands, upload/download files, exfiltrate data, and establish persistent access.
Global Phishing Campaign Installs Multiple RATs via JavaScript Droppers
A rapidly spreading phishing campaign is targeting Windows users worldwide, stealing credentials and deploying various remote access trojans (RATs) using malicious JavaScript files. The campaign affects multiple sectors, including manufacturing, technology, healthcare, construction, and retail/hospitality. The attackers use personalized phishing pages and socially engineered scenarios to lure victims into downloading the malware. The campaign involves multiple stages, including an initial obfuscated script, a spoofed site, and the deployment of RATs such as PureHVNC, DCRat, and Babylon RAT. The attackers employ sophisticated techniques to evade detection and maintain long-term access to compromised networks. The campaign has been observed in countries including Austria, Belarus, Canada, Egypt, India, and Pakistan. The phishing emails use themes related to voicemail messages and purchases to deceive recipients into clicking on malicious links. The initial payload is a ZIP archive containing an obfuscated JavaScript file that acts as a dropper for UpCrypter, which functions as a conduit for various RATs. The malware uses steganography to embed the final payload within a harmless-looking image and includes anti-analysis and anti-virtual-machine checks to evade detection. The malware is executed without writing to the file system, minimizing forensic traces. The campaign is part of a larger trend in which threat actors abuse legitimate services for phishing attacks.

A new campaign impersonates Ukrainian government agencies to deliver CountLoader, which drops Amatera Stealer and PureMiner. The phishing emails contain malicious SVG files designed to trick recipients into opening harmful attachments. The SVG files initiate the download of a password-protected ZIP archive containing a CHM file, which activates CountLoader. CountLoader drops various payloads, including Cobalt Strike, AdaptixC2, and PureHVNC RAT, and in this case, Amatera Stealer and PureMiner. Amatera Stealer gathers system information, collects files, and harvests data from various applications and browsers.

A Vietnamese-speaking threat group uses phishing emails with copyright infringement notice themes to deploy PXA Stealer, which evolves into PureRAT. PureRAT is a modular, professionally developed backdoor that gives attackers complete control over a compromised host. The campaign demonstrates a progression from simple phishing lures to multi-layered infection sequences involving defense evasion and credential theft.