COLDRIVER BAITSWITCH and SIMPLEFIX ClickFix malware chain
Malware Activity
Summary
COLDRIVER (aka Star Blizzard/UNC4057/Callisto) has shifted from LOSTKEYS to rapidly changing NOROBOT/YESROBOT/MAYBEROBOT tooling in a ClickFix-style campaign, using fake “I am not a robot” CAPTCHA lures to make targets run a malicious DLL through rundll32.exe. Google Threat Intelligence Group says the tooling evolved from May through September 2025, with MAYBEROBOT and NOROBOT observed in attacks between June and September and a split-key delivery chain used to make the final payload harder to reconstruct. Zscaler identified NOROBOT as BAITSWITCH and MAYBEROBOT as SIMPLEFIX, aligning the new reporting with the same malware thread.
Related Happenings
LOTUSLITE evolved backdoor activity in India banking-sector targeting
Malware Activity
First: 22.04.2026 10:58
Last: 22.04.2026 10:58
Sources 1
About this happening:
An **evolved LOTUSLITE** backdoor is now being deployed with **remote shell**, **file operations**, **session management**, and **data exfiltration** capabilities, extending an **...
Venom Stealer MaaS continuous credential theft and exfiltration
Malware Activity
First: 01.04.2026 16:30
Last: 01.04.2026 16:30
Sources 1
About this happening:
The **Venom Stealer** **malware-as-a-service** platform has been identified as a **credential-theft** threat that keeps exfiltrating data after infection, extending the window for...
Torg Grabber browser-extension theft activity
Malware Activity
First: 25.03.2026 20:32
Last: 25.03.2026 20:32
Sources 1
About this happening:
The **Torg Grabber** infostealer is actively stealing data from **850 browser extensions**, including **728 cryptocurrency wallet extensions**, which raises the risk of account ta...
LeakNet ClickFix compromised-website targeting campaign
Campaign
First: 17.03.2026 16:34
Last: 17.03.2026 16:34
Sources 1
About this happening:
The **LeakNet** ransomware operation has shifted to **ClickFix** delivery through **compromised websites**, broadening its initial access playbook and making compromise harder to...
ClickFix MacSync social-engineering campaign targeting macOS users
Campaign
First: 16.03.2026 13:41
Last: 16.03.2026 13:41
Sources 1
About this happening:
A **ClickFix** campaign is using **fake Cloudflare CAPTCHA verification challenges**, **embedded video tutorials**, and **automatic OS detection** to trick victims into pasting an...
Timeline
26.09.2025 15:45 · 4 articles
COLDRIVER ClickFix campaign deploys BAITSWITCH and SIMPLEFIX
Initial Disclosure
COLDRIVER ran a new ClickFix-style campaign against civil society-linked targets that used a fake CAPTCHA pretext to make a victim run a malicious DLL via the Windows Run dialog. The chain then contacted captchanom[.]top to fetch BAITSWITCH, downloaded the SIMPLEFIX PowerShell backdoor from southprovesolutions[.]com, presented a decoy document on Google Drive, stored encrypted payloads in the Windows Registry, and used PowerShell commands and binaries over C2 channels to support persistence and exfiltration.
Sources
- New COLDRIVER Malware Campaign Joins BO Team and Bearlyfy in Russia-Focused Cyberattacks — thehackernews.com — 26.09.2025 15:45
- Google Identifies Three New Russian Malware Families Created by COLDRIVER Hackers — thehackernews.com — 21.10.2025 10:29
- Russian hackers evolve malware pushed in "I am not a robot" captchas — www.bleepingcomputer.com — 21.10.2025 18:13