COLDRIVER Campaign Delivers BAITSWITCH and SIMPLEFIX Malware
Summary
The Russian APT group COLDRIVER launched a new ClickFix-style campaign in September 2025, delivering two new malware families: BAITSWITCH and SIMPLEFIX. The campaign targets civil society members connected to Russia, including NGOs, human rights defenders, and think tanks. The attack chain tricks users into running a malicious DLL, leading to the deployment of SIMPLEFIX, a PowerShell backdoor. The malware exfiltrates information and establishes persistence on compromised systems. The development coincides with phishing campaigns by the BO Team and Bearlyfy, targeting Russian companies with new malware and ransomware strains.
Timeline
- 26.09.2025 15:45 (1 article)
COLDRIVER Launches New Campaign with BAITSWITCH and SIMPLEFIX Malware
In September 2025, COLDRIVER initiated a new ClickFix-style campaign delivering BAITSWITCH and SIMPLEFIX malware. The campaign targets civil society members connected to Russia, tricking users into running a malicious DLL that in turn executes the malware. SIMPLEFIX establishes communication with a C2 server to exfiltrate information and maintain persistence. The development coincides with phishing campaigns by the BO Team and Bearlyfy targeting Russian companies.
Sources
- New COLDRIVER Malware Campaign Joins BO Team and Bearlyfy in Russia-Focused Cyberattacks — thehackernews.com — 26.09.2025 15:45
Information Snippets
- COLDRIVER, also known as Callisto, Star Blizzard, and UNC4057, has been active since 2019, targeting various sectors with spear-phishing and custom malware. (First reported 26.09.2025 15:45; 1 source, 1 article.)
- The new campaign uses ClickFix tactics to deliver BAITSWITCH, a downloader, which then drops SIMPLEFIX, a PowerShell backdoor. (First reported 26.09.2025 15:45; 1 source, 1 article.)
- BAITSWITCH communicates with the domain 'captchanom[.]top' to fetch SIMPLEFIX and sends system information to the same server. (First reported 26.09.2025 15:45; 1 source, 1 article.)
- SIMPLEFIX establishes communication with a C2 server to run PowerShell scripts and commands, exfiltrating information from specific directories. (First reported 26.09.2025 15:45; 1 source, 1 article.)
- The campaign targets members of civil society connected to Russia, aligning with COLDRIVER's known victimology. (First reported 26.09.2025 15:45; 1 source, 1 article.)
- The BO Team group targeted Russian companies in early September 2025 using a new version of BrockenDoor and ZeronetKit. (First reported 26.09.2025 15:45; 1 source, 1 article.)
- ZeronetKit is a Golang backdoor with capabilities for remote access, file upload/download, command execution, and TCP/IPv4 tunneling. (First reported 26.09.2025 15:45; 1 source, 1 article.)
- Bearlyfy, active since January 2025, has targeted Russian companies with ransomware strains like LockBit 3.0 and Babuk, demanding ransoms ranging from thousands to €80,000. (First reported 26.09.2025 15:45; 1 source, 1 article.)
- Bearlyfy's infrastructure overlaps with the pro-Ukrainian group PhantomCore, but Bearlyfy operates autonomously with a focus on immediate effects. (First reported 26.09.2025 15:45; 1 source, 1 article.)