The Russian cyber espionage group COLDRIVER is adding the ClickFix attack method to its arsenal. The Zscaler ThreatLabz team discovered two new malware families, BAITSWITCH and SIMPLEFIX, which the group uses to selectively spread malware. This development shows that advanced threat actors continue to adapt to new techniques to reach their targets.
COLDRIVER, also known as Star Blizzard, Callisto, and UNC4057, is known for targeting NGOs, think tanks, journalists, and human rights activists. The group previously focused primarily on phishing to steal credentials. Zscaler has now discovered that it has expanded its tactics to include ClickFix campaigns.
The attack chain uses two new lightweight malware families. BAITSWITCH acts as a downloader, while SIMPLEFIX works as a PowerShell backdoor. The group uses server-side controls to decide who receives the malicious code, based on the visitor's user agent and machine characteristics. This selective delivery makes the attacks more targeted and harder to detect.
Strategic targets
Based on its research, Zscaler attributes this campaign with high confidence to COLDRIVER, a Russian state-sponsored threat group. The attacks target individuals with strong connections within organizations that are strategically important to Russia.
By compromising these individuals, the group also attempts to further penetrate their networks through targeted phishing campaigns. This fits into the broader pattern of state-sponsored cyber operations targeting specific sectors and communities.
Protection against the attacks
Due to the heavy use of deception and false online identities, Singh advises organizations to always verify the authenticity of contacts through reliable, independent channels. In addition, it is essential to use phishing-resistant multi-factor authentication, such as FIDO2 or WebAuthn.
Basic measures remain effective against these types of threats. Enforcing least privilege access and using tools such as Windows AppLocker or App Control to block scripts and binary files help organizations defend themselves. Technologies such as Zscaler Browser Isolation can restrict clipboard interactions and user actions on untrusted websites, providing an additional layer of protection.
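As an added illustration of the AppLocker advice above (this is example code written for this article, not Zscaler's or ThreatLabz's own tooling), the script below builds a minimal AppLocker script-rule collection that lets standard users run scripts only from the Windows and Program Files directories, keeps full script execution for local administrators, dry-runs the policy against a constructed file in a user-writable folder, and only then merges it into local policy. The policy file location and the test script path are assumptions chosen for the example.

```powershell
# Added example, not from the original article or from Zscaler's research.
# Assumptions: we may write a temporary policy file under $env:TEMP and a
# throwaway test script under the current user's Downloads folder.
$policyPath = Join-Path $env:TEMP 'applocker-scripts.xml'

# Well-known SIDs: Everyone (S-1-1-0) and BUILTIN\Administrators (S-1-5-32-544).
# %WINDIR% and %PROGRAMFILES% are AppLocker path variables, not shell variables.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Script" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow scripts in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow scripts in Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Administrators may run any script" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: a script dropped into a user-writable location (where lure-delivered
# code typically lands) should be denied for a standard user before we enforce.
$sampleScript = Join-Path $env:USERPROFILE 'Downloads\constructed-test.ps1'   # constructed test file
Set-Content -Path $sampleScript -Value 'Write-Host "constructed test script"'

$decision = Test-AppLockerPolicy -XmlPolicy $policyPath -Path $sampleScript -User 'Everyone'
$decision | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

if ($decision.PolicyDecision -ne 'Allowed') {
    # Merge rather than overwrite, so existing rule collections (EXE, DLL, MSI) survive.
    # Requires an elevated session and the Application Identity service (AppIDSvc).
    Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
    Write-Host "Script rules merged into local AppLocker policy."
} else {
    Write-Warning "Dry run allowed the test script; review the rules before enforcing."
}

Remove-Item -Path $sampleScript -ErrorAction SilentlyContinue
```

The dry run with Test-AppLockerPolicy is the important step: AppLocker denies anything that matches no allow rule, so a mistake in the path rules can lock users out of legitimate scripts. Enforcing script rules also has a useful side effect for this campaign's PowerShell-based tooling: once AppLocker enforces script rules, Windows PowerShell runs code from untrusted locations in Constrained Language mode, which limits what a pasted or downloaded command can do even when it is never saved to disk.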