Close Menu
Cybercrime and Ransomware

New ColdDriver Malware Campaign Emerges in Russia-Focused Attacks

Staff WriterBy No Comments5 Mins Read6 Views

Fast Facts

  1. The Russian APT group COLDRIVER has launched new ClickFix-style attacks, deploying lightweight malware BAITSWITCH and SIMPLEFIX to deliver backdoors and establish persistence.
  2. These attacks manipulate victims into executing malicious DLLs disguised as CAPTCHA checks, which communicate with attacker-controlled servers to download payloads and erase traces of infection.
  3. Targeting primarily NGOs, human rights advocates, and civil society connected to Russia, COLDRIVER’s sophisticated tactics include data exfiltration, remote command execution, and complex C2 communications.
  4. Concurrently, Russian cybersecurity reports reveal new campaigns by BO Team and Bearlyfy, involving espionage tools and ransomware aimed at Russian companies, with Bearlyfy operating since early 2025 and linked to broader pro-Ukrainian efforts.

Problem Explained

The Russian-linked cyber espionage group known as COLDRIVER has recently launched a new wave of sophisticated cyberattacks utilizing a “ClickFix” tactic to infect targets with lightweight malware families called BAITSWITCH and SIMPLEFIX. These attacks involve tricking users into executing malicious DLL files disguised as CAPTCHA completion prompts in the Windows Run dialog, which then communicate with attacker-controlled servers to deliver the backdoors. The malware is designed to establish persistence, collect system information, and exfiltrate data, all while erasing traces of the intrusion. Reported by security researchers at Zscaler ThreatLabz, this campaign primarily targets civil society members connected to Russia, including NGOs and exiled individuals, reflecting COLDRIVER’s longstanding focus on Western organizations and Russia-related entities. The attack pattern, previously documented by Google Threat Intelligence, underscores the group’s technical evolution and persistent use of clever deception tools, confirming their ongoing intent to exploit weaknesses in user trust and digital infrastructure.

Meanwhile, other malicious actors are operating within the broader Russian cyber landscape, including the BO Team (aka Black Owl) deploying a C# version of the backdoor BrockenDoor and the newly active Bearlyfy group, which has been attacking Russian companies with ransomware like LockBit 3.0 and Babuk since early 2025. Bearlyfy’s tactics involve exploiting vulnerabilities such as Zerologon and vulnerable third-party applications to gain initial access, often demanding ransom payments that are modest but effective, with some victims purchasing decryption tools. These actors, some possibly aligned with or mimicking pro-Ukrainian groups, demonstrate a layered cyber conflict within Russia and its adversaries, with reports originating from cybersecurity firms like Kaspersky and F6 providing detailed insights into their operations and targets.

Potential Risks

Cyber risks associated with advanced persistent threat (APT) groups like Russia-linked COLDRIVER and others pose significant threats to global cybersecurity, especially targeting sectors such as NGOs, human rights groups, think tanks, and politically sensitive entities. These groups leverage sophisticated tactics, including ClickFix-style multi-stage malware campaigns deploying lightweight backdoors like BAITSWITCH and SIMPLEFIX, which exploit social engineering and technical vulnerabilities—such as fake CAPTCHA prompts and DLL injections—to establish persistent access, exfiltrate sensitive data, and maintain command-and-control communication with remote servers. Their operations, characterized by evolving toolsets like custom malware, spear-phishing, exploitation of vulnerabilities (e.g., Zerologon), and targeted ransomware attacks (e.g., LockBit, Babuk), culminate in grave consequences: data breaches, financial extortion, operational disruption, and erosion of trust. The campaign’s ability to adapt and incorporate stealthy techniques underscores the persistent and dynamic nature of cyber threats, emphasizing the urgent need for robust detection, proactive cybersecurity measures, and vigilant threat intelligence to safeguard national and organizational security.

Possible Action Plan

Prompted by the rapidly evolving landscape of cyber threats, timely remediation in the case of the ‘New COLDRIVER Malware Campaign Joins BO Team and Bearlyfy in Russia-Focused Cyberattacks’ is critically important to thwart widespread damage, prevent further breaches, and safeguard sensitive data. Swift action minimizes the window of vulnerability and curtails the campaign’s momentum, ultimately protecting organizational assets and maintaining trust.

Mitigation Strategies

  • Threat Detection and Analysis: Employ advanced threat hunting tools to identify indicators of compromise associated with the malware campaign.
  • Network Segmentation: Isolate affected segments of the network to contain the spread and prevent lateral movement.
  • Update and Patch: Ensure all systems and applications are up-to-date with the latest security patches to close known vulnerabilities.
  • Access Control: Enforce strict access controls and multi-factor authentication to limit attacker movement and reduce impact.
  • User Awareness: Educate staff about phishing tactics and suspicious activity to reduce the risk of initial infection.

Remediation Procedures

  • Malware Removal: Deploy specialized antivirus and anti-malware solutions to detect and eliminate the malware.
  • System Restoration: Reimage or restore affected systems from clean backups to ensure removal of malicious artifacts.
  • Log Analysis: Conduct comprehensive log reviews to assess the attack scope and identify compromised data or accounts.
  • Secure Communication: Notify relevant stakeholders and authorities, and review communication channels for compromise.
  • Post-Incident Review: Perform a detailed forensic analysis to understand the attack vector and update security policies accordingly.

Explore More Security Insights

Explore career growth and education via Careers & Learning, or dive into Compliance essentials.

Explore engineering-led approaches to digital security at IEEE Cybersecurity.

Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.

Cyberattacks-V1

Share.
Avatar photo

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.

Related Posts

Comments are closed.