COLDRIVER Updates Arsenal with BAITSWITCH and SIMPLEFIX
In September 2025, Zscaler ThreatLabz discovered a new multi-stage ClickFix campaign potentially targeting members of Russian civil society. Based on multiple overlapping tactics, techniques and procedures (TTPs), ThreatLabz attributes this campaign with moderate confidence to the Russia-linked advanced persistent threat (APT) group, COLDRIVER. COLDRIVER (also known as Star Blizzard, Callisto, and UNC4057) is a group known to leverage social-engineering techniques to target NGOs, think tanks, journalists, and human rights defenders, both in Western countries and in Russia.
Historically, the group's primary attack vector has been credential phishing. Beginning in 2025, however, COLDRIVER added the ClickFix technique to its arsenal.
Key Takeaways
- COLDRIVER is a Russia-linked APT group that has mainly targeted dissidents and their supporters through phishing campaigns.
- ThreatLabz discovered two new lightweight malware families used by the group: a downloader named BAITSWITCH, and a PowerShell backdoor named SIMPLEFIX.
- The continued use of ClickFix suggests that it is an effective infection vector, even if it is neither novel nor technically advanced.
- COLDRIVER remains active in targeting members of civil society, both in Western countries and in Russia.
- COLDRIVER employs server-side checks to selectively deliver malicious code based on the user-agent and characteristics of the infected machine.
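The server-side checks in the last point matter for analysts: a page retrieved with a scanner's or sandbox's user-agent may come back looking harmless. The Python below is an added example, not code from the report or from Zscaler; the function and profile names are assumed, and the "site" it queries is a constructed in-memory stand-in rather than real infrastructure. It requests the same URL under several client identities and flags the case where the server answers differently.

```python
import hashlib
import urllib.request
from typing import Callable, Dict

# Constructed client identities (assumption: the report gives no specific
# user-agent strings). One looks like a targeted Windows browser, the others
# like tools an analyst or sandbox might use to retrieve a page.
PROFILES: Dict[str, str] = {
    "windows_browser": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                       "(KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36",
    "linux_curl": "curl/8.4.0",
    "python_requests": "python-requests/2.32.0",
}

def fetch_live(url: str, user_agent: str, timeout: float = 10.0) -> bytes:
    """Retrieve `url` while claiming the given user-agent (run from an isolated analysis host)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()

def check_cloaking(url: str, fetch: Callable[[str, str], bytes],
                   profiles: Dict[str, str] = PROFILES) -> dict:
    """Fetch `url` once per profile and flag the server if the body depends on client identity.
    A True result is a hint, not proof: dynamic pages also differ for benign reasons
    (nonces, timestamps), so diff the bodies before drawing conclusions."""
    digests = {name: hashlib.sha256(fetch(url, ua)).hexdigest() for name, ua in profiles.items()}
    return {"url": url, "digests": digests, "cloaked": len(set(digests.values())) > 1}

# Constructed stand-in for a server: the first URL serves its lure only to a Windows
# browser and an innocuous page to everyone else; the second answers every client the same.
_FAKE_SITE = {
    "https://lure.example.test/verify": {
        "windows": b"<html><body>Verification required: follow the on-screen steps</body></html>",
        "other": b"<html><body>Welcome to our site</body></html>",
    },
    "https://decoy.example.test/": {
        "windows": b"<html><body>Static page</body></html>",
        "other": b"<html><body>Static page</body></html>",
    },
}

def fetch_fake(url: str, user_agent: str) -> bytes:
    """Offline fetcher with the same signature as fetch_live, backed by _FAKE_SITE."""
    variants = _FAKE_SITE[url]
    return variants["windows"] if "Windows NT" in user_agent else variants["other"]

if __name__ == "__main__":
    for site in _FAKE_SITE:
        result = check_cloaking(site, fetch_fake)
        print(result["url"], "cloaked" if result["cloaked"] else "consistent")
```

Swap `fetch_fake` for `fetch_live` to run the same comparison against a URL under investigation from an isolated analysis host.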
To read the complete article, see: Zscaler Blog.