COLDRIVER Updates Arsenal with BAITSWITCH and SIMPLEFIX www.zscaler.com/blogs/sec…
In September 2025, Zscaler ThreatLabz discovered a new multi-stage ClickFix campaign potentially targeting members of Russian civil society. Based on multiple overlapping tactics, techniques, and procedures (TTPs), ThreatLabz attributes this campaign with moderate confidence to the Russia-linked advanced persistent threat (APT) group COLDRIVER. COLDRIVER (also known as Star Blizzard, Callisto, and UNC4057) is known to leverage social-engineering techniques to target NGOs, think tanks, journalists, and human rights defenders, both in Western countries and in Russia. Historically, the group's primary attack vector has been credential phishing. However, beginning in 2025, COLDRIVER added the ClickFix technique to its arsenal.
This blog provides a detailed technical analysis of the infection chain leading to the deployment of an undocumented downloader that we dubbed BAITSWITCH and a new PowerShell-based backdoor that we named SIMPLEFIX.