COLDRIVER targets policy and critical infrastructure using BAITSWITCH-SIMPLEFIX chain


Threat Group – COLDRIVER
Threat Type – Espionage malware and social engineering
Exploited Vulnerabilities – User execution via ClickFix lure, abuse of rundll32, script execution and registry-based persistence (no CVEs assigned)
Malware Used – BAITSWITCH downloader, SIMPLEFIX PowerShell backdoor, LOSTKEYS VBS payload, SPICA backdoor
Threat Score – 8.2 🔴 High
Last Threat Observation – 25 September 2025


Overview

This advisory presents a comprehensive analysis of COLDRIVER’s recent operational evolution. Historically associated with credential phishing and session cookie theft, the actor has advanced to custom, multi-stage malware delivery that blends precise social engineering with fileless persistence. In 2025 we observe two technologically related tracks:

  • A September 2025 campaign anchored on the BAITSWITCH downloader and the SIMPLEFIX PowerShell backdoor, delivered through a ClickFix-style lure and executed via rundll32.
  • A January–April 2025 campaign culminating in the LOSTKEYS VBS payload that steals documents and device telemetry, preceded by anti-virtualisation checks and multi-stage decoding.

These developments reinforce a shift from broad identity theft toward targeted espionage with stronger operational security, environmental evasion, and forensic artefact minimisation.


Key Findings

  • New toolchain: COLDRIVER introduced BAITSWITCH (downloader) and SIMPLEFIX (PowerShell backdoor) alongside the previously documented LOSTKEYS and SPICA families.
  • Tighter tradecraft: Campaigns feature fileless persistence in the Windows registry, server-side traffic signalling keyed on a specific user-agent, anti-analysis checks, and deliberate clearing of RunMRU entries to hamper forensics.
  • Strategic targeting: Focus remains on NATO-aligned nations with confirmed emphasis on government, defence, think tanks, journalists and NGOs, plus increased interest in U.S. nuclear research and SCADA sectors. The intent exceeds passive espionage and raises the prospect of access preparation against critical infrastructure.
  • Delivery evolution: ClickFix-style pages impersonate security mechanisms such as Cloudflare Turnstile and manufacture a “quick fix” interaction that plants commands into the Windows Run dialog. This defeats many gateway-level protections by weaponising user action.

Top-Level Recommendations

  • Deploy EDR/MDR capable of rich telemetry on script hosts, registry changes, and rundll32 child processes; tune detections to this advisory’s TTPs.
  • Run targeted user education programs that specifically simulate ClickFix copy-paste flows into Win+R and teach refusal/verification behaviours.
  • Establish threat-hunting playbooks for RunMRU anomalies, UserInitMprLogonScript abuse, registry-resident payload blobs, and user-agent-gated C2.
  • Enforce egress filtering and protective DNS, continuously ingesting IoCs and newly observed infrastructure.
  • Move high-value users to phishing-resistant MFA and risk-adaptive access controls.

Threat Actor Profile

Aliases and Attribution

Also tracked as Star Blizzard, Callisto Group, SEABORGIUM, TA446, BlueCharlie, UNC4057, GOSSAMER BEAR, IRON FRONTIER, TAG-53. Broadly attributed to the Russian state with ties to the FSB. Public indictments and takedowns in recent years named individual operators and disrupted infrastructure. Normalise reporting across aliases to avoid intelligence gaps.

Motivation and Strategic Objectives

Primary objective is state-aligned intelligence collection. Targeting prioritises policy-relevant communities: government officials, defence and military personnel, diplomats, academics, NGOs, think tanks, and journalists. Recent reporting highlights interest in U.S. nuclear research laboratories and the SCADA ecosystem, indicating potential pre-positioning and risks beyond data theft.

Historical Context and Evolution of TTPs

Active since at least 2019, historically leveraging spear-phishing and EvilGinx-style cookie theft to bypass MFA. As identity defences matured, COLDRIVER adopted custom implants. SPICA signalled that pivot; in 2025, LOSTKEYS and the BAITSWITCH/SIMPLEFIX chain show maturation into multi-stage, environment-aware intrusion sets, with social engineering upgraded from document lures to ClickFix flows that exploit trust in security controls and OS prompts.


Technical Analysis of Recent Campaigns

BAITSWITCH and SIMPLEFIX campaign

Stage 1 – ClickFix social engineering
Victims are led to a lure page that impersonates a resource for exiled Russian civil society. The page mimics a Cloudflare Turnstile checkbox; on click, page script copies a rundll32 command to the clipboard and instructs the user to open the Run dialog (Win+R) and paste it. This:

  • Bypasses many email/web gateway controls by converting the browser into a manual execution channel.
  • Proxies execution through a signed Windows binary.
  • Clears RunMRU at the end to reduce forensic artefacts.

Stage 2 – BAITSWITCH downloader
A DLL (observed as machinerie.dll) retrieves later stages over HTTP gated on a specific user-agent string and establishes persistence by writing HKCU\Environment\UserInitMprLogonScript, so that a PowerShell stager runs at the next logon. Observed behaviour is a short sequence of HTTP requests across a primary and a fallback domain; the servers return benign content unless the request carries the expected user-agent.

Stage 3 – SIMPLEFIX PowerShell backdoor
Fileless PowerShell backdoor storing encrypted payloads/keys in benign-looking registry values (examples include EnthusiastMod and QatItems). Supports host discovery, data staging, and retrieval/launch of follow-on payloads. Shares obfuscation traits with the stagers to blend in endpoint telemetry.
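The three stages above leave a small, correlatable trail on the endpoint: rundll32 loading a DLL from a user-writable path, a write to UserInitMprLogonScript, a hidden-window PowerShell child of userinit.exe at the next logon, and a deletion under RunMRU. The following is an added detection example written for this advisory; it is not COLDRIVER tooling or vendor code. The events are constructed in a Sysmon-like shape, the DLL export name, file paths and parent-process relationships are assumptions (the advisory only gives machinerie.dll and FvFLcsr23.ps1), and the logic generalises beyond this one chain to any ClickFix-style rundll32 delivery.

```python
import re

# Paths a standard user can write to; a DLL handed to rundll32 from here is suspicious.
USER_WRITABLE = re.compile(r"(?i)(^[a-z]:\\users\\|\\appdata\\|\\temp\\|^[a-z]:\\programdata\\)")
HIDDEN_PS = re.compile(r"(?i)-(w|win|windowstyle)\s+hid")
RUNDLL_ARG = re.compile(r'(?i)rundll32(?:\.exe)?\s+"?([^," ]+\.dll)')
LOGON_SCRIPT_VALUE = r"hkcu\environment\userinitmprlogonscript"
RUNMRU = r"\explorer\runmru"

# Constructed sample telemetry (not real events). Export name ",EntryPoint" and paths are assumed.
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS01", "type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\machinerie.dll,EntryPoint"},
    {"id": 2, "host": "WS01", "type": "registry_set",
     "key": r"HKCU\Environment\UserInitMprLogonScript",
     "data": r"powershell.exe -w hidden -ep bypass -f C:\Users\alice\AppData\Roaming\FvFLcsr23.ps1"},
    {"id": 3, "host": "WS01", "type": "registry_delete",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a", "data": ""},
    {"id": 4, "host": "WS01", "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\userinit.exe",   # userinit.exe runs UserInitMprLogonScript
     "cmdline": r"powershell.exe -w hidden -ep bypass -f C:\Users\alice\AppData\Roaming\FvFLcsr23.ps1"},
    {"id": 5, "host": "WS02", "type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},   # benign control panel use
]


def rule_rundll32_user_path(ev):
    """rundll32 asked to load a DLL that lives in a user-writable directory."""
    if ev["type"] != "process" or not ev["image"].lower().endswith("rundll32.exe"):
        return False
    m = RUNDLL_ARG.search(ev["cmdline"])
    return bool(m and USER_WRITABLE.search(m.group(1)))


def rule_logon_script_persistence(ev):
    """Any write to HKCU\\Environment\\UserInitMprLogonScript; legitimate use is rare."""
    return ev["type"] == "registry_set" and ev["key"].lower() == LOGON_SCRIPT_VALUE


def rule_runmru_cleared(ev):
    """Deletion of the Run-dialog MRU, the most obvious ClickFix artefact."""
    return ev["type"] == "registry_delete" and RUNMRU in ev["key"].lower()


def rule_hidden_powershell_from_userinit(ev):
    """Hidden-window PowerShell spawned by userinit.exe, i.e. a logon script firing."""
    return (ev["type"] == "process"
            and ev["image"].lower().endswith("powershell.exe")
            and ev["parent"].lower().endswith("userinit.exe")
            and bool(HIDDEN_PS.search(ev["cmdline"])))


RULES = {
    "rundll32_from_user_writable_path": rule_rundll32_user_path,
    "userinitmprlogonscript_set": rule_logon_script_persistence,
    "runmru_cleared": rule_runmru_cleared,
    "hidden_powershell_from_userinit": rule_hidden_powershell_from_userinit,
}


def detect(events):
    """Return (rule_name, event_id) for every event that trips a rule."""
    return [(name, ev["id"]) for ev in events for name, rule in RULES.items() if rule(ev)]


def score_hosts(events):
    """Two or more distinct rules on one host is treated as the full chain, not a one-off."""
    per_host = {}
    for name, ev_id in detect(events):
        host = next(e["host"] for e in events if e["id"] == ev_id)
        per_host.setdefault(host, set()).add(name)
    return {h: ("chain" if len(r) >= 2 else "single") for h, r in per_host.items()}


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
    print(score_hosts(SAMPLE_EVENTS))
```

The per-host roll-up matters more than any single rule: rundll32 from a user path or a hidden PowerShell alone produces noise in most estates, but the same host writing UserInitMprLogonScript and then clearing RunMRU within a session is a strong signal worth an automatic isolation decision.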

LOSTKEYS campaign

Chain and evasion
Begins with a fake CAPTCHA lure but adds an anti-VM check: the script hashes the display resolution and aborts when the hash matches a list of known virtual-machine and sandbox profiles.

Payload
VBS-based LOSTKEYS: targeted file theft from specified directories/extensions, system inventory, process lists. Multi-stage decoding with per-chain keys (VBS decoder plus secondary key) and Base64 wrapping. Samples dating from as early as late 2023 suggest prior testing or code reuse.


Key Details

Delivery Method

  • ClickFix pages that weaponise a security-looking checkbox to drive Win+R paste of a rundll32 command.
  • rundll32 proxies the BAITSWITCH loader; staged retrievals use specific user-agent signals.
  • Persistence established via logon scripts and registry.

Target

  • Government, defence, and military communities; NGOs, think tanks, journalists, academics.
  • Increased attention to U.S. nuclear research and SCADA stakeholders.

Functions

  • BAITSWITCH: downloader, persistence, controlled C2 retrieval.
  • SIMPLEFIX: registry-resident PowerShell backdoor, discovery, second-stage delivery.
  • LOSTKEYS: document theft and host profiling with multi-key decoding.
  • SPICA: earlier backdoor with cookie and command capabilities.

Obfuscation

  • Fileless registry storage of encrypted blobs/keys and in-memory execution.
  • User-agent signalling to mask C2 unless the correct header is present.
  • Anti-VM based on display resolution hashes.
  • RunMRU clearing to hide the most obvious user-execution trail.
  • Layered encoding with unique per-chain keys.

Attack Vectors

  1. Persona reconnaissance and target selection.
  2. Lure delivery and clipboard-seeded command execution.
  3. BAITSWITCH staging and logon-script persistence.
  4. SIMPLEFIX deployment and tasking.
  5. Discovery, exfiltration, optional follow-on tooling.
  6. Artefact minimisation and clean-up.

Indicators of Compromise (Defanged)

BAITSWITCH / SIMPLEFIX campaign

Domains and URLs

  • captchanom[.]top
  • southprovesolutions[.]com
  • preentootmist[.]org
  • blintepeeste[.]org
  • drive[.]google[.]com/file/d/1UiiDBT33N7unppa4UMS4NY2oOJCM-96T/view

File hashes (SHA256)

  • 87138f63974a8ccbbf5840c31165f1a4bf92a954bacccfbf1e7e5525d750aa48 — BAITSWITCH machinerie.dll
  • 62ab5a28801d2d7d607e591b7b2a1e9ae0bfc83f9ceda8a998e5e397b58623a0 — Stager PowerShell FvFLcsr23.ps1
  • 16a79e36d9b371d1557310cb28d412207827db2759d795f4d8e27d5f5afaf63f — SIMPLEFIX backdoor

Registry keys of interest

  • HKCU\Environment\UserInitMprLogonScript
  • Registry values resembling EnthusiastMod and QatItems with large encoded blobs

Behavioural beacons

  • rundll32.exe execution of DLLs from user-writable paths
  • PowerShell launched from logon scripts with hidden windows
  • HTTP requests that only succeed when using the specific Chromium-like user-agent string

LOSTKEYS campaign

Domains and IP addresses

  • 165[.]227[.]148[.]68
  • cloudmediaportal[.]com

File hashes (MD5 pairs as published; the final decoded-payload entry is SHA256)

  • 13f7599c94b9d4b028ce02397717a128 / 2a46f07b9d3e2f8f2b3213fa8884b029 — Stage 1
  • 4c7accba35edd646584bb5a40ab78f96 / 3de45e5fc816e62022cd7ab1b01dae9c — Stage 2
  • 6b85d707c23d68f9518e757cc97adb20 / adc8accb33d0d68faf1d8d56d7840816 — Stage 3
  • 3233668d2e4a80b17e6357177b53539d / f659e55e06ba49777d0d5171f27565dd — Decoder script
  • 6bc411d562456079a8f1e38f3473c33a / de73b08c7518861699e9863540b64f9a — Encoded payload
  • 28a0596b9c62b7b7aca9cac2a07b067109f27d327581a60e8cb4fab92f8f4fa9 — Decoded payload

Additional LOSTKEYS-linked domain and IP address

  • njala[.]dev
  • 80[.]66[.]88[.]67

Additional file hashes (MD5 and SHA256)

  • b55cdce773bc77ee46b503dbd9430828
  • cc0f518b94289fbfa70b5fbb02ab1847
  • 02ce477a07681ee1671c7164c9cc847b01c2e1cd50e709f7e861eaab89c69b6f
  • 8af28bb7e8e2f663d4b797bf3ddbee7f0a33f637a33df9b31fbb4c1ce71b2fee

Impersonation and lure identity

  • Email observed: narnobudaeva[@]gmail[.]com

Mitigation and Prevention

User Awareness

  • Train staff to treat any Win+R paste prompts as hostile unless verified by policy.
  • Embed ClickFix simulations into phishing exercises.
  • Require out-of-band verification for unexpected document access requirements.

Email Filtering

  • Quarantine HTML attachments with auto-copy JavaScript.
  • Route first-clicks on external links for high-risk users through browser isolation.
  • Rewrite/disable embedded links from unknown senders.

Antivirus and Endpoint Protection

  • Enforce Constrained Language Mode for PowerShell and block rundll32 from loading DLLs located in user-writable paths (for example via AppLocker or WDAC DLL rules).
  • Monitor and alert on HKCU\Environment\UserInitMprLogonScript creation or modification.
  • Detect hidden-window PowerShell invocations from logon scripts; hunt for registry values containing large Base64 blobs.
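Hunting for registry-resident payloads does not depend on knowing the value names the actor happened to use (EnthusiastMod and QatItems will change). What stays constant is that an encrypted blob stored as a string value is long, decodes as Base64 and has near-ciphertext entropy. The following added example, written for this advisory rather than taken from any vendor or actor tooling, runs that check over a .reg export. The export, the key path and the blob contents are constructed; the value names are the ones this advisory reports.

```python
import base64
import math
import random
import re

B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')   # REG_SZ lines in a .reg export


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or compressed data, near 0 for repeats."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_reg(text: str):
    """Yield (key, name, value) for every REG_SZ entry, undoing the export's escaping."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = REG_VALUE.match(line)
        if m and key:
            value = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
            yield key, m.group(1), value


def decoded_blob(value: str):
    """Return the decoded bytes if the value is well-formed Base64, otherwise None."""
    if len(value) % 4 or not B64.match(value):
        return None
    try:
        return base64.b64decode(value, validate=True)
    except ValueError:
        return None


def hunt_blobs(text: str, min_bytes: int = 256, min_entropy: float = 6.0):
    """Flag string values that decode to at least min_bytes of high-entropy data."""
    findings = []
    for key, name, value in parse_reg(text):
        raw = decoded_blob(value)
        if raw is not None and len(raw) >= min_bytes:
            ent = shannon_entropy(raw)
            if ent >= min_entropy:
                findings.append((key, name, len(raw), round(ent, 2)))
    return findings


# Constructed sample export (not a real capture). Seeded random bytes stand in for an
# encrypted SIMPLEFIX payload; the repetitive value shows that a value name alone is not a signal.
_rng = random.Random(1)
_CIPHERTEXT_LIKE = base64.b64encode(bytes(_rng.randrange(256) for _ in range(600))).decode()
_REPETITIVE = base64.b64encode(b"A" * 600).decode()
SAMPLE_REG = f"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\ExampleVendor\\Settings]
"EnthusiastMod"="{_CIPHERTEXT_LIKE}"
"QatItems"="{_REPETITIVE}"
"InstallPath"="C:\\\\Program Files\\\\ExampleVendor"
"""

if __name__ == "__main__":
    for key, name, size, ent in hunt_blobs(SAMPLE_REG):
        print(f"{key}\\{name}: {size} bytes, entropy {ent}")
```

Tune min_bytes to the smallest key or stub you are willing to miss; stored keys are often far below 256 bytes, so a second pass with a lower size threshold restricted to HKCU hives is a reasonable follow-up. Export HKCU with `reg export HKCU hkcu.reg` on the suspect host and feed the file to hunt_blobs.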

Two-Factor Authentication

  • Mandate phishing-resistant MFA for high-value users.
  • Rapidly invalidate and rotate active sessions after risk events.

Log Monitoring

  • Audit RunMRU anomalies and subsequent deletion.
  • Track egress user-agent strings and block unexpected ones used to gate C2.
  • Use protective DNS to block newly registered or suspicious domains overlapping campaign infrastructure.
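User-agent-gated staging shows up in proxy logs in two ways: the gating string is seen from very few hosts, and the same URL returns a much larger body to that string than to an ordinary browser. The following added example, written for this advisory and not drawn from any vendor or actor code, matches proxy records against this page's defanged IoC list and applies both heuristics. The log lines are constructed, the stand-in domain staging.example and the "Stager-9f2c" suffix on the gating user-agent are assumptions (the advisory does not publish the string BAITSWITCH uses), and the heuristics apply to any user-agent-keyed C2, not only this campaign.

```python
import re
from collections import defaultdict
from statistics import median

# Defanged domains copied from this advisory's BAITSWITCH / SIMPLEFIX IoC list.
IOC_DOMAINS_DEFANGED = ["captchanom[.]top", "southprovesolutions[.]com",
                        "preentootmist[.]org", "blintepeeste[.]org"]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable domain."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

UA_BROWSER = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
UA_GATED = UA_BROWSER + " Stager-9f2c"   # assumed gating string, not the real one

# Constructed proxy log (not real traffic): time host method url status bytes "user-agent"
SAMPLE_LOG = f"""\
2025-09-25T10:01:02Z WS01 GET http://staging.example/u/2 200 48 "{UA_BROWSER}"
2025-09-25T10:01:05Z WS01 GET http://staging.example/u/2 200 18940 "{UA_GATED}"
2025-09-25T10:02:11Z WS02 GET http://staging.example/u/2 200 48 "{UA_BROWSER}"
2025-09-25T10:03:30Z WS01 GET https://{refang('captchanom[.]top')}/ 200 5120 "{UA_BROWSER}"
2025-09-25T10:04:00Z WS03 GET https://www.example.org/news 200 73210 "{UA_BROWSER}"
"""

LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d+) (\d+) "(.*)"$')


def parse(log_text: str):
    """Yield one dict per well-formed proxy record."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, host, method, url, status, nbytes, ua = m.groups()
        domain = re.sub(r"^https?://", "", url).split("/")[0].lower()
        yield {"ts": ts, "host": host, "url": url, "domain": domain,
               "status": int(status), "bytes": int(nbytes), "ua": ua}


def ioc_hits(log_text: str):
    """(host, domain) pairs for traffic to known campaign infrastructure."""
    return [(e["host"], e["domain"]) for e in parse(log_text) if e["domain"] in IOC_DOMAINS]


def ua_gated_urls(log_text: str, ratio: float = 10.0):
    """URLs where one user-agent receives a far larger 200 response than every other UA."""
    by_url = defaultdict(lambda: defaultdict(list))
    for e in parse(log_text):
        if e["status"] == 200:
            by_url[e["url"]][e["ua"]].append(e["bytes"])
    flagged = []
    for url, uas in by_url.items():
        if len(uas) < 2:
            continue
        sizes = {ua: median(v) for ua, v in uas.items()}
        top_ua = max(sizes, key=sizes.get)
        others = max(s for ua, s in sizes.items() if ua != top_ua)
        if sizes[top_ua] >= ratio * others:
            flagged.append((url, top_ua))
    return flagged


def rare_user_agents(log_text: str, max_hosts: int = 1):
    """User-agent strings seen from at most max_hosts distinct hosts."""
    hosts = defaultdict(set)
    for e in parse(log_text):
        hosts[e["ua"]].add(e["host"])
    return sorted(ua for ua, h in hosts.items() if len(h) <= max_hosts)


if __name__ == "__main__":
    print(ioc_hits(SAMPLE_LOG))
    print(ua_gated_urls(SAMPLE_LOG))
    print(rare_user_agents(SAMPLE_LOG))
```

The size-ratio heuristic only fires when the same URL is fetched with more than one user-agent, which is exactly what happens when an analyst or a URL-scanning appliance retrieves the staging URL with a browser and gets the benign page; ingest those sandbox fetches alongside user traffic so the comparison exists. Raise max_hosts for larger estates and exclude known single-purpose agents (update clients, monitoring probes) before treating a rare user-agent as a lead.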

Regular Updates

  • Keep scripting components and browsers current.
  • Tighten DLL search path policies and apply application allow-listing where feasible.

TTP Mapping to MITRE ATT&CK

Tactic | ID | Name | Use by COLDRIVER
Reconnaissance | T1598 | Phishing for Information | Impersonation to establish rapport before delivery.
Initial Access | T1566.001 | Phishing: Spearphishing Attachment | Historic lure documents to elicit engagement.
Initial Access | T1566.003 | Phishing: Spearphishing Link | Redirection to verification/document portals.
Execution | T1204.002 | User Execution: Malicious File | Opening staged files or loaders.
Execution | T1204.004 | User Execution: Malicious Copy and Paste | ClickFix flow prompts rundll32 via Win+R.
Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | Stagers and SIMPLEFIX backdoor.
Persistence | T1037.001 | Boot or Logon Initialization Scripts: Logon Script (Windows) | UserInitMprLogonScript abuse.
Persistence | T1078 | Valid Accounts | Use of stolen credentials.
Defence Evasion | T1112 | Modify Registry | Encrypted payload/key storage in registry values for fileless persistence.
Defence Evasion | T1218.011 | System Binary Proxy Execution: Rundll32 | rundll32 loads BAITSWITCH.
Defence Evasion | T1027 | Obfuscated Files or Information | Base64, custom substitution.
Defence Evasion | T1070.003 | Indicator Removal: Clear Command History | Clearing RunMRU.
Defence Evasion | T1564.003 | Hide Artifacts: Hidden Window | Hidden PowerShell windows and quiet staging.
Defence Evasion | T1205 | Traffic Signaling | User-agent-gated C2 responses.
Credential Access | T1539 | Steal Web Session Cookie | EvilGinx lineage.
Credential Access | T1550.004 | Use Alternate Authentication Material: Web Session Cookie | Cookie reuse to bypass MFA.
Discovery | T1033 | System Owner/User Discovery | SIMPLEFIX host info.
Discovery | T1082 | System Information Discovery | Host profiling.
Collection | T1005 | Data from Local System | LOSTKEYS document theft.
Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | HTTPS staging and C2.

Risk Assessment

Threat Score – 8.2 🔴 High

  • Capability: Custom downloader and backdoor, fileless registry persistence, anti-analysis, and C2 gating.
  • Intent: State-aligned espionage with meaningful critical-infrastructure interest.
  • Opportunity: User execution required but reliably induced via convincing lures and trusted OS prompts.
  • Impact: Loss of sensitive policy data, access preparation against critical infrastructure, reputational and regulatory exposure.
  • Detectability: Moderate with tuned analytics and proactive hunting; designed to frustrate defaults.

Conclusion

COLDRIVER’s 2025 tradecraft demonstrates a disciplined shift from credential theft to custom multi-stage implants and fileless persistence that exploit trust in browser security widgets and Windows UI flows. BAITSWITCH and SIMPLEFIX provide a quiet, resilient foothold for collection and follow-on actions, while LOSTKEYS persists as a targeted document-theft capability with careful anti-analysis design.

Treat any browser page that requests a Run dialog paste as hostile by default. Bake these TTPs into EDR rules, network egress policies, and awareness training. Prioritise protections for policy and research communities with phishing-resistant MFA and risk-based access, and keep hunt playbooks ready for RunMRU, registry-resident payloads, and user-agent-gated C2.

