Date: 10/01/2025
Severity: High
Summary
In September 2025, our team uncovered a new multi-stage ClickFix campaign likely aimed at Russian civil society. ClickFix refers to a social-engineering lure in which a fake verification or error page instructs the victim to copy a command and run it themselves; the victim, not an exploit, executes the first stage. The campaign is attributed with moderate confidence to the Russia-linked APT group COLDRIVER. COLDRIVER, also known as Star Blizzard or Callisto, is known for credential phishing and for targeting NGOs, journalists, and activists; its tradecraft relies heavily on social engineering against both Western and Russian targets. Two new malware strains were identified in this campaign: BAITSWITCH (a downloader) and SIMPLEFIX (a PowerShell backdoor). The indicators and detection queries below cover the lure domains, the staging URLs, and the SHA-256 hashes of the samples observed.
Indicators of Compromise (IOC) List
Domains:
preentootmist.org
blintepeeste.org
captchanom.top
southprovesolutions.com

URLs:
https://preentootmist.org/?uinfo_message=Resilient_Voices
https://blintepeeste.org/?u_storages=Resilient_Voices_concept
https://captchanom.top/check/machinerie.dll
https://captchanom.top/coup/premier
https://captchanom.top/coup/deuxieme
https://captchanom.top/coup/troisieme
https://captchanom.top/coup/quatre
https://southprovesolutions.com/FvFLcsr23
https://southprovesolutions.com/Zxdf
https://southprovesolutions.com/KZouoRc
https://southprovesolutions.com/EPAWl
https://southprovesolutions.com/VUkXugsYgu
https://drive.google.com/file/d/1UiiDBT33N7unppa4UMS4NY2oOJCM-96T/view
SHA-256 hashes:
87138f63974a8ccbbf5840c31165f1a4bf92a954bacccfbf1e7e5525d750aa48
62ab5a28801d2d7d607e591b7b2a1e9ae0bfc83f9ceda8a998e5e397b58623a0
16a79e36d9b371d1557310cb28d412207827db2759d795f4d8e27d5f5afaf63f
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (web proxy / network events; one clause group per indicator):

domainname like "preentootmist.org" or url like "preentootmist.org" or siteurl like "preentootmist.org"
or domainname like "blintepeeste.org" or url like "blintepeeste.org" or siteurl like "blintepeeste.org"
or domainname like "captchanom.top" or url like "captchanom.top" or siteurl like "captchanom.top"
or domainname like "southprovesolutions.com" or url like "southprovesolutions.com" or siteurl like "southprovesolutions.com"
or domainname like "https://preentootmist.org/?uinfo_message=Resilient_Voices" or url like "https://preentootmist.org/?uinfo_message=Resilient_Voices" or siteurl like "https://preentootmist.org/?uinfo_message=Resilient_Voices"
or domainname like "https://blintepeeste.org/?u_storages=Resilient_Voices_concept" or url like "https://blintepeeste.org/?u_storages=Resilient_Voices_concept" or siteurl like "https://blintepeeste.org/?u_storages=Resilient_Voices_concept"
or domainname like "https://captchanom.top/check/machinerie.dll" or url like "https://captchanom.top/check/machinerie.dll" or siteurl like "https://captchanom.top/check/machinerie.dll"
or domainname like "https://captchanom.top/coup/premier" or url like "https://captchanom.top/coup/premier" or siteurl like "https://captchanom.top/coup/premier"
or domainname like "https://captchanom.top/coup/deuxieme" or url like "https://captchanom.top/coup/deuxieme" or siteurl like "https://captchanom.top/coup/deuxieme"
or domainname like "https://captchanom.top/coup/troisieme" or url like "https://captchanom.top/coup/troisieme" or siteurl like "https://captchanom.top/coup/troisieme"
or domainname like "https://captchanom.top/coup/quatre" or url like "https://captchanom.top/coup/quatre" or siteurl like "https://captchanom.top/coup/quatre"
or domainname like "https://southprovesolutions.com/FvFLcsr23" or url like "https://southprovesolutions.com/FvFLcsr23" or siteurl like "https://southprovesolutions.com/FvFLcsr23"
or domainname like "https://southprovesolutions.com/Zxdf" or url like "https://southprovesolutions.com/Zxdf" or siteurl like "https://southprovesolutions.com/Zxdf"
or domainname like "https://southprovesolutions.com/KZouoRc" or url like "https://southprovesolutions.com/KZouoRc" or siteurl like "https://southprovesolutions.com/KZouoRc"
or domainname like "https://southprovesolutions.com/EPAWl" or url like "https://southprovesolutions.com/EPAWl" or siteurl like "https://southprovesolutions.com/EPAWl"
or domainname like "https://southprovesolutions.com/VUkXugsYgu" or url like "https://southprovesolutions.com/VUkXugsYgu" or siteurl like "https://southprovesolutions.com/VUkXugsYgu"
or domainname like "https://drive.google.com/file/d/1UiiDBT33N7unppa4UMS4NY2oOJCM-96T/view" or url like "https://drive.google.com/file/d/1UiiDBT33N7unppa4UMS4NY2oOJCM-96T/view" or siteurl like "https://drive.google.com/file/d/1UiiDBT33N7unppa4UMS4NY2oOJCM-96T/view"

Note on Query 1: the four bare-domain clauses carry most of the detection. A full URL such as "https://captchanom.top/coup/troisieme" is not a substring of the hostname "captchanom.top", so the URL-valued comparisons against domainname only fire where that field stores a complete URL; they are kept for completeness. Because the domain clauses already cover every path on the four attacker-controlled domains, the query will also flag staging paths that are not in the list, which is desirable. The one indicator not covered by a domain clause is the Google Drive link, which must match on the full URL; do not widen that clause to drive.google.com.

Detection Query 2 (file / process events):

sha256hash IN ("62ab5a28801d2d7d607e591b7b2a1e9ae0bfc83f9ceda8a998e5e397b58623a0","87138f63974a8ccbbf5840c31165f1a4bf92a954bacccfbf1e7e5525d750aa48","16a79e36d9b371d1557310cb28d412207827db2759d795f4d8e27d5f5afaf63f")

Note on Query 2: the hashes are lowercase hex. If your log source emits uppercase hashes and the platform compares case-sensitively, normalize the field to lowercase at ingestion or the IN list will never match.
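As an added example (this is not code from the advisory or from Gurucul TDIR), the Python below applies the same indicators to a few constructed JSON log lines, the way an analyst would triage an export before loading the IOCs into a platform. It goes slightly beyond the query above: URLs are compared on host, path and query string, so an http:// or mixed-case variant of a listed https:// URL still matches; any subdomain of a listed attacker domain is treated as a hit; and the Google Drive link is matched only on the exact file URL. The field names host, url and sha256 are assumptions about the log schema, and the sample events are constructed, not observed traffic.

```python
"""IOC matching for the COLDRIVER ClickFix indicators over JSON log lines.

Added example, not the advisory's own tooling. Indicator values are copied
from the advisory's IOC list; log schema (host/url/sha256) and the sample
events are assumptions/constructed for illustration.
"""
import json
from urllib.parse import urlsplit

# Attacker-controlled domains from the advisory. Any subdomain counts as a hit.
IOC_DOMAINS = {
    "preentootmist.org",
    "blintepeeste.org",
    "captchanom.top",
    "southprovesolutions.com",
}

# Full URLs from the advisory. The Google Drive entry is only meaningful as an
# exact URL: drive.google.com itself must not be treated as malicious.
IOC_URLS = {
    "https://preentootmist.org/?uinfo_message=Resilient_Voices",
    "https://blintepeeste.org/?u_storages=Resilient_Voices_concept",
    "https://captchanom.top/check/machinerie.dll",
    "https://captchanom.top/coup/premier",
    "https://captchanom.top/coup/deuxieme",
    "https://captchanom.top/coup/troisieme",
    "https://captchanom.top/coup/quatre",
    "https://southprovesolutions.com/FvFLcsr23",
    "https://southprovesolutions.com/Zxdf",
    "https://southprovesolutions.com/KZouoRc",
    "https://southprovesolutions.com/EPAWl",
    "https://southprovesolutions.com/VUkXugsYgu",
    "https://drive.google.com/file/d/1UiiDBT33N7unppa4UMS4NY2oOJCM-96T/view",
}

# SHA-256 hashes from the advisory, kept lowercase; inputs are lowercased too.
IOC_SHA256 = {
    "87138f63974a8ccbbf5840c31165f1a4bf92a954bacccfbf1e7e5525d750aa48",
    "62ab5a28801d2d7d607e591b7b2a1e9ae0bfc83f9ceda8a998e5e397b58623a0",
    "16a79e36d9b371d1557310cb28d412207827db2759d795f4d8e27d5f5afaf63f",
}


def normalize_url(url):
    """Reduce a URL to (host, path, query): scheme and host case are ignored,
    an empty path becomes "/", and the query string is kept verbatim because
    the lure URLs carry their campaign marker in the query."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    path = parts.path or "/"
    return (host, path, parts.query)


IOC_URL_KEYS = {normalize_url(u) for u in IOC_URLS}


def host_matches(host):
    """True if host is a listed domain or a subdomain of one."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in IOC_DOMAINS)


def url_matches(url):
    """True only for an exact (host, path, query) match against a listed URL."""
    return normalize_url(url) in IOC_URL_KEYS


def check_event(event):
    """Return the list of reasons an event matches; empty means no hit."""
    reasons = []
    url = event.get("url", "")
    host = event.get("host") or (normalize_url(url)[0] if url else "")
    if host and host_matches(host):
        reasons.append(f"domain:{host}")
    if url and url_matches(url):
        reasons.append(f"url:{url}")
    sha = event.get("sha256", "")
    if sha and sha.lower() in IOC_SHA256:
        reasons.append(f"sha256:{sha.lower()}")
    return reasons


def scan(text):
    """Scan newline-delimited JSON events; returns [(line_no, reasons), ...]."""
    hits = []
    for line_no, line in enumerate(text.strip().splitlines(), start=1):
        if line.strip():
            reasons = check_event(json.loads(line))
            if reasons:
                hits.append((line_no, reasons))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_LOG = """
{"host": "www.example.org", "url": "https://www.example.org/index.html"}
{"host": "captchanom.top", "url": "http://captchanom.top/coup/troisieme"}
{"host": "cdn.southprovesolutions.com", "url": "https://cdn.southprovesolutions.com/static/app.js"}
{"host": "drive.google.com", "url": "https://drive.google.com/file/d/OTHERFILEID/view"}
{"host": "drive.google.com", "url": "https://drive.google.com/file/d/1UiiDBT33N7unppa4UMS4NY2oOJCM-96T/view"}
{"sha256": "87138F63974A8CCBBF5840C31165F1A4BF92A954BACCCFBF1E7E5525D750AA48"}
"""

if __name__ == "__main__":
    for line_no, reasons in scan(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(reasons)}")
```

Lines 2, 3, 5 and 6 of the sample are flagged: the http:// staging URL (on both the domain and the exact URL), a subdomain of an attacker domain, the exact Google Drive file, and an uppercase hash. Line 4, a different Google Drive file, is correctly left alone, which is the behaviour a bare-domain match on drive.google.com would break.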
Reference:
https://www.zscaler.com/blogs/security-research/coldriver-updates-arsenal-baitswitch-and-simplefix#introduction