COLDRIVER updates arsenal with BAITSWITCH and SIMPLEFIX

Intel Name: COLDRIVER updates arsenal with BAITSWITCH and SIMPLEFIX

Date of Scan: October 1, 2025

Impact: High

Summary:
In September 2025, our team uncovered a new multi-stage ClickFix campaign likely aimed at Russian civil society. We attribute the campaign with moderate confidence to the Russia-linked APT group COLDRIVER. COLDRIVER, also tracked as Star Blizzard or Callisto, is known for credential phishing against NGOs, journalists, and activists, and its tradecraft relies heavily on social engineering to compromise both Western and Russian targets. We identified two previously undocumented malware families in this campaign: BAITSWITCH, a downloader, and SIMPLEFIX, a PowerShell backdoor.

More Details