Pulse: Updates Arsenal with BAITSWITCH and SIMPLEFIX
TLP: WHITE | Adversary: Callisto | Author: AlienVault | Created: 2025-09-24 | Modified: 2025-09-24
Indicators: 7 | Low volume
A new multi-stage ClickFix campaign, attributed to the Russia-linked APT group COLDRIVER, has been discovered targeting Russian civil society members. The campaign employs social engineering techniques to trick users into executing malicious commands, leading to the deployment of two new malware families: BAITSWITCH (a downloader) and SIMPLEFIX (a PowerShell-based backdoor). The attack chain involves a fake Cloudflare Turnstile checkbox, persistence establishment, and data exfiltration. COLDRIVER's tactics include using server-side checks, obfuscation techniques, and targeting specific file types for intelligence collection. The group's focus on NGOs, human rights defenders, and Russian exiles aligns with their known victimology.
Indicators of Compromise (3 of 7 total; indicator types in this pulse: FileHash-SHA256, domain; only the three SHA-256 entries below are carried on this page)

TYPE            | INDICATOR                                                        | DESCRIPTION | CREATED
FileHash-SHA256 | 16a79e36d9b371d1557310cb28d412207827db2759d795f4d8e27d5f5afaf63f | -           | 2025-09-24
FileHash-SHA256 | 62ab5a28801d2d7d607e591b7b2a1e9ae0bfc83f9ceda8a998e5e397b58623a0 | -           | 2025-09-24
FileHash-SHA256 | 87138f63974a8ccbbf5840c31165f1a4bf92a954bacccfbf1e7e5525d750aa48 | -           | 2025-09-24
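The three SHA-256 hashes are the only indicators this page carries, so the most direct operational use of the pulse is a file sweep for them. The script below is an added example, not code from AlienVault or from the pulse: it parses FileHash-SHA256 rows in the format the table uses, streams every file under a directory through SHA-256 (skipping symlinks and unreadable files rather than aborting), and returns the matches. The embedded indicator text is the page's three hashes; any sample tree you point it at is your own. One caveat a practitioner should keep in mind: a hash sweep only finds on-disk artefacts whose hash is listed. SIMPLEFIX is described as a PowerShell-based backdoor, and PowerShell stages are routinely re-obfuscated per victim, so a clean sweep rules out these specific files, not the intrusion.

```python
"""Sweep a directory tree for the SHA-256 indicators listed in a pulse.

Added example, not the pulse author's code. PULSE_IOC_TEXT is copied from
the three rows on the page; nothing beyond those hashes is assumed.
"""
import hashlib
import os
import re
from typing import Iterator, List, Set, Tuple

# The three FileHash-SHA256 rows exactly as the pulse lists them.
PULSE_IOC_TEXT = """\
FileHash-SHA256 16a79e36d9b371d1557310cb28d412207827db2759d795f4d8e27d5f5afaf63f 2025-09-24
FileHash-SHA256 62ab5a28801d2d7d607e591b7b2a1e9ae0bfc83f9ceda8a998e5e397b58623a0 2025-09-24
FileHash-SHA256 87138f63974a8ccbbf5840c31165f1a4bf92a954bacccfbf1e7e5525d750aa48 2025-09-24
"""

# One row per line: type, 64 hex digits, then whatever else the row carries.
_IOC_LINE = re.compile(r"^FileHash-SHA256\s+([0-9a-fA-F]{64})\b", re.MULTILINE)


def parse_sha256_iocs(text: str) -> Set[str]:
    """Extract well-formed SHA-256 indicators (lowercased) from pulse text.

    Rows of other indicator types and malformed hashes are ignored rather
    than raising, so a partial copy of the table still yields usable IOCs.
    """
    return {m.group(1).lower() for m in _IOC_LINE.finditer(text)}


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large files are never read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def iter_files(root: str, follow_symlinks: bool = False) -> Iterator[str]:
    """Yield regular files under root.

    Symlinks are skipped by default so a planted link cannot steer the sweep
    outside the intended tree or into a device file that never returns EOF.
    """
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=follow_symlinks):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) and not follow_symlinks:
                continue
            if os.path.isfile(path):
                yield path


def sweep(root: str, iocs: Set[str]) -> List[Tuple[str, str]]:
    """Return (path, sha256) for every file whose hash is in the IOC set.

    Unreadable files (permissions, transient locks) are skipped, not fatal:
    a sweep that aborts on the first error is useless on a live host.
    """
    hits: List[Tuple[str, str]] = []
    for path in iter_files(root):
        try:
            digest = sha256_of_file(path)
        except OSError:
            continue
        if digest in iocs:
            hits.append((path, digest))
    return hits


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for hit_path, hit_digest in sweep(target, parse_sha256_iocs(PULSE_IOC_TEXT)):
        print(f"MATCH {hit_digest} {hit_path}")
```

Run it as `python sweep.py /path/to/tree`; it prints one `MATCH` line per file whose hash is in the pulse. To feed a larger export, paste the full IOC table into `PULSE_IOC_TEXT`: the parser keeps only the FileHash-SHA256 rows and discards the domain rows, which need a DNS or proxy log search rather than a file sweep.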