Google’s Threat Intelligence Group (GTIG) has uncovered a major post-exposure evolution in the operations of COLDRIVER—a Russian state-sponsored threat actor also tracked as UNC4057, Star Blizzard, and Callisto. Within just five days of the public disclosure of its LOSTKEYS malware in May 2025, COLDRIVER began deploying a new malware ecosystem collectively dubbed the “ROBOT” family, including NOROBOT, YESROBOT, and MAYBEROBOT, delivered through an updated ClickFix lure masquerading as a CAPTCHA test.
According to Google Threat Intelligence, “COLDRIVER swiftly shifted operations after the May 2025 public disclosure of its LOSTKEYS malware, operationalizing new malware families five days later.”
The group’s response demonstrates a well-resourced capability to rebuild and rearm after exposure. GTIG notes, “It is unclear how long COLDRIVER had this malware in development, but we have not observed a single instance of LOSTKEYS since publication.” Instead, the new ROBOT-linked malware has been “used more aggressively than any other previous campaigns we have attributed to COLDRIVER.”
The infection chain begins with a new variant of the COLDCOPY “ClickFix” lure, which disguises a malicious DLL download as a CAPTCHA verification step.

“The new variant of COLDCOPY tries to get the user to download and execute a DLL using rundll32, while trying to disguise itself as a CAPTCHA by including text to verify that the user is not a robot.”
The DLL observed in the first wave was named “iamnotarobot.dll”, exported as “humanCheck”, directly inspiring the naming convention for the ROBOT series of backdoors.
The first-stage malware, NOROBOT (also referred to as BAITSWITCH by Zscaler), is a malicious DLL downloader that retrieves the next payload from a hardcoded command-and-control (C2) server.
GTIG reports that early versions of NOROBOT “used cryptography in which the key was split across multiple components and needed to be recombined to successfully decrypt the final payload.”
This design made it difficult for analysts to reconstruct the infection chain without collecting all intermediary components.
However, NOROBOT’s early builds raised suspicion due to the inclusion of an entire Python 3.8 runtime during installation — a noisy artifact that triggered detection by endpoint security tools.
Despite this, the evolution of NOROBOT shows clear signs of professionalization. Later versions removed Python dependencies and simplified the downloader to improve execution success and stealth.
Once deployed, NOROBOT delivered a Python-based backdoor dubbed YESROBOT — a hastily built, minimal command-execution implant.
“YESROBOT is a Python backdoor which uses HTTPS to retrieve commands from a hardcoded C2… It requires all commands to be valid Python, making typical functionality, such as downloading or retrieving documents, cumbersome to implement.”
Google analysts believe YESROBOT was an interim solution, stating that “YESROBOT was hastily deployed as a stopgap mechanism after our publication on LOSTKEYS.”
Within just two weeks, GTIG observed COLDRIVER abandoning YESROBOT entirely, replacing it with a more flexible PowerShell-based backdoor.
In June 2025, GTIG observed COLDRIVER shifting to a new payload named MAYBEROBOT, a PowerShell-based backdoor offering expanded operational flexibility and easier extensibility.
“MAYBEROBOT supports three commands: downloading and executing from a specified URL, executing commands using cmd.exe, and executing a PowerShell block.”
The new design provided stealthier persistence through logon script registration and eliminated the need for bulky dependencies like Python interpreters.
GTIG’s analysis concludes: “MAYBEROBOT was developed to replace YESROBOT because it does not need a Python installation to execute and allows attackers more flexibility in achieving objectives on target systems.”
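The two host-level signals described above, the COLDCOPY lure running a DLL through rundll32 and MAYBEROBOT's logon-script persistence, can be turned into simple detection logic. The following is an added example, not code from the GTIG report: it parses constructed key=value telemetry lines (not real logs) and flags rundll32 invoking a DLL from a user-writable path or the `iamnotarobot.dll`/`humanCheck` pair named in the article, plus writes to the `UserInitMprLogonScript` registry value, which is assumed here as the logon-script mechanism the article refers to.

```python
import re

# Constructed sample telemetry in key=value form (not real COLDRIVER logs).
SAMPLE_EVENTS = [
    'type=process image="C:\\Windows\\System32\\rundll32.exe" '
    'cmdline="rundll32.exe C:\\Users\\alice\\Downloads\\iamnotarobot.dll,humanCheck"',
    'type=process image="C:\\Windows\\System32\\rundll32.exe" '
    'cmdline="rundll32.exe shell32.dll,Control_RunDLL"',
    'type=registry key="HKCU\\Environment\\UserInitMprLogonScript" '
    'value="C:\\Users\\alice\\AppData\\Roaming\\update.ps1"',
    'type=registry key="HKCU\\Software\\Example\\Setting" value="1"',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Directories a standard user can write to; rundll32 loading a DLL from one of
# them is characteristic of a ClickFix-style "paste this command" lure.
USER_WRITABLE_RE = re.compile(r'\\Users\\|\\AppData\\|\\Temp\\|\\Downloads\\', re.I)
# DLL name and export cited in the report for the first NOROBOT wave.
KNOWN_DLL = 'iamnotarobot.dll'
KNOWN_EXPORT = 'humancheck'
# Logon-script registry value (assumed persistence location, not stated on the page).
LOGON_SCRIPT_KEY = r'HKCU\Environment\UserInitMprLogonScript'


def parse_event(line):
    """Turn one key=value telemetry line into a dict (quoted values may contain spaces)."""
    return {k: (q or u) for k, q, u in FIELD_RE.findall(line)}


def detect(lines):
    """Return (rule, detail) tuples for events matching the ROBOT-chain patterns."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get('type') == 'process' and ev.get('image', '').lower().endswith('rundll32.exe'):
            cmd = ev.get('cmdline', '')
            # rundll32 takes "<dll>,<export>"; separate the DLL path from the export name.
            target = cmd.split(' ', 1)[1] if ' ' in cmd else ''
            dll, _, export = target.partition(',')
            if dll.lower().endswith(KNOWN_DLL) or export.lower() == KNOWN_EXPORT:
                alerts.append(('coldcopy_known_dll', cmd))
            elif USER_WRITABLE_RE.search(dll):
                alerts.append(('rundll32_user_writable_dll', cmd))
        elif ev.get('type') == 'registry' and ev.get('key', '').lower() == LOGON_SCRIPT_KEY.lower():
            alerts.append(('logon_script_persistence', ev.get('value', '')))
    return alerts


if __name__ == '__main__':
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f'{rule}: {detail}')
```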
From June through September 2025, Google observed multiple NOROBOT variants that “highlight the group’s persistent effort to evade detection systems while ensuring continued intelligence collection against high-value targets.”
COLDRIVER experimented with simplifying and then re-complicating its infection chain, balancing stealth and operational control. At one point, cryptographic keys and downloader stages were split across registry entries and encrypted files, reintroducing complexity to hinder analysis.
“By simplifying the NOROBOT downloader, COLDRIVER inadvertently made it easier for GTIG to track their activity.”
COLDRIVER is traditionally known for spear-phishing campaigns targeting NGOs, think tanks, and dissidents; its shift toward malware deployment indicates a strategic expansion of its toolkit.
GTIG writes: “It is currently not known why COLDRIVER chooses to deploy malware over the more traditional phishing they are known for, but it is clear they have spent significant development effort to re-tool and deploy their malware to specific targets.”
The group’s operational focus remains consistent: Western foreign policy organizations, security analysts, and activists opposing Russian state narratives.
“We believe they will continue their aggressive deployment against high-value targets to achieve their intelligence collection requirements.”