TL;DR

Google's Threat Intelligence Group links a set of new malware families to Russian state-sponsored actor COLDRIVER after the public disclosure of LOSTKEYS. The actor shifted rapidly to a DLL downloader called NOROBOT that led to short-lived Python backdoors (YESROBOT) and a more flexible PowerShell backdoor (MAYBEROBOT).

What happened

After the May 2025 public disclosure of LOSTKEYS, COLDRIVER (also tracked as UNC4057 / Star Blizzard / Callisto) quickly changed tactics, deploying multiple new malware components within days. GTIG observed a delivery chain that begins with an updated COLDCOPY “ClickFix” lure presenting a CAPTCHA-like prompt that tricks users into launching a DLL with rundll32. The downloader, dubbed NOROBOT, has been iteratively developed from May through September 2025; early variants fetched a full Python 3.8 environment, split cryptographic keys across components (including a registry-stored fragment), and established persistence via a scheduled task. NOROBOT initially decrypted and ran a Python backdoor called YESROBOT, which accepted AES-encrypted commands as Python code but was difficult to extend and observed only briefly. By early June, operators had moved to a PowerShell-based backdoor GTIG calls MAYBEROBOT, delivered via a logon script and offering a simple custom protocol with three commands (download-and-run, run cmd.exe, run PowerShell). Across the period GTIG tracked ongoing simplification and re-complexification of the infection chain and rotation of infrastructure and file naming to avoid detection.

Why it matters

  • A state-affiliated actor rapidly retooled after public exposure, indicating resilience and operational agility.
  • The malware uses social-engineering lures that persuade users to execute a DLL via rundll32, bypassing older PowerShell-only stages.
  • Transition from a Python backdoor to a PowerShell backdoor reduces reliance on noisy artifacts (full interpreter installs) and increases operator flexibility.
  • Frequent changes to delivery chains, cryptography handling, and artifact naming complicate detection and tracking by defenders and researchers.

Key facts

  • GTIG attributes the new malware families directly to COLDRIVER (also referred to as UNC4057, Star Blizzard, Callisto).
  • GTIG observed no instances of LOSTKEYS after its public disclosure in May 2025.
  • The initial downloader is a DLL served from lure pages under names like iamnotarobot.dll, with an export labeled humanCheck, reflecting the CAPTCHA theme.
  • NOROBOT variants were observed from May through September 2025 and fetched components from hardcoded C2 addresses.
  • An early NOROBOT variant retrieved a Python 3.8 install, stored part of an AES key in the registry, and created persistence via a scheduled task named "System health check."
  • YESROBOT was a Python backdoor that executed commands sent as AES-encrypted Python code over HTTPS; GTIG observed it only twice over a two-week period before it was abandoned.
  • MAYBEROBOT is a heavily obfuscated PowerShell backdoor delivered via a logon script; it supports three commands: download-and-execute, run a cmd.exe command, and run a PowerShell block.
  • COLDRIVER adjusted the downloader and delivery chain over time—simplifying deployment at points, then reintroducing complexity such as split cryptographic keys—to evade detection.
  • Operators used rotating infrastructure, changing file names, DLL export names, and retrieval paths as basic evasion techniques.

What to watch next

  • Phishing pages or downloads that present CAPTCHA-like prompts and attempt to get users to run rundll32 against DLLs (e.g., names like iamnotarobot.dll with exports such as humanCheck).
  • NOROBOT-related indicators: attempts to fetch Python components, registry entries storing binary data under custom class extensions, and scheduled tasks named similarly to "System health check."
  • Activity showing a shift from Python-based backdoors to obfuscated PowerShell backdoors that use custom three-command protocols and separate acknowledgement/output paths.
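Detection logic for the indicators listed above, as an added example that is not part of GTIG's report: it scans constructed Sysmon-style process-creation records (JSON lines) for the CAPTCHA-themed DLL and export names, the "System health check" scheduled task, and, as an assumed heuristic the report does not state, rundll32 spawning a scripting interpreter.

```python
"""Detection sketch for the NOROBOT delivery-chain indicators.
Added example, not GTIG's code; SAMPLE_LOG is constructed, not real telemetry."""
import json
import re

# Indicators from the summary: CAPTCHA-themed DLL/export names and the task name.
DLL_RE = re.compile(r"rundll32(?:\.exe)?\b.*?(?:iamnotarobot\.dll|\bhumancheck\b)", re.I)
TASK_RE = re.compile(r"schtasks(?:\.exe)?\b.*?/create\b.*?system health check", re.I)
# Assumption (not from the report): interpreters a downloader DLL might hand off to.
INTERPRETERS = ("python.exe", "powershell.exe", "cmd.exe")


def evaluate(event):
    """Return the rule names that fire for one process-creation event dict."""
    cmd = event.get("CommandLine", "")
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    hits = []
    if DLL_RE.search(cmd):
        hits.append("rundll32_captcha_dll")           # ClickFix lure stage
    if TASK_RE.search(cmd):
        hits.append("schtasks_system_health_check")   # NOROBOT persistence
    # Heuristic: rundll32 as parent of a scripting interpreter is consistent
    # with the downloader starting a Python or PowerShell backdoor.
    if parent.endswith("rundll32.exe") and image.endswith(INTERPRETERS):
        hits.append("rundll32_spawns_interpreter")
    return hits


def scan(lines):
    """Yield (RecordId, hits) for every JSON line that triggers a rule."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        hits = evaluate(event)
        if hits:
            yield event.get("RecordId"), hits


# Constructed sample: three malicious-looking events and two benign ones.
SAMPLE_LOG = r"""
{"RecordId": 1, "Image": "C:\\Windows\\System32\\rundll32.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "rundll32.exe C:\\Users\\u\\Downloads\\iamnotarobot.dll,humanCheck"}
{"RecordId": 2, "Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "schtasks.exe /create /sc minute /mo 5 /tn \"System health check\" /tr C:\\Users\\u\\run.cmd"}
{"RecordId": 3, "Image": "C:\\Users\\u\\AppData\\Local\\py\\python.exe", "ParentImage": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "python.exe script.py"}
{"RecordId": 4, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe notes.txt"}
{"RecordId": 5, "Image": "C:\\Windows\\System32\\rundll32.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"}
"""

if __name__ == "__main__":
    for record_id, hits in scan(SAMPLE_LOG.splitlines()):
        print(record_id, hits)
```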

Quick glossary

  • DLL (Dynamic Link Library): A shared library used by Windows programs. Malicious actors can craft DLLs that perform arbitrary actions when executed by standard OS utilities.
  • rundll32: A Windows utility that loads and runs functions exported from DLLs; it is sometimes abused to execute malicious DLL code.
  • Backdoor: Malware that provides persistent remote access to a compromised system, often allowing command execution, reconnaissance, and further payload delivery.
  • Command-and-control (C2): Infrastructure and protocols used by attackers to send commands to and receive data from compromised hosts.
  • Persistence: Techniques used by attackers to maintain access on a compromised system across reboots or user sessions, such as scheduled tasks or logon scripts.

Reader FAQ

Is LOSTKEYS still observed after its disclosure?
GTIG reported no observed instances of LOSTKEYS following its public disclosure in May 2025.

How did COLDRIVER deliver the new malware?
GTIG observed an updated COLDCOPY "ClickFix" lure that entices users with a CAPTCHA-like prompt to execute a DLL via rundll32, which then retrieves additional stages.

Was YESROBOT widely deployed?
No — YESROBOT was observed only twice over a two-week period and was soon replaced by the PowerShell backdoor MAYBEROBOT.

Are there confirmed victim identities or numbers?
Not confirmed in the source.

Does the report include recommended mitigations?
Not confirmed in the source.

Written by: Wesley Shields

Introduction

COLDRIVER, a Russian state-sponsored threat group known for targeting high-profile individuals in NGOs, policy advisors and dissidents, swiftly shifted operations after the May 2025…
