Google’s Threat Intelligence Group (GTIG) has identified a new wave of activity from the Russian state-sponsored hacking group COLDRIVER—also known as UNC4057, Star Blizzard, or Callisto—following the public disclosure of its LOSTKEYS malware in May 2025.
Within a few days of that exposure, the group shifted to deploying entirely new malware families, collectively referred to as the “ROBOT” series: NOROBOT, YESROBOT, and MAYBEROBOT.
GTIG’s findings indicate that COLDRIVER’s malware development tempo and operational aggressiveness have significantly increased compared to earlier campaigns.
The new infection chain begins with a malicious DLL named NOROBOT, delivered through an updated version of COLDRIVER’s ClickFix lure, previously used to distribute LOSTKEYS.
The new lure masquerades as a CAPTCHA verification page, tricking users into downloading and executing a DLL via the Windows rundll32 command.
The first file discovered was titled iamnotarobot.dll with an export called humanCheck.
NOROBOT operates as an initial-stage downloader that connects to hardcoded command-and-control (C2) servers to retrieve subsequent components of the malware chain.
Early versions of NOROBOT were complex, employing split cryptographic keys and multi-stage decryption to hide payloads.
However, this complexity proved counterproductive—GTIG observed a gradual simplification of NOROBOT’s structure to increase successful infections.
From YESROBOT to MAYBEROBOT
Initially, NOROBOT downloaded a Python-based backdoor known as YESROBOT, which relied on an embedded Python 3.8 interpreter to function.
YESROBOT communicated over HTTPS using AES-encrypted commands and required operators to issue Python code directly for execution.
While functional, this design was cumbersome and raised detection risks due to the full Python installation on victim systems.
Within a few weeks, COLDRIVER abandoned YESROBOT for a leaner and more flexible PowerShell backdoor dubbed MAYBEROBOT.
Unlike its predecessor, MAYBEROBOT required no external runtime and supported three primary operations: downloading and executing files, running system commands via cmd.exe, and executing PowerShell blocks.
Each command type triggered distinct communication paths with the C2 server for acknowledgments and data exfiltration.
GTIG researchers believe MAYBEROBOT was designed to be lightweight and extensible, enabling COLDRIVER to maintain long-term access to compromised systems while minimizing detection.
While the backdoor’s built-in capabilities remain minimal, its modular design allows operators to inject custom PowerShell commands to achieve various objectives, including data theft and persistence.
Continuous evolution of the infection chain
Between June and September 2025, GTIG tracked multiple NOROBOT variants as COLDRIVER iterated on the malware chain.
Variants from early in this period were streamlined for ease of execution, but later builds reintroduced complexity by reimplementing split cryptographic keys and intermediate downloaders.
These shifts appear to trade operational efficiency against evasion of security detections.
Despite NOROBOT’s continuous changes, MAYBEROBOT’s codebase has remained stable—suggesting COLDRIVER considers it a reliable and low-detection final payload.
Researchers have also observed infrastructure rotation, varying DLL names and exports, and changing download paths to further obscure attribution.
GTIG concludes that COLDRIVER’s current focus lies in refining delivery mechanisms rather than redesigning payloads, enabling sustained intelligence collection against policy advisors, NGOs, and dissidents while evading traditional malware defenses.
Malware or phishing?
While COLDRIVER has historically favored phishing campaigns, the shift toward malware deployment suggests a strategic expansion of its intelligence collection methods.
GTIG hypothesizes that the group uses malware like NOROBOT and MAYBEROBOT to deepen access to high-value targets already compromised through phishing.
By infecting endpoints, COLDRIVER can harvest more sensitive intelligence—such as documents and communications not accessible through stolen email accounts alone.
Defensive strategies
Organizations can implement a combination of technical controls and user awareness programs to reduce the risk of infection:
- Block rundll32-based execution: Monitor and restrict rundll32.exe processes initiated by browsers or downloaded files, as this is a key component of COLDRIVER’s delivery chain.
- Restrict risky file types: Prevent users from downloading or executing suspicious DLLs or script files from unverified sources.
- Monitor PowerShell activity: Enable PowerShell script block logging and enforce constrained language mode to detect unauthorized execution.
- Harden persistence detection: Audit scheduled tasks and logon scripts for anomalies consistent with NOROBOT and MAYBEROBOT persistence methods.
- Enhance endpoint visibility: Deploy endpoint detection and response (EDR) tools capable of flagging unusual network connections to external C2 domains.
- User awareness training: Educate employees about fake CAPTCHA prompts and unexpected file download requests that mimic security or verification pages.
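The first and third controls above, and the rundll32-based delivery chain described earlier, can be turned into a concrete hunt over process-creation telemetry. The script below is an added example written for this page, not code from GTIG or from the article: it flags rundll32.exe started by a browser, rundll32.exe loading a DLL from a user-writable directory (which matters because the article notes DLL names and exports rotate between variants), and a script host spawned by rundll32.exe. The record fields follow Sysmon Event ID 1 naming (Image, ParentImage, CommandLine) but every record is constructed; the browser list and the assumption that the downloader hands off directly to a PowerShell child process are this example's own, not something the article states.

```python
"""Hunt constructed process-creation records for the rundll32 delivery pattern.

Added example for this page. Records imitate Sysmon Event ID 1 fields but are
hand-written; nothing here is real telemetry from a COLDRIVER victim.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Browsers whose direct rundll32 children deserve review (assumed list).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}

# Script hosts a downloader DLL might hand off to. That rundll32 spawns the
# PowerShell stage directly is an assumption of this example, not the article.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Directories a standard user can write to. A DLL loaded by rundll32 from one
# of these is suspicious regardless of its file name or export name.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(downloads|appdata)|windows\\temp|temp)\\", re.IGNORECASE
)


@dataclass
class Finding:
    rule: str
    record_id: int
    detail: str


def _exe(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def check_rundll32_launch(rec: dict) -> Optional[Finding]:
    """Flag rundll32.exe started by a browser or loading a DLL from a user-writable path."""
    if _exe(rec["Image"]) != "rundll32.exe":
        return None
    parent = _exe(rec["ParentImage"])
    cmd = rec["CommandLine"]
    if parent in BROWSERS:
        return Finding("rundll32-from-browser", rec["RecordId"], f"parent={parent} cmd={cmd}")
    if USER_WRITABLE.search(cmd):
        return Finding("rundll32-user-writable-dll", rec["RecordId"], f"cmd={cmd}")
    return None


def check_rundll32_child(rec: dict) -> Optional[Finding]:
    """Flag a script host whose parent process is rundll32.exe."""
    if _exe(rec["ParentImage"]) == "rundll32.exe" and _exe(rec["Image"]) in SCRIPT_HOSTS:
        return Finding("rundll32-spawns-script-host", rec["RecordId"],
                       f"child={_exe(rec['Image'])} cmd={rec['CommandLine']}")
    return None


CHECKS = (check_rundll32_launch, check_rundll32_child)


def hunt(records) -> List[Finding]:
    """Run every check over every record and return findings in log order."""
    findings = []
    for rec in records:
        for check in CHECKS:
            hit = check(rec)
            if hit is not None:
                findings.append(hit)
    return findings


# Constructed sample telemetry. Record 1 reuses the DLL name and export the
# article reports; the other file names and the user name are made up.
SAMPLE_EVENTS = [
    {"RecordId": 1,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\Downloads\iamnotarobot.dll,humanCheck"},
    {"RecordId": 2,  # launched from the desktop shell rather than a browser
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\verify.dll,Run"},
    {"RecordId": 3,  # hypothetical hand-off from the DLL to a PowerShell stage
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"powershell.exe -File C:\Users\alice\AppData\Local\Temp\stage.ps1"},
    {"RecordId": 4,  # benign: Control Panel applet hosted by rundll32
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] record {f.record_id}: {f.detail}")
```

Run as-is it reports records 1 to 3 and stays silent on the legitimate rundll32 use in record 4. The path-based rule is deliberately name-agnostic, since the article stresses that file names, exports and download paths change between NOROBOT variants; tuning the user-writable pattern and the browser list to your own environment is the expected next step.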
The road ahead
COLDRIVER’s rapid replacement of LOSTKEYS demonstrates how state-backed threat actors can quickly pivot after exposure, retooling within days to sustain espionage campaigns.
As the group’s ROBOT malware family continues to evolve, defenders must focus on layered detection, strong execution policies, and continuous user education to mitigate risks from similar state-sponsored operations.
