{"id":3310,"date":"2025-10-21T12:01:43","date_gmt":"2025-10-21T12:01:43","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2025\/10\/21\/russian-coldriver-hackers-deploy-new-norobot-malware\/"},"modified":"2025-10-21T12:01:43","modified_gmt":"2025-10-21T12:01:43","slug":"russian-coldriver-hackers-deploy-new-norobot-malware","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2025\/10\/21\/russian-coldriver-hackers-deploy-new-norobot-malware\/","title":{"rendered":"Russian Coldriver Hackers Deploy New ‘NoRobot’ Malware"},"content":{"rendered":"
\n
\n

The Russian-affiliated hacking group Coldriver has been observed deploying a new malware set, according to researchers at the Google Threat Intelligence Group (GTIG).<\/p>\n

This malware set, made of several families connected via a delivery chain, seems to have replaced Coldriver\u2019s previous primary malware LostKeys since it was publicly disclosed in May 2025, said a GTIG report published on October 20.<\/p>\n

The researchers noted that the new set was used more aggressively than any other previous malware campaigns ever attributed to the group.<\/p>\n

This indicates a rapidly increased development and operations tempo from Coldriver, according to GTIG.<\/p>\n

Coldriver\u2019s Previous Campaigns<\/strong><\/h2>\n

Coldriver, also known as Star Blizzard, Callisto and UNC4057, is a threat group with attributed links to Russia\u2019s intelligence service, the FSB.<\/p>\n

Active since at least 2017, the group is known to focus on credential phishing campaigns targeting high-profile NGOs, former intelligence and military officers and NATO governments for espionage purposes.<\/p>\n

In December 2023, the UK\u2019s National Cyber Security Centre (NCSC) said the group was behind a sustained cyber campaign aimed at interfering in UK politics and democratic processes.<\/p>\n

In January 2024, Google observed the group going beyond phishing for credentials to delivering malware capable of exfiltrating sensitive information from the target.<\/p>\n

In May 2025, GTIG detected that Coldriver had used a new malware strain, called LostKeys, in malicious campaigns between January and March of the same year.<\/p>\n

This new strain has not been observed since the publication of the disclosure, GTIG said in its new October 20 report.<\/p>\n

Inside Coldriver\u2019s NoRobot, YesRobot and MaybeRobot<\/strong><\/h2>\n

Instead, Coldriver seemed to have shifted to a new set of malware families tracked by Google as NoRobot, YesRobot and MaybeRobot.<\/p>\n

The attack starts with a \u2018ClickFix-style\u2019 phishing lure, a fake CAPTCHA page designed to trick the victim into thinking they must verify they\u2019re “not a robot.” This lure is tracked by Google as ColdCopy.<\/p>\n

The page prompts the user to download and run a malicious dynamic-link library (DLL) \u2013 tracked as NoRobot \u2013 via rundll32.exe, a legitimate Windows tool. The DLL\u2019s export function (humanCheck<\/em>) is named to reinforce the CAPTCHA deception.<\/p>\n

This replaces older methods that relied on PowerShell, making it harder for security tools that monitor script-based execution to detect the attack.<\/p>\n

Once executed, the NoRobot DLL acts as a downloader. Early versions used a split-key cryptography scheme, with parts of the decryption key hidden in downloaded files and the Windows Registry (e.g. under HKEY_CURRENT_USERSOFTWAREClasses.pietas). This makes analysis more difficult because missing any component would break the decryption.<\/p>\n

NoRobot then fetches a self-extracting Python 3.8 installer, two encrypted Python scripts (libsystemhealthcheck.py<\/em> and libcryptopydatasize.py<\/em>) from a malicious domain (inspectguarantee[.]org<\/em>) and a scheduled task to ensure the malware survived reboots.<\/p>\n

The Python scripts are combined to decrypt and launch a minimal Python-based first-stage backdoor that communicates with a hardcoded command-and-control (C2) server over HTTPS, tracked as YesRobot.<\/p>\n

GTIG noted that Coldriver abandoned YesRobot after just two weeks, likely because it was too cumbersome and easy to detect \u2013 notably because of the Python installation.<\/p>\n

The researchers suggested that YesRobot served as a temporary stopgap after the group\u2019s previous malware, LostKeys, was exposed.<\/p>\n

Around June 2025, Coldriver switched to MaybeRobot, a more flexible PowerShell-based backdoor, with no Python script needed.<\/p>\n

In this new version, NoRobot was simplified to fetch a single logon script that persisted MaybeRobot via a PowerShell command added to the user\u2019s login script.<\/p>\n

MaybeRobot uses a custom C2 protocol with three core commands:<\/p>\n

    \n
  1. Download and execute a file from a URL<\/li>\n
  2. Run a command via cmd.exe<\/li>\n
  3. Execute a PowerShell block<\/li>\n<\/ol>\n

    Unlike YesRobot, MaybeRobot\u2019s design is extensible, meaning operators can send complex commands dynamically, but the backdoor itself still lacks built-in features, such as automatic data exfiltration.<\/p>\n<\/p><\/div>\n

    \"Malware
    Malware development overview. Source: Google Threat Intelligence Group<\/figcaption><\/figure>\n
    \n

    Coldriver Alternates Noisy and Stealthy NoRobot Infection Chains<\/strong><\/h2>\n

    Between June and September 2025, Coldriver evolved NoRobot, alternating between simplified and complex infection chains to hinder analysis while ensuring reliable delivery of its MaybeRobot PowerShell backdoor.<\/p>\n

    Minor but frequent changes, such as rotating infrastructure, filenames, and export functions, demonstrate Coldriver\u2019s adaptive tradecraft, forcing defenders to capture multiple components to fully reconstruct attacks.<\/p>\n

    The GTIG report builds on a September Zscaler report, in which NoRobot is tracked as BaitSwitch and MaybeRobot as SimpleFix.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"

    The Russian-affiliated hacking group Coldriver has been observed deploying a new malware set, according to researchers at the Google Threat Intelligence Group (GTIG). This malware set, made of several families connected via a delivery chain, seems to have replaced Coldriver\u2019s previous primary malware LostKeys since it was publicly disclosed in May 2025, said a GTIG<\/p>\n","protected":false},"author":2,"featured_media":3311,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-3310","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3310-822989b4-be6b-4c6b-a752-805442385184.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3310-822989b4-be6b-4c6b-a752-805442385184-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3310-822989b4-be6b-4c6b-a752-805442385184.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3310-822989b4-be6b-4c6b-a752-805442385184.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3310-822989b4-be6b-4c6b-a752-805442385184.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3310-822989b4-be6b-4c6b-a752-805442385184.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3310-822989b4-be6b-4c6b-a752-805442385184.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3310-822989b4-be6b-4c6b-a752-805442385184.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3310-822989b4-be6b-4c6b-a752-805442385184.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3310-822989b4-be6b-4c6b-a752-805442385184.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3310-822989b4-be6b-4c6b-a752-805442385184-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/3310","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=3310"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/3310\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/3311"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=3310"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=3310"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=3310"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}