Russian Hackers Deploy New Malware Suite
The Russian-affiliated hacking collective Coldriver has been observed deploying a sophisticated new malware set, according to researchers at the Google Threat Intelligence Group. The report states this new malware family, tracked as NoRobot, appears to have replaced the group’s previous primary malware LostKeys since it was publicly disclosed in May 2025.
Analysts suggest the new malware was used more aggressively than in any previous campaign attributed to the group, indicating a sharply increased development and operations tempo from Coldriver. The group, also tracked as Star Blizzard, Callisto and UNC4057, has been linked to Russia's Federal Security Service (FSB).
Evolution of Coldriver’s Tactics
Active since at least 2017, the group has historically focused on credential phishing campaigns targeting high-profile NGOs, former intelligence and military officers, and NATO governments for espionage purposes. In December 2023, the UK's National Cyber Security Centre stated that the group was behind a sustained cyber campaign aimed at interfering in UK politics and democratic processes.
The researchers noted that by January 2024 Google had observed the group expanding beyond credential phishing to delivering malware capable of exfiltrating sensitive information from targets. This evolution continued with the LostKeys malware, detected in campaigns between January and March 2025, which has not been observed since its public disclosure.
Sophisticated Attack Chain
According to the report, Coldriver has shifted to a new set of malware families tracked as NoRobot, YesRobot and MaybeRobot. The attack begins with a ‘ClickFix-style’ phishing lure tracked as ColdCopy – a fake CAPTCHA page designed to trick victims into thinking they must verify they’re “not a robot.”
The page prompts users to download and run a malicious dynamic-link library (DLL), tracked as NoRobot, via rundll32.exe, a legitimate Windows tool. The report states that the DLL's export function (humanCheck) is named to reinforce the CAPTCHA deception. Executing a DLL through rundll32.exe replaces the group's earlier reliance on PowerShell and sidesteps security tools that focus on monitoring script-based execution.
Technical Sophistication and Adaptation
Once executed, the NoRobot DLL acts as a downloader. Early versions used a sophisticated split-key cryptography scheme, with parts of the decryption key hidden in downloaded files and the Windows Registry. Analysts suggest this makes analysis more difficult because missing any component would break the decryption process.
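To make the split-key point concrete, here is an added illustration (written for this page, not Coldriver's actual scheme or any code from the report) of an n-of-n key split: the decryption key exists only when every share is present, so an analyst who captures the downloaded file but not the registry value, or vice versa, cannot decrypt the next stage. The share locations are simulated with plain variables, and the keystream cipher is a toy SHA-256 counter construction chosen so the example runs on the standard library alone; a real implementation would use AES.

```python
import hashlib
import hmac
import os


def split_key(key, n):
    """n-of-n split: n-1 random shares, plus one share = key XOR all others.
    Any n-1 shares reveal nothing about the key (one-time-pad property)."""
    shares = [os.urandom(len(key)) for _ in range(n - 1)]
    last = bytes(key)
    for s in shares:
        last = bytes(a ^ b for a, b in zip(last, s))
    return shares + [last]


def join_key(shares):
    """Reconstruct the key by XORing every share together."""
    out = bytes(len(shares[0]))
    for s in shares:
        out = bytes(a ^ b for a, b in zip(out, s))
    return out


def keystream(key, length):
    """Toy counter-mode keystream from SHA-256 (illustrative only, not AES)."""
    out = b""
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def encrypt(key, plaintext):
    """XOR with the keystream, then append an HMAC tag so tampering or a
    wrong key is detected rather than producing silent garbage."""
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, len(plaintext))))
    tag = hmac.new(key, ct, "sha256").digest()
    return ct + tag


def decrypt(key, blob):
    """Return the plaintext, or None if the key does not verify the tag."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, ct, "sha256").digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(key, len(ct))))


def demo():
    """Simulate the downloader: one share travels in a downloaded file, one
    sits in a registry value, one is embedded in the DLL (all constructed)."""
    key = os.urandom(32)
    stage2 = b"constructed second-stage payload"
    blob = encrypt(key, stage2)
    downloaded_file_share, registry_share, embedded_share = split_key(key, 3)
    full = decrypt(join_key([downloaded_file_share, registry_share, embedded_share]), blob)
    # An analyst who failed to collect the registry value gets nothing usable.
    partial = decrypt(join_key([downloaded_file_share, embedded_share]), blob)
    return full, partial


if __name__ == "__main__":
    full, partial = demo()
    print("all shares:", full)
    print("missing registry share:", partial)
```

The triage lesson is the converse of the malware author's intent: before detonating or statically decrypting such a downloader, collect every dropped file and every registry value it touches, because the reconstruction is all-or-nothing.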
NoRobot then fetches a self-extracting Python 3.8 installer, two encrypted Python scripts, and a scheduled task that ensures the malware survives reboots. The two scripts combine to decrypt and launch a minimal Python-based first-stage backdoor, tracked as YesRobot, which communicates with a hardcoded command-and-control server over HTTPS.
Rapid Malware Evolution
The Google researchers noted that Coldriver abandoned YesRobot after just two weeks, likely because it was too cumbersome and easy to detect due to the Python installation. Sources indicate YesRobot served as a temporary stopgap after the group’s previous LostKeys malware was exposed.
Around June 2025, Coldriver switched to MaybeRobot, a more flexible PowerShell-based backdoor with no dependency on a Python installation. In this refined version, NoRobot was simplified to fetch a single logon script, which persists MaybeRobot through a PowerShell command added to the user's login script.
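The execution and persistence behaviours described above (rundll32.exe loading a user-downloaded DLL by export name, a scheduled task created by that process, and a PowerShell command planted in a user logon script) are all visible in endpoint telemetry. The following is an added example of triage rules written for this page, not a published signature from Google or anyone else. The log records are constructed in a simplified key=value form rather than real Sysmon or Security-log layout, the field names are assumptions, and the UserInitMprLogonScript registry value is used as a generic Windows per-user logon-script location; the article does not say which mechanism Coldriver used.

```python
import re

# Constructed sample records in a simplified key=value|key=value form
# (not Sysmon's real layout). Field names and values are assumptions.
SAMPLE_LOG = [
    "Type=Process|Image=C:\\Windows\\System32\\rundll32.exe|ParentImage=C:\\Windows\\explorer.exe|"
    "CommandLine=rundll32.exe C:\\Users\\alice\\Downloads\\verify.dll,humanCheck",
    "Type=Process|Image=C:\\Windows\\System32\\schtasks.exe|ParentImage=C:\\Windows\\System32\\rundll32.exe|"
    "CommandLine=schtasks /create /sc onlogon /tn Updater /tr C:\\Users\\alice\\AppData\\Local\\py\\python.exe",
    "Type=Registry|Image=C:\\Windows\\System32\\rundll32.exe|"
    "TargetObject=HKU\\S-1-5-21-1\\Environment\\UserInitMprLogonScript|"
    "Details=powershell.exe -WindowStyle Hidden -File C:\\Users\\alice\\AppData\\Local\\m.ps1",
    "Type=Process|Image=C:\\Windows\\System32\\rundll32.exe|ParentImage=C:\\Windows\\explorer.exe|"
    "CommandLine=rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL",
    "Type=Process|Image=C:\\Windows\\System32\\schtasks.exe|ParentImage=C:\\Windows\\System32\\svchost.exe|"
    "CommandLine=schtasks /query /tn Updater",
]

# Paths a phishing lure can write to without admin rights (assumed list;
# extend for your environment).
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData|Desktop)\\|\\Temp\\", re.I)
# rundll32 syntax: <dll path>,<export name>
DLL_EXPORT = re.compile(r'"?([^",\s]+\.dll)"?\s*,\s*([A-Za-z_]\w*)', re.I)


def parse(line):
    """Turn one constructed record into a dict."""
    return dict(kv.split("=", 1) for kv in line.split("|"))


def rule_rundll32_user_dll(rec):
    """rundll32.exe calling a named export of a DLL in a user-writable path."""
    if rec.get("Type") != "Process" or not rec.get("Image", "").lower().endswith("\\rundll32.exe"):
        return None
    m = DLL_EXPORT.search(rec.get("CommandLine", ""))
    if m and USER_WRITABLE.search(m.group(1)):
        return f"rundll32 loaded DLL from user-writable path, export {m.group(2)}"
    return None


def rule_schtasks_from_rundll32(rec):
    """schtasks /create spawned by rundll32.exe, or whose action lives in a
    user-writable path (the downloader's reboot persistence)."""
    if rec.get("Type") != "Process" or not rec.get("Image", "").lower().endswith("\\schtasks.exe"):
        return None
    cmd = rec.get("CommandLine", "").lower()
    parent = rec.get("ParentImage", "").lower()
    if "/create" in cmd and (parent.endswith("\\rundll32.exe") or USER_WRITABLE.search(cmd)):
        return "scheduled task created by rundll32 child or pointing at user-writable path"
    return None


def rule_logon_script_registry(rec):
    """A per-user logon script value being written, flagged louder if it
    launches PowerShell (the MaybeRobot persistence pattern)."""
    if rec.get("Type") != "Registry":
        return None
    if rec.get("TargetObject", "").lower().endswith("\\environment\\userinitmprlogonscript"):
        tag = " (PowerShell)" if "powershell" in rec.get("Details", "").lower() else ""
        return "logon script registry value set" + tag
    return None


RULES = (rule_rundll32_user_dll, rule_schtasks_from_rundll32, rule_logon_script_registry)


def scan(lines):
    """Return [(line_index, rule_name, message)] for every record that fires."""
    hits = []
    for i, line in enumerate(lines):
        rec = parse(line)
        for rule in RULES:
            msg = rule(rec)
            if msg:
                hits.append((i, rule.__name__, msg))
    return hits


if __name__ == "__main__":
    for i, name, msg in scan(SAMPLE_LOG):
        print(f"record {i}: {name}: {msg}")
```

The two benign records (shell32.dll loaded from System32, and a schtasks query) do not fire, which is the point of keying on the user-writable path and the parent process rather than on rundll32.exe or schtasks.exe alone; both are far too common on a Windows estate to alert on by themselves.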
MaybeRobot uses a custom C2 protocol with three core commands and features an extensible design, meaning operators can send complex commands dynamically. However, analysts note the backdoor still lacks built-in features such as automatic data exfiltration, suggesting the group continues to refine their tools despite the increased operational tempo.
The UK’s National Cyber Security Centre has previously warned about Coldriver’s activities targeting democratic processes, making this new malware development particularly concerning for security professionals worldwide.