Russian Coldriver Hackers Deploy New 'NoRobot' Malware
Researchers at the Google Threat Intelligence Group (GTIG) have observed a new malware set being deployed by the Russian-affiliated hacking group Coldriver, marking a significant shift in the group's tactics, techniques, and procedures (TTPs). The new malware set, known as NoRobot, YesRobot, and MaybeRobot, appears to have replaced Coldriver's previous primary malware, LostKeys, since its public disclosure in May 2025.
Coldriver, also known as Star Blizzard, Callisto, and UNC4057, is a threat group with attributed links to Russia's intelligence service, the FSB. Active since at least 2017, the group has been focused on credential phishing campaigns targeting high-profile NGOs, former intelligence and military officers, and NATO governments for espionage purposes.
According to GTIG, Coldriver's new NoRobot malware set was used more aggressively than any previous malware campaign attributed to the group. This indicates a rapidly increased development and operations tempo from Coldriver, suggesting that the group is adapting to changing security measures.
The NoRobot Malware: A Deceptive Phishing Lure
The NoRobot malware set begins with a 'ClickFix-style' phishing lure, designed to trick victims into thinking they must verify they're not a robot. This lure is tracked by Google as ColdCopy and prompts users to download and run a malicious dynamic-link library (DLL) via rundll32.exe, a legitimate Windows tool.
The DLL's export function, named humanCheck, reinforces the CAPTCHA deception, making it harder for security tools that monitor script-based execution to detect the attack. Once executed, the NoRobot DLL acts as a downloader, fetching a self-extracting Python 3.8 installer and two encrypted Python scripts from a malicious domain.
The YesRobot Backdoor: A Temporary Stopgap
Early versions of NoRobot used a split-key cryptography scheme, with parts of the decryption key hidden in downloaded files and the Windows Registry. This makes analysis more difficult because missing any component would break the decryption.
NoRobot then fetches a scheduled task to ensure the malware survives reboots. The Python scripts are combined to decrypt and launch a minimal Python-based first-stage backdoor that communicates with a hardcoded command-and-control (C2) server over HTTPS, tracked as YesRobot.
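The two delivery behaviours described above (rundll32.exe loading a user-downloaded DLL through a CAPTCHA-themed export, and a scheduled task that keeps a Python payload alive across reboots) are both visible in ordinary process-creation telemetry. The following is an added detection example, not code from GTIG or from the article; it assumes Sysmon Event ID 1-style field names (Image, CommandLine, ParentImage) delivered as JSON lines, and the sample records are constructed for illustration. Because the article notes that Coldriver rotates export names, the rule treats the DLL's location as the primary signal and the reported humanCheck export name only as a secondary one.

```python
from __future__ import annotations

import json
import re

# Constructed sample telemetry (Sysmon Event ID 1-style fields, JSON lines).
# Records 0 and 2 model the NoRobot delivery chain; the others are benign noise.
SAMPLE_LOG = r'''
{"EventId": 1, "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe C:\\Users\\alice\\Downloads\\captcha_check.dll,humanCheck", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventId": 1, "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventId": 1, "Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks.exe /create /tn Updater /tr \"C:\\Users\\alice\\AppData\\Local\\Temp\\py38\\pythonw.exe C:\\Users\\alice\\AppData\\Local\\Temp\\stage.py\" /sc onlogon", "ParentImage": "C:\\Windows\\System32\\rundll32.exe"}
{"EventId": 1, "Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks.exe /create /tn VendorUpdate /tr \"C:\\Program Files\\Vendor\\update.exe\" /sc daily", "ParentImage": "C:\\Program Files\\Vendor\\setup.exe"}
{"EventId": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt", "ParentImage": "C:\\Windows\\explorer.exe"}
'''

# Directories a phished user can write to without elevation (assumed list).
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(?:Downloads|Desktop|AppData)\\|\\Temp\\", re.I
)
# rundll32 invocation: "<dll>,<export>" or "<dll> <export>".
RUNDLL_ARGS = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*(?:,\s*)?(?P<export>[A-Za-z_]\w*)?',
    re.I,
)
# schtasks /tr argument, quoted or bare.
TASK_ACTION = re.compile(r'/tr\s+"([^"]+)"|/tr\s+(\S+)', re.I)
# Export name reported for NoRobot; rotated by the operators, so secondary only.
REPORTED_EXPORTS = {"humancheck"}


def analyze_event(event: dict) -> list[str]:
    """Return the reasons a single process-creation event looks like NoRobot delivery."""
    reasons: list[str] = []
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "")

    if image.endswith("\\rundll32.exe"):
        m = RUNDLL_ARGS.search(cmd)
        if m:
            if USER_WRITABLE.search(m.group("dll")):
                reasons.append(f"rundll32 loading DLL from user-writable path: {m.group('dll')}")
            if (m.group("export") or "").lower() in REPORTED_EXPORTS:
                reasons.append(f"rundll32 invoking reported export name: {m.group('export')}")

    elif image.endswith("\\schtasks.exe") and "/create" in cmd.lower():
        m = TASK_ACTION.search(cmd)
        action = (m.group(1) or m.group(2)) if m else ""
        if USER_WRITABLE.search(action):
            reasons.append(f"scheduled task action in user-writable path: {action}")
        if "python" in action.lower():
            reasons.append("scheduled task launches a Python interpreter")
        if parent.endswith("\\rundll32.exe"):
            reasons.append("schtasks spawned by rundll32")

    return reasons


def scan(log_text: str) -> dict[int, list[str]]:
    """Map record index -> reasons for every JSON-lines record that triggers a rule."""
    hits: dict[int, list[str]] = {}
    records = [line for line in log_text.strip().splitlines() if line.strip()]
    for idx, line in enumerate(records):
        reasons = analyze_event(json.loads(line))
        if reasons:
            hits[idx] = reasons
    return hits


if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_LOG).items():
        print(f"record {idx}:")
        for reason in reasons:
            print(f"  - {reason}")
```

The benign shell32.dll record passes because the DLL lives under System32 and its export is not on the reported list; the vendor task passes because its action sits under Program Files. In production the user-writable path list and the export set would be tuned to the environment, and the scheduled-task rule would normally be paired with Event ID 4698 (task created) from the Security log for coverage of tasks registered without schtasks.exe.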
The Evolution of MaybeRobot
GTIG noted that Coldriver abandoned YesRobot after just two weeks, likely because it was too cumbersome and easy to detect. The researchers suggested that YesRobot served as a temporary stopgap after the group's previous malware, LostKeys, was exposed.
Around June 2025, Coldriver switched to MaybeRobot, a more flexible PowerShell-based backdoor with no Python script needed. Unlike YesRobot, MaybeRobot's design is extensible, meaning operators can send complex commands dynamically.
Coldriver's Adaptive Tradecraft
Between June and September 2025, Coldriver evolved NoRobot, alternating between simplified and complex infection chains to hinder analysis while ensuring reliable delivery of its MaybeRobot PowerShell backdoor.
Minor but frequent changes, such as rotating infrastructure, filenames, and export functions, demonstrate Coldriver's adaptive tradecraft, forcing defenders to capture multiple components to fully reconstruct attacks.
A New Normal for Coldriver?
The GTIG report builds on a September Zscaler report, in which NoRobot is tracked as BaitSwitch and MaybeRobot as SimpleFix. This marks a new chapter in Coldriver's malware evolution, with the group seemingly embracing more adaptive and evasive tactics.