Oct 21, 2025Ravie LakshmananCyber Espionage / Menace Intelligence
A brand new malware attributed to the Russia-linked hacking group generally known as COLDRIVER has undergone quite a few developmental iterations since Might 2025, suggesting an elevated “operations tempo” from the risk actor.
The findings come from Google Menace Intelligence Group (GTIG), which mentioned the state-sponsored hacking crew has quickly refined and retooled its malware arsenal merely 5 days following the publication of its LOSTKEYS malware across the similar time.
Whereas it is presently not recognized for the way lengthy the brand new malware households have been beneath improvement, the tech large’s risk intelligence group mentioned it has not noticed a single occasion of LOSTKEYS since disclosure.
The brand new malware, codenamed NOROBOT, YESROBOT, and MAYBEROBOT, is “a set of associated malware households linked by way of a supply chain,” GTIG researcher Wesley Shields mentioned in a Monday evaluation.
The most recent assault waves are one thing of a departure from COLDRIVER’s typical modus operandi, which entails concentrating on excessive profile people in NGOs, coverage advisors, and dissidents for credential theft. In distinction, the brand new exercise revolved round leveraging ClickFix-style lures to trick customers into operating malicious PowerShell instructions by way of the Home windows Run dialog as a part of a faux CAPTCHA verification immediate.
Whereas the assaults noticed in January, March, and April 2025 led to the deployment of an info stealing malware generally known as LOSTKEYS, subsequent intrusions have paved the way in which for the “ROBOT” household of malware. It is value noting that the malware households NOROBOT and MAYBEROBOT are tracked by Zscaler ThreatLabz beneath the names BAITSWITCH and SIMPLEFIX, respectively.
The brand new an infection chain commences with an HTML ClickFix lure dubbed COLDCOPY that is designed to drop a DLL referred to as NOROBOT, which is then executed by way of rundll32.exe to drop the next-stage malware. Preliminary variations of this assault is claimed to have distributed a Python backdoor generally known as YESROBOT, earlier than the risk actors swap to a Powershell implant named MAYBEROBOT.
YESROBOT makes use of HTTPS to retrieve instructions from a hard-coded command-and-control (C2) server. A minimal backdoor, it helps the power to obtain and execute recordsdata, and retrieve paperwork of curiosity. Solely two cases of YESROBOT deployment have been noticed up to now, particularly over a two week interval in late Might shortly after particulars of LOSTKEYS turned public data.
In distinction, MAYBEROBOT is assessed to be extra versatile and extensible, geared up with options to obtain and run payload from a specified URL, run instructions utilizing cmd.exe, and run PowerShell code.
It is believed that the COLDRIVER actors rushed to deploy YESROBOT as a “stopgap mechanism” doubtless in response to public disclosure, earlier than abandoning it in favor of MAYBEROBOT, because the earliest model of NOROBOT additionally included a step to obtain a full Python 3.8 set up onto the compromised host — a “noisy” artifact that is certain to lift suspicion.
Google additionally identified that using NOROBOT and MAYBEROBOT is probably going reserved for vital targets, who might have been already compromised by way of phishing, with the top purpose of gathering extra intelligence from their gadgets.
“NOROBOT and its previous an infection chain have been topic to fixed evolution — initially simplified to extend probabilities of profitable deployment, earlier than re-introducing complexity by splitting cryptography keys,” Shields mentioned. “This fixed improvement highlights the group’s efforts to evade detection methods for his or her supply mechanism for continued intelligence assortment towards high-value targets.”
The disclosure comes because the Netherlands’ Public Prosecution Service, generally known as the Openbaar Ministerie (OM), introduced that three 17-year-old males have been suspected of offering companies to a international authorities, with one in every of them alleged to keep in touch with a hacker group affiliated with the Russian authorities.
“This suspect additionally gave the opposite two directions to map Wi-Fi networks on a number of dates in The Hague,” OM mentioned. “The data collected has been shared with the shopper by the previous suspect for a price and can be utilized for digital espionage and cyber assaults.”
Two of the suspects had been apprehended on September 22, 2025, whereas the third suspect, who was additionally interviewed by authorities, has been saved beneath home arrest due to his “restricted function” within the case.
“There aren’t any indications but that strain has been exerted on the suspect who was involved with the hacker group affiliated with the Russian authorities,” the Dutch authorities physique added.
