The Russia-linked hacking group COLDRIVER has been quickly upgrading its malware since May 2025, when its LOSTKEYS malware was exposed. According to Google’s Threat Intelligence Group, the hackers have been rolling out frequent updates and improvements.
The ColdRiver APT (aka “Seaborgium”, “UNC4057”, “Callisto”, “Star Blizzard”, “TA446”) is a Russian cyberespionage group that has been targeting government officials, military personnel, journalists and think tanks since at least 2015.
According to Google Threat Intelligence Group (GTIG), the group’s new tools have evolved rapidly, showing an accelerated pace of development and aggressive operations.
The Russia-linked APT began retooling its operations with a new malicious DLL named NOROBOT, delivered through an updated COLDCOPY “ClickFix” lure disguised as a CAPTCHA. Unlike older PowerShell-based infections, this version tricks users into launching the malware via rundll32.
The first NOROBOT version dropped a Python backdoor called YESROBOT, but the group soon replaced it with a more flexible PowerShell variant named MAYBEROBOT.
Since then, COLDRIVER has constantly refined NOROBOT, simplifying the chain to improve success, then reintroducing complexity with split encryption keys to make detection harder. These changes show the group’s determination to stay hidden and maintain access to high-value intelligence targets.
COLDRIVER shifted to a “ClickFix” lure that tricks users into running a DLL via rundll32. The initial DLL, NOROBOT (iamnotarobot.dll), reached out to hardcoded C2 servers, prepared the host and fetched next-stage components. Early NOROBOT versions split cryptographic keys across downloaded pieces and extracted a noisy Python 3.8 runtime, stored key parts in the registry, and created persistence via a scheduled task that launched a Python script. That chain decrypted and launched a Python backdoor named YESROBOT, which accepted only Python code as commands and proved cumbersome and short-lived.
Starting in June, operators replaced YESROBOT with MAYBEROBOT and simplified NOROBOT to fetch a single logon-script payload that installed a heavily obfuscated PowerShell backdoor. MAYBEROBOT implements a compact custom protocol supporting three commands (download-and-execute, run a cmd.exe command, or run a PowerShell block) and sends acknowledgements and outputs to separate C2 paths. Compared to YESROBOT, MAYBEROBOT doesn’t require Python, is easier to operate, and offers greater extensibility, while NOROBOT continues evolving to balance stealth and deployability.
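The delivery chain above leaves three host-side traces a defender can look for in process-creation telemetry: rundll32 loading a DLL the user just dropped on disk, a scheduled task whose action runs a Python interpreter, and a Python runtime executing from a user-writable directory. The triage script below is an added example, not code from GTIG’s report or from Google. It assumes Sysmon-style fields (`image`, `cmdline`, `parent`), treats AppData/Temp/Downloads as the user-writable locations of interest, and allowlists the standard per-user Python install path to avoid false positives; the sample records, including the DLL path and the `EntryPoint` export name, are constructed for the example.

```python
"""Triage process-creation records for the delivery patterns described in the
article: rundll32 loading a DLL from a user-writable path (ClickFix lure), a
scheduled task that launches Python (early NOROBOT persistence), and a Python
interpreter running outside a normal install location (the extracted runtime).
Field names mimic Sysmon Event ID 1 but are an assumption of this example."""

import re

# Directories a lure can write to without elevation (assumption, not from the report).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
# Normal per-user CPython install location; excluded to reduce false positives.
PYTHON_INSTALL_ALLOWLIST = ("\\appdata\\local\\programs\\python\\",)
# Parents from which a copy-paste-and-run lure usually starts (assumption).
INTERACTIVE_PARENTS = ("explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe", "cmd.exe", "powershell.exe")

# rundll32 syntax: <path>.dll,<ExportName>  (path optionally quoted)
DLL_ARG = re.compile(r'"?([A-Za-z]:\\[^"]+?\.dll)"?,\s*(\w+)')
# schtasks /tr "<action>"  or  /tr <action-without-spaces>
SCHTASKS_TR = re.compile(r'/tr\s+("[^"]+"|\S+)', re.IGNORECASE)
PYTHON_ACTION = re.compile(r"pythonw?(\.exe)?\b|\.py\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rundll32_user_dll(ev):
    """rundll32 with a DLL argument under a user-writable directory."""
    if basename(ev["image"]) != "rundll32.exe":
        return None
    m = DLL_ARG.search(ev["cmdline"])
    if not m:
        return None
    dll, export = m.group(1), m.group(2)
    if not any(marker in dll.lower() for marker in USER_WRITABLE_MARKERS):
        return None
    parent = basename(ev.get("parent", ""))
    severity = "high" if parent in INTERACTIVE_PARENTS else "medium"
    return {"rule": "rundll32_user_writable_dll", "severity": severity, "dll": dll, "export": export}


def schtasks_python_action(ev):
    """Scheduled-task creation whose action launches Python or a .py script."""
    if basename(ev["image"]) != "schtasks.exe" or "/create" not in ev["cmdline"].lower():
        return None
    m = SCHTASKS_TR.search(ev["cmdline"])
    action = m.group(1).strip('"') if m else ""
    if PYTHON_ACTION.search(action):
        return {"rule": "schtasks_python_action", "severity": "high", "action": action}
    return None


def python_outside_install(ev):
    """python.exe/pythonw.exe running from a user-writable, non-install path."""
    image = ev["image"].lower()
    if basename(image) not in ("python.exe", "pythonw.exe"):
        return None
    if any(ok in image for ok in PYTHON_INSTALL_ALLOWLIST):
        return None
    if any(marker in image for marker in USER_WRITABLE_MARKERS):
        return {"rule": "python_from_user_writable_dir", "severity": "medium", "image": ev["image"]}
    return None


RULES = (rundll32_user_dll, schtasks_python_action, python_outside_install)


def triage(events):
    """Run every rule over every event; return the list of hits in event order."""
    hits = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hits.append(hit)
    return hits


# Constructed sample telemetry (not real events; paths and export name are invented).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\iamnotarobot.dll",EntryPoint',
     "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "parent": r"C:\Windows\System32\svchost.exe"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "SystemUpdate" /tr "C:\Users\alice\AppData\Local\Temp\py38\python.exe C:\Users\alice\AppData\Local\Temp\py38\run.py" /sc onlogon',
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Users\alice\AppData\Local\Programs\Python\Python312\python.exe",
     "cmdline": r"python.exe build.py", "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\py38\python.exe",
     "cmdline": r"python.exe C:\Users\alice\AppData\Local\Temp\py38\run.py",
     "parent": r"C:\Windows\System32\svchost.exe"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "Backup" /tr "C:\Windows\System32\notepad.exe" /sc daily',
     "parent": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The rules key on behaviour (where the DLL lives, what the task runs) rather than on the names GTIG observed, because the report itself notes that COLDRIVER rotates DLL names, export names and retrieval paths; the allowlist for the standard Python install directory is the kind of tuning such a rule needs before it is useful in a real environment.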
“As MAYBEROBOT became the more commonly observed final backdoor in these operations, the NOROBOT infection chain to get there continued evolving,” states GTIG’s report. “Over the course of this period of time, COLDRIVER simplified their malware infection chain and implemented basic evasion techniques, such as rotating infrastructure and file naming conventions, paths where files were retrieved from, how those paths were constructed, changing the export name and changing the DLL name.”
From June to September 2025, GTIG observed COLDRIVER intensifying the development of its NOROBOT malware. Simplified versions made tracking easier, while later variants reintroduced cryptographic keys and multi-stage download steps to hinder analysis.
COLDRIVER phased out the Python-based YESROBOT backdoor, which was prone to detection and limited in functionality, replacing it with the leaner, more flexible MAYBEROBOT. NOROBOT’s delivery chain evolved with rotated infrastructure, changed file names, DLL names, and export names, while MAYBEROBOT remained stable, reflecting the group’s focus on concealing delivery mechanisms while relying on a trusted payload.
Overall, the campaign demonstrates COLDRIVER’s strategy of continuously refining malware delivery, evading detection, and ensuring persistent intelligence collection against high-value targets.
“It is currently not known why COLDRIVER chooses to deploy malware over the more traditional phishing they are known for, but it is clear that they have spent significant development effort to re-tool and deploy their malware to specific targets. One hypothesis is that COLDRIVER attempts to deploy NOROBOT and MAYBEROBOT on significant targets which they may have previously compromised via phishing and already stolen emails and contacts from, and are now looking to acquire additional intelligence value from information on their devices directly,” concludes the report.
“As COLDRIVER continues to develop and deploy this chain we believe that they will continue their aggressive deployment against high-value targets to achieve their intelligence collection requirements.”
(SecurityAffairs – hacking, COLDRIVER)