A brand new malware attributed to the Russia-linked hacking group generally known as COLDRIVER has undergone quite a few developmental iterations since Might 2025, suggesting an elevated “operations tempo” from the risk actor.
The findings come from Google Risk Intelligence Group (GTIG), which stated the state-sponsored hacking crew has quickly refined and retooled its malware arsenal merely 5 days following the publication of its LOSTKEYS malware across the identical time.
Whereas it is at the moment not identified for the way lengthy the brand new malware households have been beneath improvement, the tech large’s risk intelligence workforce stated it has not noticed a single occasion of LOSTKEYS since disclosure.
The brand new malware, codenamed NOROBOT, YESROBOT, and MAYBEROBOT, is “a group of associated malware households linked by way of a supply chain,” GTIG researcher Wesley Shields stated in a Monday evaluation.
The most recent assault waves are one thing of a departure from COLDRIVER’s typical modus operandi, which includes focusing on excessive profile people in NGOs, coverage advisors, and dissidents for credential theft. In distinction, the brand new exercise revolves round leveraging ClickFix-style lures to trick customers into working malicious PowerShell instructions by way of the Home windows Run dialog as a part of a faux CAPTCHA verification immediate.
Whereas the assaults noticed in January, March, and April 2025 led to the deployment of an data stealing malware generally known as LOSTKEYS, subsequent intrusions have paved the way in which for the “ROBOT” household of malware. It is value noting that the malware households NOROBOT and MAYBEROBOT are tracked by Zscaler ThreatLabz beneath the names BAITSWITCH and SIMPLEFIX, respectively.
The brand new an infection chain commences with an HTML ClickFix lure dubbed COLDCOPY that is designed to drop a DLL referred to as NOROBOT, which is then executed by way of rundll32.exe to drop the next-stage malware. Preliminary variations of this assault is claimed to have distributed a Python backdoor generally known as YESROBOT, earlier than the risk actors change to a Powershell implant named MAYBEROBOT.
YESROBOT makes use of HTTPS to retrieve instructions from a hard-coded command-and-control (C2) server. A minimal backdoor, it helps the power to obtain and execute recordsdata, and retrieve paperwork of curiosity. Solely two situations of YESROBOT deployment have been noticed thus far, particularly over a two week interval in late Might shortly after particulars of LOSTKEYS turned public data.
In distinction, MAYBEROBOT is assessed to be extra versatile and extensible, outfitted with options to obtain and run payload from a specified URL, run instructions utilizing cmd.exe, and run PowerShell code.
It is believed that the COLDRIVER actors rushed to deploy YESROBOT as a “stopgap mechanism” doubtless in response to public disclosure, earlier than abandoning it in favor of MAYBEROBOT, because the earliest model of NOROBOT additionally included a step to obtain a full Python 3.8 set up onto the compromised host — a “noisy” artifact that is sure to boost suspicion.
Google additionally identified that the usage of NOROBOT and MAYBEROBOT is probably going reserved for important targets, who could have been already compromised by way of phishing, with the top purpose of gathering further intelligence from their gadgets.
“NOROBOT and its previous an infection chain have been topic to fixed evolution — initially simplified to extend possibilities of profitable deployment, earlier than re-introducing complexity by splitting cryptography keys,” Shields stated. “This fixed improvement highlights the group’s efforts to evade detection methods for his or her supply mechanism for continued intelligence assortment towards high-value targets.”
The disclosure comes because the Netherlands’ Public Prosecution Service, generally known as the Openbaar Ministerie (OM), introduced that three 17-year-old males have been suspected of offering providers to a overseas authorities, with one in all them alleged to keep in touch with a hacker group affiliated with the Russian authorities.
“This suspect additionally gave the opposite two directions to map Wi-Fi networks on a number of dates in The Hague,” OM said. “The data collected has been shared with the shopper by the previous suspect for a price and can be utilized for digital espionage and cyber assaults.”
Two of the suspects have been apprehended on September 22, 2025, whereas the third suspect, who was additionally interviewed by authorities, has been saved beneath home arrest due to his “restricted position” within the case.
“There are not any indications but that strain has been exerted on the suspect who was in touch with the hacker group affiliated with the Russian authorities,” the Dutch authorities physique added.
