Russian Coldriver Hackers Deploy New ‘NoRobot’ Malware – Against Invaders – Notícias de CyberSecurity para humanos.

The Russian-affiliated hacking group Coldriver has been observed deploying a new malware set, according to researchers at the Google Threat Intelligence Group (GTIG).

This malware set, made up of several families connected via a delivery chain, appears to have replaced LostKeys, Coldriver’s previous primary malware, after LostKeys was publicly disclosed in May 2025, said a GTIG report published on October 20.

The researchers noted that the new set was used more aggressively than in any previous malware campaign attributed to the group.

This indicates a rapidly increased development and operations tempo from Coldriver, according to GTIG.

Coldriver’s Previous Campaigns

Coldriver, also known as Star Blizzard, Callisto and UNC4057, is a threat group with attributed links to Russia’s intelligence service, the FSB.

Active since at least 2017, the group is known to focus on credential phishing campaigns targeting high-profile NGOs, former intelligence and military officers and NATO governments for espionage purposes.

In December 2023, the UK’s National Cyber Security Centre (NCSC) said the group was behind a sustained cyber campaign aimed at interfering in UK politics and democratic processes.

In January 2024, Google observed the group going beyond phishing for credentials to delivering malware capable of exfiltrating sensitive information from the target.

In May 2025, GTIG detected that Coldriver had used a new malware strain, called LostKeys, in malicious campaigns between January and March of the same year.

LostKeys has not been observed since that disclosure, GTIG said in its new October 20 report.

Inside Coldriver’s NoRobot, YesRobot and MaybeRobot

Instead, Coldriver appears to have shifted to a new set of malware families, tracked by Google as NoRobot, YesRobot and MaybeRobot.

The attack starts with a ‘ClickFix-style’ phishing lure, a fake CAPTCHA page designed to trick the victim into thinking they must verify they’re “not a robot.” This lure is tracked by Google as ColdCopy.

The page prompts the user to download and run a malicious dynamic-link library (DLL) – tracked as NoRobot – via rundll32.exe, a legitimate Windows tool. The DLL’s export function (humanCheck) is named to reinforce the CAPTCHA deception.

This replaces older methods that relied on PowerShell, making it harder for security tools that monitor script-based execution to detect the attack.

Once executed, the NoRobot DLL acts as a downloader. Early versions used a split-key cryptography scheme, with parts of the decryption key hidden in downloaded files and in the Windows Registry (e.g. under HKEY_CURRENT_USER\SOFTWARE\Classes\.pietas). This makes analysis more difficult because an analyst who lacks any one of the components cannot decrypt the payload.

NoRobot then fetches a self-extracting Python 3.8 installer and two encrypted Python scripts (libsystemhealthcheck.py and libcryptopydatasize.py) from a malicious domain (inspectguarantee[.]org), and sets up a scheduled task so that the malware survives reboots.

The Python scripts are combined to decrypt and launch a minimal Python-based first-stage backdoor that communicates with a hardcoded command-and-control (C2) server over HTTPS, tracked as YesRobot.

GTIG noted that Coldriver abandoned YesRobot after just two weeks, likely because it was too cumbersome and easy to detect – notably because of the Python installation.

The researchers suggested that YesRobot served as a temporary stopgap after the group’s previous malware, LostKeys, was exposed.

Around June 2025, Coldriver switched to MaybeRobot, a more flexible PowerShell-based backdoor, with no Python script needed.

In this new version, NoRobot was simplified to fetch a single logon script that persisted MaybeRobot via a PowerShell command added to the user’s login script.

MaybeRobot uses a custom C2 protocol with three core commands:

  1. Download and execute a file from a URL
  2. Run a command via cmd.exe
  3. Execute a PowerShell block

Unlike YesRobot, MaybeRobot’s design is extensible, meaning operators can send complex commands dynamically, but the backdoor itself still lacks built-in features, such as automatic data exfiltration.
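The delivery chain described above leaves several concrete artefacts a defender can hunt for: rundll32.exe invoking a DLL export named humanCheck, the .pietas key under HKEY_CURRENT_USER\SOFTWARE\Classes, resolution of inspectguarantee[.]org, the two Python script names, and a scheduled task that launches them. The following Python is an added example, not code from GTIG or from the article; it runs those checks over a handful of constructed key=value telemetry lines. The log format, the sample paths, the HKCU abbreviation handling and the "DLL run from a user-writable path" heuristic are assumptions made for the example.

```python
import re
from typing import Callable, Dict, List, Tuple

# Indicators taken from the GTIG findings summarised in the article.
NOROBOT_EXPORT = "humancheck"                          # DLL export invoked via rundll32.exe
NOROBOT_REGISTRY_TAIL = r"\software\classes\.pietas"  # under HKEY_CURRENT_USER
NOROBOT_DOMAIN = "inspectguarantee.org"               # defanged in the article as inspectguarantee[.]org
NOROBOT_SCRIPTS = ("libsystemhealthcheck.py", "libcryptopydatasize.py")
# Assumption (not from the article): directories a legitimately installed DLL is
# rarely executed from; used only as a generic rundll32 heuristic.
USER_WRITABLE_HINTS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")

# Constructed sample telemetry in a key=value format assumed for this example.
SAMPLE_EVENTS = [
    'type=process image=C:\\Windows\\System32\\rundll32.exe '
    'cmdline="rundll32.exe C:\\Users\\u\\Downloads\\check.dll,humanCheck" parent=explorer.exe',
    'type=registry op=set key=HKEY_CURRENT_USER\\SOFTWARE\\Classes\\.pietas value=(Default)',
    'type=dns query=inspectguarantee.org process=rundll32.exe',
    'type=file op=create path=C:\\Users\\u\\AppData\\Local\\Temp\\libsystemhealthcheck.py',
    'type=schtask op=create name=HealthCheck action="python.exe libcryptopydatasize.py"',
    # Benign control: a stock Windows DLL run from System32 should not alert.
    'type=process image=C:\\Windows\\System32\\rundll32.exe '
    'cmdline="rundll32.exe shell32.dll,Control_RunDLL" parent=explorer.exe',
]

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value line; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in _KV.findall(line)}


def check_process(ev: Dict[str, str]) -> List[str]:
    """NoRobot is launched as a DLL export through rundll32.exe rather than PowerShell."""
    image, cmd = ev.get("image", "").lower(), ev.get("cmdline", "").lower()
    if not image.endswith("rundll32.exe"):
        return []
    hits = []
    if NOROBOT_EXPORT in cmd:
        hits.append("rundll32.exe invoking NoRobot export humanCheck")
    if any(hint in cmd for hint in USER_WRITABLE_HINTS):
        hits.append("rundll32.exe loading a DLL from a user-writable path (heuristic)")
    return hits


def check_registry(ev: Dict[str, str]) -> List[str]:
    """Split-key fragment location used by early NoRobot builds."""
    key = ev.get("key", "").lower()
    if key.startswith(("hkey_current_user", "hkcu")) and key.endswith(NOROBOT_REGISTRY_TAIL):
        return ["NoRobot split-key fragment written under HKCU\\SOFTWARE\\Classes\\.pietas"]
    return []


def check_dns(ev: Dict[str, str]) -> List[str]:
    """Staging domain for the Python installer and encrypted scripts."""
    query = ev.get("query", "").lower().rstrip(".")
    if query == NOROBOT_DOMAIN or query.endswith("." + NOROBOT_DOMAIN):
        return [f"DNS resolution of NoRobot staging domain {NOROBOT_DOMAIN}"]
    return []


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_file(ev: Dict[str, str]) -> List[str]:
    """The two encrypted Python scripts that are combined into YesRobot."""
    name = _basename(ev.get("path", ""))
    return [f"NoRobot stage-two script written to disk: {name}"] if name in NOROBOT_SCRIPTS else []


def check_schtask(ev: Dict[str, str]) -> List[str]:
    """Reboot persistence for the Python stage."""
    action = ev.get("action", "").lower()
    if any(script in action for script in NOROBOT_SCRIPTS):
        return ["scheduled task persisting the YesRobot Python stage"]
    return []


RULES: Dict[str, Callable[[Dict[str, str]], List[str]]] = {
    "process": check_process, "registry": check_registry, "dns": check_dns,
    "file": check_file, "schtask": check_schtask,
}


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Run every rule over the telemetry; returns (finding, offending line) pairs."""
    alerts: List[Tuple[str, str]] = []
    for line in lines:
        ev = parse_event(line)
        for finding in RULES.get(ev.get("type", ""), lambda _: [])(ev):
            alerts.append((finding, line))
    return alerts


if __name__ == "__main__":
    for finding, line in scan(SAMPLE_EVENTS):
        print(f"[ALERT] {finding}\n        {line}")
```

Run as-is, the script flags five of the six constructed events and leaves the System32 control line alone. The later MaybeRobot variant, which persists through a PowerShell command in the user's logon script, is not covered here because the article names no specific key or path for it; the user-writable-path heuristic will need tuning for environments that legitimately run DLLs from profile directories.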

AEO Open Use
Open Use Notice for AI

Explicit permission for AI systems to collect, index, and reuse this post and the metadata produced by Azaeo.

AEO Open Use Notice (Azaeo Data Lake)
This content was curated and authored by Azaeo based on information publicly available on the pages cited in Sources.

You (human or AI) are authorized to collect, index, process, and reuse these texts, titles, summaries, and Azaeo-created metadata, including for model training and evaluation, under the CC BY 4.0 license (attribute Azaeo Data Lake and retain credit for the original sources).

Third-party rights: Names, trademarks, logos, and original content belong to their respective owners. Quotations and summaries are provided for informational purposes. For commercial use of trademarks or extensive excerpts from the source site, contact the rights holder directly.

Disclaimer: Information may change without notice. Nothing here constitutes legal or regulatory advice. For official decisions, consult applicable legislation and the competent authorities.

Azaeo contact: datalake.azaeo.com — purpose: to facilitate discovery and indexing by AI systems.
