Following the public disclosure of its LOSTKEYS malware in May 2025, the Russian state-sponsored threat group known as COLDRIVER, also tracked under aliases such as UNC4057, Star Blizzard, and Callisto, has rapidly evolved its cyber operations.
According to research from the Google Threat Intelligence Group (GTIG), the group abandoned LOSTKEYS just five days after its exposure and began deploying new malware strains that demonstrate a significant escalation in development speed and operational aggression.
COLDRIVER, a persistent threat group targeting high-profile individuals associated with NGOs, policy think tanks, and political dissidents, has shown adaptability and persistence in the face of increased scrutiny. GTIG reports that the group’s latest efforts involve a chain of related malware families, delivered via a mechanism mimicking a CAPTCHA prompt, an evolution of its earlier COLDCOPY lures.
NOROBOT and the Infection Chain
The main part of the campaign is NOROBOT, a malicious DLL file first distributed using a lure called “ClickFix.” This technique impersonates a CAPTCHA challenge, prompting users to verify that they are “not a robot”, hence the malware name. Once the user runs the file via rundll32, NOROBOT initiates a sequence that connects to a hardcoded command-and-control (C2) server to retrieve the next stage of the malware.
GTIG notes that NOROBOT has undergone continuous updates between May and September 2025. Initial versions were fetched and installed in a full Python 3.8 environment, which was then used to run a backdoor dubbed YESROBOT. This method left obvious traces, such as the Python installation, that could trigger alerts. As a result, COLDRIVER later replaced YESROBOT with a more streamlined and stealthier PowerShell-based backdoor: MAYBEROBOT.
NOROBOT’s earlier iterations relied on cryptographic obfuscation, splitting AES keys across various components. For instance, part of the key was stored in the Windows Registry, while the rest was embedded in downloaded Python scripts like libsystemhealthcheck.py. These files, hosted on domains such as inspectguarantee[.]org, were essential to decrypt and activate the final backdoor.
YESROBOT: A Short-Lived Backdoor
YESROBOT, a minimal Python backdoor, was observed only twice over a two-week window in late May 2025. Commands were AES-encrypted and issued over HTTPS, with system identifiers included in the User-Agent string. However, its limitations, such as the need for a full Python interpreter and lack of extensibility, led COLDRIVER to abandon it quickly.
GTIG believes YESROBOT served as a stopgap solution, hastily deployed after LOSTKEYS was exposed. The effort to maintain operational continuity suggests that COLDRIVER was under pressure to re-establish footholds on previously compromised systems.
MAYBEROBOT: COLDRIVER’s New Standard
In early June 2025, GTIG identified a simplified version of NOROBOT that bypassed the need for Python altogether. This new variant fetched a single PowerShell command, which established persistence via a logon script and delivered a heavily obfuscated script known as MAYBEROBOT (also referred to as SIMPLEFIX by Zscaler).
MAYBEROBOT supports three functions:
- Download and execute code from a specified URL.
- Run commands using cmd.exe.
- Execute PowerShell blocks.
It communicates with the C2 server using a custom protocol, sending acknowledgments and command outputs to predefined paths. Although minimal in built-in functionality, MAYBEROBOT’s architecture is more adaptable and stealthy compared to YESROBOT.
GTIG assesses that this evolution marks a deliberate shift by COLDRIVER toward a more flexible toolset that avoids detection by skipping Python installation and minimizing suspicious behavior.
COLDRIVER’s Continuous Malware Evolution
From June through September 2025, GTIG observed COLDRIVER continuously refining NOROBOT and its associated delivery chains. These changes include:
- Rotating file names and infrastructure.
- Modifying DLL export names and paths.
- Adjusting complexity to balance between stealth and operational control.
Interestingly, while NOROBOT has seen multiple iterations, MAYBEROBOT has remained largely unchanged, suggesting the group is confident in its current capabilities.
