
Google Identifies Three New Russian Malware Families Created by COLDRIVER Hackers

A new piece of malware attributed to the Russia-linked hacking group known as COLDRIVER has undergone numerous developmental iterations since May 2025, suggesting an increased "operations tempo" from the threat actor.

The findings come from Google Threat Intelligence Group (GTIG), which said the state-sponsored hacking crew rapidly refined and retooled its malware arsenal merely five days after the publication of its LOSTKEYS malware around the same time.

While it's currently not known for how long the new malware families have been under development, the tech giant's threat intelligence team said it has not observed a single instance of LOSTKEYS since disclosure.

The new malware, codenamed NOROBOT, YESROBOT, and MAYBEROBOT, is "a set of related malware families linked via a delivery chain," GTIG researcher Wesley Shields said in a Monday analysis.


The latest attack waves are something of a departure from COLDRIVER's typical modus operandi, which involves targeting high-profile individuals in NGOs, policy advisors, and dissidents for credential theft. In contrast, the new activity revolved around leveraging ClickFix-style lures to trick users into running malicious PowerShell commands via the Windows Run dialog as part of a fake CAPTCHA verification prompt.


While the attacks observed in January, March, and April 2025 led to the deployment of an information-stealing malware known as LOSTKEYS, subsequent intrusions have paved the way for the "ROBOT" family of malware. It's worth noting that the malware families NOROBOT and MAYBEROBOT are tracked by Zscaler ThreatLabz under the names BAITSWITCH and SIMPLEFIX, respectively.

The new infection chain commences with an HTML ClickFix lure dubbed COLDCOPY that's designed to drop a DLL referred to as NOROBOT, which is then executed via rundll32.exe to drop the next-stage malware. Initial versions of this attack are said to have distributed a Python backdoor known as YESROBOT, before the threat actors switched to a PowerShell implant named MAYBEROBOT.
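As an added illustration (not code from the article or from GTIG), the following Python applies simple process-creation heuristics to constructed Sysmon-style events in order to surface the two stages of the chain described above: PowerShell launched from the Run dialog (explorer.exe parent) with hidden/bypass switches, and rundll32.exe loading a DLL from a user-writable path. The event layout, paths and command lines are assumptions, not real COLDRIVER artifacts.

```python
# Added example: heuristic detection of a ClickFix-style PowerShell -> rundll32 chain.
# Event fields are assumed (modelled on process-creation telemetry); sample data is constructed.
import re

# Constructed sample events: (pid, parent_image, image, command_line)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    # Run-dialog launch: explorer.exe parent, hidden window, policy bypass, stages a DLL
    (400, r"C:\Windows\explorer.exe", PS,
     r'powershell.exe -w hidden -ep bypass -c "rundll32 $env:TEMP\stage.dll,Run"'),
    # The DLL stage itself, loaded from a user-writable temp directory
    (401, PS, r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe C:\Users\u\AppData\Local\Temp\stage.dll,Run"),
    # Benign: interactive PowerShell without suspicious switches
    (402, r"C:\Windows\explorer.exe", PS, r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"),
    # Benign: rundll32 loading a system DLL under a service parent
    (403, r"C:\Windows\System32\services.exe", r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

# Switches that hide the console or bypass execution policy (common ClickFix one-liner traits)
HIDDEN = re.compile(r"-(w|window(style)?)\s+hidden|-(ep|executionpolicy)\s+bypass|-e(nc|ncodedcommand)?\s", re.I)
# DLL paths under directories a standard user can write to
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Downloads|Public)\\", re.I)


def score_event(parent, image, cmdline):
    """Return the list of heuristic reasons this event matches the chain (empty if none)."""
    reasons = []
    img, par, cmd = image.lower(), parent.lower(), cmdline.lower()
    # explorer.exe is the parent of anything typed into the Run dialog; on its own that is
    # normal user activity, so the hidden/bypass switches are required to fire.
    if img.endswith("powershell.exe") and par.endswith("explorer.exe") and HIDDEN.search(cmdline):
        reasons.append("interactive PowerShell (explorer parent) with hidden/bypass switches")
    if img.endswith("rundll32.exe") and USER_WRITABLE.search(cmdline):
        reasons.append("rundll32 loading a DLL from a user-writable path")
    if img.endswith("powershell.exe") and "rundll32" in cmd:
        reasons.append("PowerShell command line that invokes rundll32 (stager behaviour)")
    return reasons


def detect(events):
    """Map pid -> reasons for every event that triggers at least one heuristic."""
    hits = {}
    for pid, parent, image, cmdline in events:
        reasons = score_event(parent, image, cmdline)
        if reasons:
            hits[pid] = reasons
    return hits


if __name__ == "__main__":
    for pid, reasons in detect(EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Correlating the two hits by parent/child pid (400 spawns 401) is what turns two medium-confidence signals into a high-confidence alert; the heuristics alone will still flag some legitimate admin one-liners.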

YESROBOT uses HTTPS to retrieve commands from a hard-coded command-and-control (C2) server. A minimal backdoor, it supports the ability to download and execute files, and to retrieve documents of interest. Only two instances of YESROBOT deployment have been observed to date, specifically over a two-week period in late May shortly after details of LOSTKEYS became public knowledge.

In contrast, MAYBEROBOT is assessed to be more versatile and extensible, equipped with features to download and run a payload from a specified URL, run commands using cmd.exe, and run PowerShell code.


It's believed that the COLDRIVER actors rushed to deploy YESROBOT as a "stopgap mechanism," likely in response to public disclosure, before abandoning it in favor of MAYBEROBOT, as the earliest version of NOROBOT also included a step to download a full Python 3.8 installation onto the compromised host, a "noisy" artifact that is bound to raise suspicion.

Google also pointed out that the use of NOROBOT and MAYBEROBOT is likely reserved for significant targets, who may already have been compromised via phishing, with the end goal of gathering additional intelligence from their devices.

"NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys," Shields said. "This constant development highlights the group's efforts to evade detection systems for their delivery mechanism for continued intelligence collection against high-value targets."


The disclosure comes as the Netherlands' Public Prosecution Service, known as the Openbaar Ministerie (OM), announced that three 17-year-old males are suspected of providing services to a foreign government, with one of them alleged to have been in contact with a hacker group affiliated with the Russian government.


"This suspect also gave the other two instructions to map Wi-Fi networks on several dates in The Hague," OM said. "The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks."

Two of the suspects were apprehended on September 22, 2025, while the third suspect, who was also interviewed by authorities, has been kept under house arrest because of his "limited role" in the case.

"There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government," the Dutch government body added.
