To Be (A Robot) or Not to Be: New Malware Attributed to Russia State-Sponsored COLDRIVER

COLDRIVER rapidly replaced its publicly disclosed LOSTKEYS toolset with a new, evolving malware family: NOROBOT (a DLL downloader), YESROBOT (a Python backdoor) and MAYBEROBOT (a PowerShell backdoor), delivered via an updated COLDCOPY "ClickFix" lure that tricks users into running a DLL with rundll32. Google Threat Intelligence observed multiple NOROBOT variants, infrastructure rotation and operational changes aimed at evasion, while MAYBEROBOT became the preferred and more extensible final backdoor.

Keypoints

  • COLDRIVER (aka UNC4057/Star Blizzard/Callisto) shifted from LOSTKEYS to new malware families within five days of the LOSTKEYS disclosure, increasing its development and operations tempo.
  • NOROBOT is a malicious DLL downloader delivered via a COLDCOPY "ClickFix" lure; the lure has the user run it with rundll32, and it uses CAPTCHA-themed names such as the file name iamnotarobot.dll and the export humanCheck.
  • Early NOROBOT variants used split cryptographic keys and fetched a full Python 3.8 installation plus several components (e.g., libsystemhealthcheck.py, libcryptopydatasize.py) in order to reconstruct the final payload.
  • YESROBOT is a minimal Python backdoor retrieved and executed by NOROBOT; every command it receives must be valid Python, and it was quickly abandoned because of that limited extensibility and its dependence on Python being present.
  • MAYBEROBOT, a PowerShell backdoor, replaced YESROBOT in June 2025. It is lightweight and extensible, speaks a custom protocol to a hardcoded C2, does not require Python, and supports download-and-execute, cmd execution and PowerShell execution.
  • COLDRIVER continuously modified NOROBOT variants, delivery paths, filenames, exports, and infrastructure to evade detection, sometimes simplifying the chain (making tracking easier) and later reintroducing complexity.
  • Google added malicious sites and files to Safe Browsing, issued targeted alerts to potential victims, and published IOCs and YARA rules to help defenders detect the campaign.

MITRE Techniques

  • [T1036] Masquerading – NOROBOT and the COLDCOPY page pose as a CAPTCHA ("pretends to be a custom CAPTCHA"), using the file name "iamnotarobot.dll" and the export "humanCheck" so that the rundll32 command the user runs looks like a human-verification step.
  • [T1204.002] User Execution: Malicious File – The COLDCOPY "ClickFix" lure coerces the user into downloading a DLL and running it via rundll32 ("tries to get the user to download and execute a DLL using rundll32").
  • [T1041] Exfiltration Over C2 Channel – YESROBOT and MAYBEROBOT retrieve commands from hardcoded C2 servers and return output over the same channel ("uses HTTPS to retrieve commands from a hardcoded C2"; "uses a hardcoded C2 and a custom protocol").
  • [T1059.001] Command and Scripting Interpreter: PowerShell – MAYBEROBOT is a heavily obfuscated PowerShell backdoor launched from a logon script, and it can execute operator-supplied PowerShell blocks ("logon script was a Powershell command which downloaded and executed the next stage… heavily obfuscated Powershell script").
  • [T1059.006] Command and Scripting Interpreter: Python – YESROBOT executes operator-supplied Python ("minimal backdoor that requires all commands to be valid Python").
  • [T1053.005] Scheduled Task/Job: Scheduled Task and [T1037.001] Boot or Logon Initialization Scripts: Logon Script (Windows) – NOROBOT persists through a scheduled task named "System health check" ("Persistence via scheduled task") and through a logon script ("sets up a logon script for persistence").
  • [T1105] Ingress Tool Transfer – NOROBOT downloads components (the Python installer, libsystemhealthcheck.py, libcryptopydatasize.py) and later payloads from attacker-controlled domains ("fetching and extracting a full Python 3.8 installation"; files retrieved using bitsadmin from inspectguarantee[.]org).
  • [T1112] Modify Registry – The NOROBOT installation writes a value under a user-hive class key ("reg add … HKEY_CURRENT_USER\SOFTWARE\Classes\.pietas"). This is a file-association key rather than a Run key; persistence itself comes from the scheduled task and logon script above.

Indicators of Compromise

  • [Domain] COLDCOPY delivery and NOROBOT hosting – inspectguarantee[.]org, captchanom[.]top
  • [Domain] COLDCOPY lure infrastructure – viewerdoconline[.]com, documentsec[.]com (and related COLDCOPY domains such as documentsec[.]online and onstorageline[.]com)
  • [File hash (SHA-256)] NOROBOT samples – 2e74f6bd9bf73131d3213399ed2f669ec5f75392de69edf8ce8196cd70eb6aee (iamnotarobot.dll), 3b49904b68aedb6031318438ad2ff7be4bf9fd865339330495b177d5c4be69d1 (checkme.dll)
  • [File hash (SHA-256)] Backdoor and PowerShell artifacts – bce2a7165ceead4e3601e311c72743e0059ec2cd734ce7acf5cc9f7d8795ba0f (YESROBOT), b60100729de2f468caf686638ad513fe28ce61590d2b0d8db85af9edc5da98f9 (obfuscated MAYBEROBOT)
  • [IP address] YESROBOT C2 – 85.239.52[.]32 (associated with system-healthadv[.]com)
  • [File name / path] Dropped files and scripts – libsystemhealthcheck.py, libcryptopydatasize.py, iamnotarobot.dll (plus the Python38-64 installation directory and the scheduled task "System health check")
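The indicators above are defanged, and hostname matching needs a label boundary (a lookalike such as notdocumentsec.com must not match documentsec.com, while a subdomain should). The script below is an added example, not code from the original page: it refangs the listed indicators, classifies them, and sweeps constructed DNS, proxy and file-inventory records. The indicator values are the page's; the hostnames in the log lines other than the listed domains, the workstation names, timestamps and file paths are assumptions.

```python
"""Refang the defanged IOCs listed above and sweep constructed logs.

Added example; not the page's code.  Log lines and file inventory are
constructed for the demonstration.
"""
import re

# Pasted from the IOC list above, still defanged.
RAW_IOCS = """
inspectguarantee[.]org
captchanom[.]top
viewerdoconline[.]com
documentsec[.]com
documentsec[.]online
onstorageline[.]com
system-healthadv[.]com
85.239.52[.]32
2e74f6bd9bf73131d3213399ed2f669ec5f75392de69edf8ce8196cd70eb6aee
3b49904b68aedb6031318438ad2ff7be4bf9fd865339330495b177d5c4be69d1
bce2a7165ceead4e3601e311c72743e0059ec2cd734ce7acf5cc9f7d8795ba0f
b60100729de2f468caf686638ad513fe28ce61590d2b0d8db85af9edc5da98f9
"""

# Constructed records.  The second DNS line is a lookalike that must not
# match; the third uses the trailing-dot FQDN form some resolvers log.
SAMPLE_DNS = [
    "2025-06-12T09:14:02Z ws-117 query A cdn.inspectguarantee.org",
    "2025-06-12T09:14:05Z ws-117 query A notdocumentsec.com",
    "2025-06-12T09:15:11Z ws-117 query A documentsec.com.",
    "2025-06-12T09:16:40Z ws-042 query A www.google.com",
]
SAMPLE_PROXY = [
    "2025-06-12T09:20:00Z ws-117 CONNECT 85.239.52.32:443",
    "2025-06-12T09:21:00Z ws-042 GET http://example.org/",
]
SAMPLE_FILES = [  # (path, sha256) pairs; the first is the NOROBOT hash from the page
    (r"C:\Users\alice\Downloads\iamnotarobot.dll",
     "2e74f6bd9bf73131d3213399ed2f669ec5f75392de69edf8ce8196cd70eb6aee"),
    (r"C:\Windows\System32\shell32.dll",
     "0000000000000000000000000000000000000000000000000000000000000000"),
]

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"


def refang(token):
    """Undo common defanging: [.] (.) {.} -> . and hxxp -> http."""
    return re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", token).replace("hxxp", "http")


def classify(token):
    """Return (kind, value) for a refanged indicator, or None if unrecognised."""
    t = refang(token.strip().lower())
    if re.fullmatch(r"[0-9a-f]{64}", t):
        return "sha256", t
    if re.fullmatch(IPV4, t):
        return "ip", t
    if re.fullmatch(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", t):
        return "domain", t
    return None


def load_iocs(text):
    iocs = {"sha256": set(), "ip": set(), "domain": set()}
    for line in text.splitlines():
        kv = classify(line) if line.strip() else None
        if kv:
            iocs[kv[0]].add(kv[1])
    return iocs


def domain_matches(host, domains):
    """Exact or subdomain match on a label boundary; no substring matching."""
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def sweep(iocs, dns_lines, proxy_lines, files):
    """(kind, indicator, record) for every record that touches an IOC."""
    hits = []
    for line in dns_lines:
        d = domain_matches(line.split()[-1], iocs["domain"])
        if d:
            hits.append(("domain", d, line))
    for line in proxy_lines:
        for ip in re.findall(rf"\b{IPV4}\b", line):
            if ip in iocs["ip"]:
                hits.append(("ip", ip, line))
        for host in re.findall(r"https?://([^/:\s]+)", line):
            d = domain_matches(host, iocs["domain"])
            if d:
                hits.append(("domain", d, line))
    for path, digest in files:
        if digest.lower() in iocs["sha256"]:
            hits.append(("sha256", digest, path))
    return hits


if __name__ == "__main__":
    for hit in sweep(load_iocs(RAW_IOCS), SAMPLE_DNS, SAMPLE_PROXY, SAMPLE_FILES):
        print(hit)
```

Because the page reports that COLDRIVER rotates infrastructure, treat a sweep like this as a retrospective check over historical logs; the behavioural rules are what catch the next variant.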


Read more: https://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver/