A new malware family linked to the Russia-associated group COLDRIVER shows rapid development and deployment, targeting high-value individuals for cyber espionage. Google Threat Intelligence highlights a shift from credential theft to sophisticated malware delivery using ClickFix lures and PowerShell commands. #COLDRIVER #NOROBOT #YESROBOT #MAYBEROBOT
Key points
- COLDRIVER has introduced new malware families NOROBOT, YESROBOT, and MAYBEROBOT with rapid development since May 2025.
- The malware chain begins with a ClickFix HTML lure called COLDCOPY to drop and execute malicious DLLs.
- Initial attacks deployed YESROBOT, a Python backdoor, which was quickly replaced by MAYBEROBOT, a more flexible PowerShell-based malware.
- The new malware targets high-profile individuals for intelligence gathering and evades detection through evolving cryptographic techniques.
- Recent arrests in the Netherlands suggest foreign government-linked hackers may be collaborating with criminal elements for cyber espionage activities.
Read More: https://thehackernews.com/2025/10/google-identifies-three-new-russian.html