Ransomware, Threat Intelligence, Malware

Russia-backed COLDRIVER abandons stealer malware for NOROBOT backdoors

Google Threat Intelligence Group (GTIG) reported that the Russia-sponsored threat group COLDRIVER is using two new backdoors tracked as YESROBOT and MAYBEROBOT, which are spread using ClickFix and a loader called NOROBOT.

COLDRIVER, which targets high-profile targets, including NATO member governments, policy advisors, former intelligence officers and non-governmental organizations (NGOs), previously conducted credential phishing attacks without the deployment of malware.

However, GTIG reported in May 2025 that the group began wielding a novel credential stealing malware dubbed LOSTKEYS.

In its latest report published Monday, GTIG said COLDRIVER seems to have abandoned LOSTKEYS following its May exposure and has rapidly developed new malware that serve as backdoors to execute commands and exfiltrate information.

Similar to its LOSTKEYS campaign, COLDRIVER uses ClickFix to deploy a loader tracked as NOROBOT. While both campaigns use a fake CAPTCHA, the newer attacks convince the user to execute NOROBOT DLL via rundll32 rather than using PowerShell commands.  

NOROBOT initially dropped a Python backdoor dubbed YESROBOT, which was observed in at least two attacks in late May 2025. The key needed to decrypt the YESROBOT payload was split across multiple components and required reassembly before execution, an anti-analysis measures.

However, the backdoor was described as “cumbersome” by the Google researchers, as it requires a full Python 3.8 installation and for all commands to be valid Python, increasing the chance of detection and reducing extensibility.

In early June 2025, COLDRIVER shifted tactics again, using a simpler and more flexible PowerShell backdoor labeled MAYBEROBOT. This version supports three commands: downloading and executing content form a hardcoded command-and-control (C2) server, executing commands with cmd.exe and executing PowerShell blocks.

The group continued to use and evolve NOROBOT and MAYBEROBOT throughout June to September 2025, regularly rotating infrastructure and file names and transferring the same split cryptography tactic used with YESROBOT to its MAYBEROBOT deployments.

GTIG noted the use of these backdoors was previously reported by Zscaler, which tracks YESROBOT as BAITSWITCH and MAYBEROBOT as SIMPLEFIX.

In response to COLDRIVER’s changing tactics, Google has incorporated the latest intelligence into its products, such as the Safe Browsing feature in Chrome. It also published indicators of compromise (IoCs) and YARA rules in its report.

An In-Depth Guide to Ransomware

Get essential knowledge and practical strategies to protect your organization from ransomware attacks.

Related

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

Related Terms

CorruptionCovert ChannelsDarknetData MiningDeauthentication AttackDictionary AttackDistributed ScansGoogle HackingHybrid AttackMorris Worm

You can skip this ad in 5 seconds