Russian state-sponsored threat actor COLDRIVER, long known for targeting high-profile NGOs, policy advisors, and dissidents, has been linked to a rapidly evolving malware campaign following the public disclosure of its LOSTKEYS malware in May 2025.
After details of LOSTKEYS surfaced, COLDRIVER (also tracked as UNC4057, Star Blizzard, and Callisto) pivoted away from the compromised malware.
GTIG researchers have not observed a single instance of LOSTKEYS post-disclosure—a testament to the group’s agility.
Within just five days of this exposure, COLDRIVER operationalized new malware families, shifting tactics and tools at an unprecedented pace, according to a recent report from GTIG and supporting analysis from Zscaler.
Instead, COLDRIVER began deploying a diverse toolset, featuring interconnected malware families that have already undergone several development iterations.
This relentless pace highlights the group’s dedication to maintaining access to target environments and evading defensive measures.
At the center of this re-tooled arsenal is a malicious DLL named NOROBOT. Delivered through an updated “ClickFix” lure—posing as a CAPTCHA challenge to entice user interaction—NOROBOT was designed to retrieve additional malicious stages from hardcoded command-and-control (C2) servers.
This marks a shift from COLDRIVER’s previous reliance on complex PowerShell chains: the group now tricks users into executing a DLL with rundll32, effectively sidestepping some traditional security controls.
Infection Chain and NOROBOT’s Role
The new attack chain begins when targets interact with a fake CAPTCHA page, which prompts them to execute a DLL disguised as “iamnotarobot.dll.”
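As an added defender-side illustration (not code from the GTIG or Zscaler reporting), the following Python sketch triages process-creation events for the pattern described above: rundll32 loading a DLL named iamnotarobot.dll, or loading a DLL from a user-writable directory when the parent is an interactive process such as explorer.exe. The sample events, the list of interactive parents and the list of user-writable directories are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (not real telemetry):
# (parent image, command line), shaped loosely after Sysmon Event ID 1 output.
SAMPLE_EVENTS = [
    ("C:\\Windows\\explorer.exe",
     "rundll32.exe C:\\Users\\alice\\Downloads\\iamnotarobot.dll,Entry"),
    ("C:\\Windows\\explorer.exe",
     'rundll32.exe "C:\\Users\\alice\\AppData\\Local\\Temp\\captcha.dll",#1'),
    ("C:\\Windows\\System32\\svchost.exe",
     "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"),
    ("C:\\Program Files\\App\\app.exe",
     "C:\\Program Files\\App\\helper.exe --update"),
]

# DLL name used in the campaign as reported; extend with your own observations.
KNOWN_LURE_NAMES = {"iamnotarobot.dll"}
# Assumption: a Run-dialog / shell launch shows up with one of these parents.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}
# Assumption: directories a standard user can write to without elevation.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(Downloads|AppData|Desktop|Documents)\\", re.I)
# rundll32 [path\]name.dll,Export  (optional quoting around both tokens)
RUNDLL_CMD = re.compile(
    r'^\s*"?(?:.*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)"?\s*,\s*(\S+)?', re.I)

@dataclass
class Finding:
    reason: str
    dll_path: str
    export: str

def analyze_event(parent_image: str, command_line: str):
    """Return a Finding for a ClickFix-style rundll32 DLL load, else None."""
    m = RUNDLL_CMD.match(command_line)
    if not m:
        return None  # not a rundll32 launch at all
    dll_path, export = m.group(1), m.group(2) or ""
    dll_name = dll_path.rsplit("\\", 1)[-1].lower()
    parent_name = parent_image.rsplit("\\", 1)[-1].lower()
    if dll_name in KNOWN_LURE_NAMES:
        return Finding("known lure DLL name", dll_path, export)
    if USER_WRITABLE.search(dll_path) and parent_name in INTERACTIVE_PARENTS:
        return Finding("rundll32 loading DLL from user-writable path "
                       "under an interactive parent", dll_path, export)
    return None  # e.g. system DLL loaded from System32 by a service

def scan(events):
    """Run analyze_event over (parent, command line) pairs, keep the hits."""
    return [f for f in (analyze_event(p, c) for p, c in events) if f]
```

Rotating file names, as the article notes COLDRIVER does, defeats the name match but not the path-plus-parent heuristic, which is why the two checks are kept separate.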
This DLL, NOROBOT (also dubbed BAITSWITCH by Zscaler), is in constant development, with observed samples from May through September 2025 revealing a push-pull between simplified deployment—intended to maximize infection rates—and renewed complexity, such as splitting cryptographic keys across multiple components to hinder analysis.
Early versions of NOROBOT would lead to the deployment of a noisy Python backdoor, YESROBOT. This backdoor, while functional, was cumbersome and required a full Python installation, increasing the risk of detection.
GTIG observed only brief use of YESROBOT before COLDRIVER replaced it with a more agile PowerShell-based backdoor named MAYBEROBOT (or SIMPLEFIX), which dispensed with the need for Python and boasted a more versatile command protocol.
COLDRIVER’s development tempo has accelerated. Each variant of NOROBOT includes subtle changes: rotating infrastructure, altering file names and export functions, and adding or removing steps in the infection chain.
These adjustments serve both to evade detection and complicate incident response. While simplifying some steps made it easier for defenders to track their activity, the group remains adept at reintroducing complexity—such as combining crypto keys across multiple files—when needed for operational security.
Notably, the final backdoor, MAYBEROBOT, has remained stable, suggesting COLDRIVER is satisfied with its balance of stealth and flexibility. This also implies their main focus has shifted towards fortifying the infection chain itself, increasing resilience against takedowns and analyses.
Phishing vs. Malware—and Community Defense
Historically, COLDRIVER favored phishing attacks. Their reasons for intensifying malware deployment remain unclear, but researchers speculate this approach may be reserved for especially high-value targets, seeking device-level intelligence after initial account compromises.
Defensive measures are evolving in tandem: as part of Google’s response, malicious infrastructure and samples are added to Safe Browsing and threat notifications are sent to at-risk Gmail and Workspace users.
Security professionals are encouraged to review shared indicators of compromise (IOCs) and YARA rules, and to stay updated on emerging COLDRIVER campaigns via threat intelligence feeds.
As COLDRIVER’s tactics continue to evolve, defenders must likewise adapt, remaining vigilant against both traditional lures and the increasingly sophisticated malware chains now used to conduct Russian state espionage operations.