{ "id": "f3071423-bd09-4006-a01c-1c3a1ca378a4", "created_at": "2026-04-06T00:22:25.566718Z", "updated_at": "2026-04-10T03:35:42.000837Z", "deleted_at": null, "sha1_hash": "3ccb7a0119dd03a4e70172c3fa63522d76201996", "title": "To Be (A Robot) or Not to Be: New Malware Attributed to Russia State-Sponsored COLDRIVER", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 410214, "plain_text": "To Be (A Robot) or Not to Be: New Malware Attributed to Russia\r\nState-Sponsored COLDRIVER\r\nBy Google Threat Intelligence Group\r\nPublished: 2025-10-20 · Archived: 2026-04-05 22:52:24 UTC\r\nWritten by: Wesley Shields\r\nIntroduction \r\nCOLDRIVER, a Russian state-sponsored threat group known for targeting high profile individuals in NGOs,\r\npolicy advisors and dissidents, swiftly shifted operations after the May 2025 public disclosure of its LOSTKEYS\r\nmalware, operationalizing new malware families five days later. It is unclear how long COLDRIVER had this\r\nmalware in development, but GTIG has not observed a single instance of LOSTKEYS since publication. Instead,\r\nGTIG has seen new malware used more aggressively than any other previous malware campaigns we have\r\nattributed to COLDRIVER (also known as UNC4057, Star Blizzard, and Callisto).\r\nThe new malware, which GTIG attributes directly to COLDRIVER, has undergone multiple iterations since\r\ndiscovery, indicating a rapidly increased development and operations tempo from COLDRIVER. It is a collection\r\nof related malware families connected via a delivery chain. GTIG seeks to build on details on a part of this\r\ninfection chain released in a recent Zscaler blog post by sharing wider details on the infection chain and related\r\nmalware.\r\nMalware Development Overview \r\nThis re-tooling began with a new malicious DLL called NOROBOT delivered via an updated COLDCOPY\r\n“ClickFix” lure that pretends to be a custom CAPTCHA. This is similar to previous LOSTKEYS deployment by\r\nCOLDRIVER, but updates the infection by leveraging the user to execute the malicious DLL via rundll32, instead\r\nof the older multi-stage PowerShell method.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver\r\nPage 1 of 10\n\nFigure 1: Malware development overview\r\nWhile the earliest version of NOROBOT led to the deployment of a cumbersome Python backdoor tracked as\r\nYESROBOT, COLDRIVER quickly abandoned YESROBOT for a more flexible and extensible Powershell\r\nbackdoor we track as MAYBEROBOT.\r\nNOROBOT and its preceding infection chain have been subject to constant evolution—initially simplified to\r\nincrease chances of successful deployment, before re-introducing complexity by splitting cryptography keys. The\r\nshift back to more complex delivery chains increases the difficulty of tracking their campaigns. This constant\r\ndevelopment highlights the group's efforts to evade detection systems for their delivery mechanism for continued\r\nintelligence collection against high-value targets.\r\nDelivery via “ClickFix” and Rundll32\r\nThis new malware infection chain contains three distinct components which are delivered via a new variant of the\r\nCOLDCOPY “ClickFix” lure ( c4d0fba5aaafa40aef6836ed1414ae3eadc390e1969fdcb3b73c60fe7fb37897 )\r\npreviously seen delivering LOSTKEYS. The new variant of COLDCOPY tries to get the user to download and\r\nexecute a DLL using rundll32, while trying to disguise itself as a captcha by including text to verify that the user\r\nis not a robot. The DLL first observed was named “iamnotarobot.dll” and the export was named “humanCheck” -\r\nboth of which play into the CAPTCHA theme of the page and partially inspired the ROBOT-themed naming\r\nconvention for the malware that follows.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver\r\nPage 2 of 10\n\nFigure 2: COLDCOPY attempting to lure the user to execute NOROBOT\r\nNOROBOT\r\nNOROBOT, also disclosed as BAITSWITCH by Zscaler, is a DLL that has been observed undergoing regular\r\ndevelopment from May through September 2025. In all of the versions observed the main purpose of NOROBOT\r\nhas been to retrieve the next stage from a hardcoded command and control (C2) address and prepare the system\r\nfor the final payload. The earliest version of NOROBOT\r\n( 2e74f6bd9bf73131d3213399ed2f669ec5f75392de69edf8ce8196cd70eb6aee ) made use of cryptography in which\r\nthe key was split across multiple components and needed to be recombined in a specific way in order to\r\nsuccessfully decrypt the final payload. This was likely done to make it more difficult to reconstruct the infection\r\nchain because if one of the downloaded components was missing the final payload would not decrypt properly.\r\nDespite this attempt to hinder analysis, the earliest version of NOROBOT included fetching and extracting a full\r\nPython 3.8 installation, which is a noisy artifact that is likely to raise suspicions.\r\nDetails of the files retrieved by this version of NOROBOT are:\r\nSFX RAR containing a Python 3.8 installation for Windows\r\nCommand to store part of a crypto key in the registry\r\nPersistence via scheduled task\r\nCommand to run bitsadmin to retrieve a file named libsystemhealthcheck.py\r\nCommand to run bitsadmin to retrieve a file named libcryptopydatasize.py\r\nBoth files retrieved using bitsadmin are from inspectguarantee[.]org :\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver\r\nPage 3 of 10\n\nd7520e4f1c55ed1dcbdeba5c6e681e1d269d9b5a690636bf18bcdc5b294f3f8a libsystemhealthcheck.py\r\n52eb2b3df1e5e2a07ba4562b79eeb67679ac6f7f90190e72d3e6adcf5186401d libcryptopydatasize.py\r\nThe registry key command is:\r\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\.pietas\" /v \"ratio\" /t REG_BINARY /d \"f5e210ec114e1992b81ff89be58cf\r\nPersistence is done via a scheduled task:\r\npowershell -c \"\r\n$s = New-Object -ComObject Schedule.Service;\r\n$s.Connect();\r\n$t = $s.NewTask(0);\r\n$p = $t.principal;\r\n$p.logontype = 3;\r\n$p.RunLevel = 0;\r\n$a = $t.Actions.Create(0);\r\n$a.Path = \\\"$env:APPDATA\\Python38-64\\pythonw.exe\\\";\r\n$a.Arguments = \\\"$env:APPDATA\\Python38-64\\Lib\\libsystemhealthcheck.py\\\";\r\n$a.WorkingDirectory = \\\"$env:APPDATA\\Python38-64\\\";\r\n$tr = $t.Triggers.Create(9);\r\n$tr.userID = \\\"$env:computername\\\"+\\\"\\\\\\\"+\\\"$env:username\\\";\r\n$tr.enabled = $true;\r\n$s.GetFolder(\\\"\\\").RegisterTaskDefinition(\\\"System health check\\\", $t, 6, $null, $null, 0) | Out-Null;\r\n\"\r\nlibsystemhealthcheck.py contains part of an AES key that is combined with the key stored in the registry and\r\ndecrypts libcryptopydatasize.py, which we have named YESROBOT.\r\nYESROBOT\r\nThe decrypted version of YESROBOT is a Python backdoor which uses HTTPS to retrieve commands from a\r\nhardcoded C2. The commands are AES encrypted with a hardcoded key. System information and username are\r\nencoded in the User-Agent header of the request. YESROBOT is a minimal backdoor that requires all commands\r\nto be valid Python, which makes typical functionality, such as downloading and executing files or retrieving\r\ndocuments, more cumbersome to implement. A typical approach would include the retrieval and execution logic in\r\nthe backdoor and only require the operator to send the URL. This makes YESROBOT difficult to extend and\r\noperate, and hints that the deployment of YESROBOT was a hastily made choice. GTIG observed only two\r\ninstances of YESROBOT deployment over a two week period in late May before it was abandoned in favor of a\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver\r\nPage 4 of 10\n\ndifferent backdoor, MAYBEROBOT. It is for these reasons that GTIG assesses that YESROBOT was hastily\r\ndeployed as a stopgap mechanism after our publication on LOSTKEYS.\r\nFigure 3: Main loop of YESROBOT, limited to Python command execution only\r\nMAYBEROBOT\r\n In early June 2025, GTIG observed a variant of NOROBOT\r\n( 3b49904b68aedb6031318438ad2ff7be4bf9fd865339330495b177d5c4be69d1 ) which was drastically simplified from\r\nearlier versions. This version fetches a single file, which we observed to be a single command that sets up a logon\r\nscript for persistence. The logon script was a Powershell command which downloaded and executed the next\r\nstage, which we call MAYBEROBOT, also known as SIMPLEFIX by Zscaler.\r\nThe file fetched by the logon script was a heavily obfuscated Powershell script\r\n( b60100729de2f468caf686638ad513fe28ce61590d2b0d8db85af9edc5da98f9 ) that uses a hardcoded C2 and a\r\ncustom protocol that supports 3 commands:\r\n1. Download and execute from a specified URL\r\n2. Execute the specified command using cmd.exe\r\n3. Execute the specified powershell block\r\nIn all cases an acknowledgement is sent to the C2 at a different path, while in the case of command 2 and 3, output\r\nis sent to a third path.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver\r\nPage 5 of 10\n\nGTIG assesses that MAYBEROBOT was developed to replace YESROBOT because it does not need a Python\r\ninstallation to execute, and because the protocol is extensible and allows attackers more flexibility when achieving\r\nobjectives on target systems. While increased flexibility was certainly achieved, it is worth noting that\r\nMAYBEROBOT still has minimal built-in functionality and relies upon the operator to provide more complex\r\ncommands like YESROBOT before it.\r\nThe ROBOTs Continue to Evolve\r\nAs GTIG continued to monitor and respond to COLDRIVER attempts to deliver NOROBOT to targets of interest\r\nfrom June through September 2025, we observed changes to both NOROBOT and the malware execution chain\r\nthat indicate COLDRIVER was increasing their development tempo. GTIG has observed multiple versions of\r\nNOROBOT over time with varying degrees of simplicity. The specific changes made between NOROBOT\r\nvariants highlight the group's persistent effort to evade detection systems while ensuring continued intelligence\r\ncollection against high-value targets. However, by simplifying the NOROBOT downloader, COLDRIVER\r\ninadvertently made it easier for GTIG to track their activity. \r\nGTIG’s insight into the NOROBOT malware’s evolution aligned with our observation of their movement away\r\nfrom the older YESROBOT backdoor in favor of the newer MAYBEROBOT backdoor. GTIG assesses that\r\nCOLDRIVER may have made changes to the final backdoor for several reasons: YESROBOT requiring a full\r\nPython interpreter to function is likely to increase detection in comparison to MAYBEROBOT, and YESROBOT\r\nbackdoor was not easily extensible. \r\nAs MAYBEROBOT became the more commonly observed final backdoor in these operations, the NOROBOT\r\ninfection chain to get there continued evolving. Over the course of this period of time, COLDRIVER simplified\r\ntheir malware infection chain and implemented basic evasion techniques, such as rotating infrastructure and file\r\nnaming conventions, paths where files were retrieved from, how those paths were constructed, changing the\r\nexport name and changing the DLL name. Along with making these minor changes, COLDRIVER re-introduced\r\nthe need to collect crypto keys and intermediate downloader stages to be able to properly reconstruct the full\r\ninfection chain. Adding complexity back in may increase operational security for the operation as it makes\r\nreconstructing their activity more difficult. Network defenders need to collect multiple files and crypto keys to\r\nreconstruct the full attack chain; whereas in the simplified NOROBOT chain they only need the URL from the\r\nlogon script to retrieve the final payload.\r\nGTIG has observed multiple versions of NOROBOT indicating consistent development efforts, but the final\r\nbackdoor of MAYBEROBOT has not changed. This indicates that COLDRIVER is interested in evading detection\r\nof their delivery mechanism while having high confidence that MAYBEROBOT is less likely to be detected.\r\nPhishing or Malware?\r\nIt is currently not known why COLDRIVER chooses to deploy malware over the more traditional phishing they\r\nare known for, but it is clear that they have spent significant development effort to re-tool and deploy their\r\nmalware to specific targets. One hypothesis is that COLDRIVER attempts to deploy NOROBOT and\r\nMAYBEROBOT on significant targets which they may have previously compromised via phishing and already\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver\r\nPage 6 of 10\n\nstolen emails and contacts from, and are now looking to acquire additional intelligence value from information on\r\ntheir devices directly.\r\nAs COLDRIVER continues to develop and deploy this chain we believe that they will continue their aggressive\r\ndeployment against high-value targets to achieve their intelligence collection requirements.\r\nProtecting the Community\r\nAs part of our efforts to combat threat actors, we use the results of our research to improve the safety and security\r\nof Google’s products. Upon discovery, all identified malicious websites, domains and files are added to Safe\r\nBrowsing to protect users from further exploitation. We also send targeted Gmail and Workspace users\r\ngovernment-backed attacker alerts notifying them of the activity and encouraging potential targets to enable\r\nEnhanced Safe Browsing for Chrome and ensure that all devices are updated.\r\nWe are committed to sharing our findings with the security community to raise awareness and with companies and\r\nindividuals that might have been targeted by these activities. We hope that improved understanding of tactics and\r\ntechniques will enhance threat hunting capabilities and lead to stronger user protections across the industry.\r\nIndicators of compromise (IOCs) and YARA rules are included in this post, and are also available as a GTI\r\ncollection and rule pack.\r\nIndicators of Compromise (IOCs)\r\nThe following indicators of compromise are available in a Google Threat Intelligence (GTI) collection for\r\nregistered users.\r\nIOC Description\r\nviewerdoconline[.]com COLDCOPY domain\r\ndocumentsec[.]com COLDCOPY domain\r\ndocumentsec[.]online COLDCOPY domain\r\nonstorageline[.]com COLDCOPY domain\r\napplicationformsubmit[.]me COLDCOPY domain\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver\r\nPage 7 of 10\n\noxwoocat[.]org COLDCOPY domain\r\nned-granting-opportunities[.]com COLDCOPY domain\r\nblintepeeste[.]org COLDCOPY domain\r\npreentootmist[.]org COLDCOPY domain\r\nc4d0fba5aaafa40aef6836ed1414ae3eadc390e1969fdcb3b73c60fe7fb37897 COLDCOPY “ClickFix” lure\r\ninspectguarantee[.]org NOROBOT delivery domain\r\ncaptchanom[.]top NOROBOT delivery domain\r\nbce2a7165ceead4e3601e311c72743e0059ec2cd734ce7acf5cc9f7d8795ba0f YESROBOT\r\nsystem-healthadv[.]com YESROBOT C2\r\n85.239.52[.]32 YESROBOT C2\r\n2e74f6bd9bf73131d3213399ed2f669ec5f75392de69edf8ce8196cd70eb6aee\r\nNOROBOT - iamnotarobot.dll -\r\nMay 2025\r\n3b49904b68aedb6031318438ad2ff7be4bf9fd865339330495b177d5c4be69d1\r\nNOROBOT - checkme.dll - June\r\n2025\r\ne9c8f6a7dba6e84a7226af89e988ae5e4364e2ff2973c72e14277c0f1462109b\r\nNOROBOT - checkme.dll - June\r\n2025\r\nb60100729de2f468caf686638ad513fe28ce61590d2b0d8db85af9edc5da98f9 Obfuscated MAYBEROBOT\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver\r\nPage 8 of 10\n\nsouthprovesolutions[.]com MAYBEROBOT C2\r\nf2da013157c09aec9ceba1d4ac1472ed049833bc878a23bc82fe7eacbad399f4\r\nNOROBOT - machinerie.dll -\r\nRe-introducing crypto and\r\ndownloaders\r\n87138f63974a8ccbbf5840c31165f1a4bf92a954bacccfbf1e7e5525d750aa48\r\nNOROBOT - machinerie.dll -\r\nLatest sample from late August\r\n2025\r\nYARA Rules\r\nrule G_APT_Downloader_NOROBOT_2 {\r\n meta:\r\n author = \"Google Threat Intelligence\"\r\n description = \"DLL which pulls down and executes next stages\"\r\n strings:\r\n $path = \"/konfiguration12/\" wide\r\n $file0 = \"arbeiter\" wide\r\n $file1 = \"schlange\" wide\r\n $file2 = \"gesundheitA\" wide\r\n $file3 = \"gesundheitB\" wide\r\n $new_file0 = \"/reglage/avec\" wide\r\n $new_file1 = \"/erreur\" wide\r\n condition:\r\n filesize \u003c= 1MB and\r\n (\r\n $path or\r\n all of ($file*) or\r\n all of ($new_file*) or\r\n (\r\n for any s in (\"checkme.dll\", \"iamnotarobot.dll\", \"machinerie.dll\"): (pe.dll_name == s) and\r\n for any s in (\"humanCheck\", \"verifyme\"): (pe.exports(s))\r\n )\r\n )\r\n}\r\nrule G_APT_BACKDOOR_YESROBOT_1 {\r\n meta:\r\n author = \"Google Threat Intelligence Group (GTIG)\"\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver\r\nPage 9 of 10\n\nstrings:\r\n $s0 = \"return f'Mozilla/5.0 {base64.b64encode(str(get_machine_name()).encode()).decode()} {base64.b64encode(\r\n $s1 = \"'User-Agent': obtainUA(),\"\r\n $s2 = \"url = f\\\"https://{target}/connect\\\"\"\r\n $s3 = \"print(f'{target} is not availible')\"\r\n $s4 = \"tgtIp = check_targets(tgtList)\"\r\n $s5 = \"cmd_url = f'https://{tgtIp}/command'\"\r\n $s6 = \"print('There is no availible servers...')\"\r\n condition:\r\n 4 of them\r\n}\r\nrule G_APT_BACKDOOR_MAYBEROBOT_1 {\r\n meta:\r\n author = \"Google Threat Intelligence Group (GTIG)\"\r\n strings:\r\n $replace = \"-replace '\\\\n', ';' -replace '[^\\\\x20-\\\\x7E]', '' -replace '(?i)x[0-9A-Fa-f]{4}', '' -split \\\"\\\\\r\n condition:\r\n all of them\r\n}\r\nPosted in\r\nThreat Intelligence\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver\r\nPage 10 of 10", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver" ], "report_names": [ "new-malware-russia-coldriver" ], "threat_actors": [ { "id": "79bd28a6-dc10-419b-bee7-25511ae9d3d4", "created_at": "2023-01-06T13:46:38.581534Z", "updated_at": "2026-04-10T02:00:03.029872Z", "deleted_at": null, "main_name": "Callisto", "aliases": [ "BlueCharlie", "Star Blizzard", "TAG-53", "Blue Callisto", "TA446", "IRON FRONTIER", "UNC4057", "COLDRIVER", "SEABORGIUM", "GOSSAMER BEAR" ], "source_name": "MISPGALAXY:Callisto", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "75108fc1-7f6a-450e-b024-10284f3f62bb", "created_at": "2024-11-01T02:00:52.756877Z", "updated_at": "2026-04-10T02:00:05.273746Z", "deleted_at": null, "main_name": "Play", "aliases": null, "source_name": "MITRE:Play", "tools": [ "Nltest", "AdFind", "PsExec", "Wevtutil", "Cobalt Strike", "Playcrypt", "Mimikatz" ], "source_id": "MITRE", "reports": null }, { "id": "3aedca2f-6f6c-4470-af26-a46097d3eab5", "created_at": "2024-11-01T02:00:52.689773Z", "updated_at": "2026-04-10T02:00:05.396502Z", "deleted_at": null, "main_name": "Star Blizzard", "aliases": [ "Star Blizzard", "SEABORGIUM", "Callisto Group", "TA446", "COLDRIVER" ], "source_name": "MITRE:Star Blizzard", "tools": [ "Spica" ], "source_id": "MITRE", "reports": null }, { "id": "2d06d270-acfd-4db8-83a8-4ff68b9b1ada", "created_at": "2022-10-25T16:07:23.477794Z", "updated_at": "2026-04-10T02:00:04.625004Z", "deleted_at": null, "main_name": "Cold River", "aliases": [ "Blue Callisto", "BlueCharlie", "Calisto", "Cobalt Edgewater", "Gossamer Bear", "Grey Pro", "IRON FRONTIER", "Mythic Ursa", "Nahr Elbard", "Nahr el bared", "Seaborgium", "Star Blizzard", "TA446", "TAG-53", "UNC4057" ], "source_name": "ETDA:Cold River", "tools": [ "Agent Drable", "AgentDrable", "DNSpionage", "LOSTKEYS", "SPICA" ], "source_id": "ETDA", "reports": null }, { "id": "3a057a97-db21-4261-804b-4b071a03c124", "created_at": "2024-06-04T02:03:07.953282Z", "updated_at": "2026-04-10T02:00:03.813595Z", "deleted_at": null, "main_name": "IRON FRONTIER", "aliases": [ "Blue Callisto ", "BlueCharlie ", "CALISTO ", "COLDRIVER ", "Callisto Group ", "GOSSAMER BEAR ", "SEABORGIUM ", "Star Blizzard ", "TA446 " ], "source_name": "Secureworks:IRON FRONTIER", "tools": [ "Evilginx2", "Galileo RCS", "SPICA" ], "source_id": "Secureworks", "reports": null }, { "id": "61940e18-8f90-4ecc-bc06-416c54bc60f9", "created_at": "2022-10-25T16:07:23.659529Z", "updated_at": "2026-04-10T02:00:04.703976Z", "deleted_at": null, "main_name": "Gamaredon Group", "aliases": [ "Actinium", "Aqua Blizzard", "Armageddon", "Blue Otso", "BlueAlpha", "Callisto", "DEV-0157", "G0047", "Iron Tilden", "Operation STEADY#URSA", "Primitive Bear", "SectorC08", "Shuckworm", "Trident Ursa", "UAC-0010", "UNC530", "Winterflounder" ], "source_name": "ETDA:Gamaredon Group", "tools": [ "Aversome infector", "BoneSpy", "DessertDown", "DilongTrash", "DinoTrain", "EvilGnome", "FRAUDROP", "Gamaredon", "GammaDrop", "GammaLoad", "GammaSteel", "Gussdoor", "ObfuBerry", "ObfuMerry", "PlainGnome", "PowerPunch", "Pteranodon", "Pterodo", "QuietSieve", "Remcos", "RemcosRAT", "Remote Manipulator System", "Remvio", "Resetter", "RuRAT", "SUBTLE-PAWS", "Socmer", "UltraVNC" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434945, "ts_updated_at": 1775792142, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/3ccb7a0119dd03a4e70172c3fa63522d76201996.pdf", "text": "https://archive.orkl.eu/3ccb7a0119dd03a4e70172c3fa63522d76201996.txt", "img": "https://archive.orkl.eu/3ccb7a0119dd03a4e70172c3fa63522d76201996.jpg" } }