In a recent analysis, Google’s Threat Intelligence Group (GTIG) has identified three new malware families—NOROBOT, YESROBOT, and MAYBEROBOT—attributed to the Russian state-sponsored hacking group known as COLDRIVER. This discovery indicates a significant escalation in COLDRIVER’s cyber operations since May 2025, marked by rapid development and deployment of sophisticated malware tools.
Evolution of COLDRIVER’s Malware Arsenal
COLDRIVER, historically recognized for targeting high-profile individuals such as NGO members, policy advisors, and dissidents to steal credentials, has recently shifted its tactics. The group now employs deceptive techniques like ClickFix-style lures, which trick users into executing malicious PowerShell commands through the Windows Run dialog under the guise of fake CAPTCHA verifications.
Earlier in 2025, COLDRIVER’s campaigns led to the deployment of an information-stealing malware named LOSTKEYS. However, following the public disclosure of LOSTKEYS, the group ceased its use and swiftly developed the ROBOT series of malware. This rapid transition underscores COLDRIVER’s agility in adapting its cyber tools to evade detection and maintain operational effectiveness.
Detailed Analysis of the ROBOT Malware Family
The newly identified malware families—NOROBOT, YESROBOT, and MAYBEROBOT—are interconnected through a sophisticated delivery chain:
1. NOROBOT: The infection process begins with an HTML lure, dubbed COLDCOPY, which delivers a DLL file named NOROBOT. This file is executed using rundll32.exe, initiating the next stage of the attack.
2. YESROBOT: Initially, NOROBOT deployed a Python-based backdoor known as YESROBOT. This minimalistic backdoor communicates over HTTPS with a hard-coded command-and-control (C2) server, enabling it to download and execute files and retrieve documents of interest. Notably, YESROBOT was observed in only two instances during a two-week period in late May 2025, shortly after the public disclosure of LOSTKEYS.
3. MAYBEROBOT: Subsequently, COLDRIVER transitioned to using MAYBEROBOT, a more versatile and extensible PowerShell implant. MAYBEROBOT is capable of downloading and executing payloads from specified URLs, running commands via cmd.exe, and executing PowerShell code, providing the attackers with a robust tool for intelligence gathering and system manipulation.
The progression from YESROBOT to MAYBEROBOT suggests that COLDRIVER initially deployed YESROBOT as a temporary solution in response to the exposure of LOSTKEYS. The group then shifted to MAYBEROBOT, likely due to its enhanced capabilities and reduced likelihood of detection. Early versions of NOROBOT included steps to download a full Python 3.8 installation onto compromised hosts—a conspicuous action that could alert security systems. By refining their methods, COLDRIVER demonstrates a commitment to evading detection and enhancing the efficacy of their cyber operations.
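The behaviours described above (a ClickFix-style lure that has the user launch PowerShell from the Run dialog, a DLL started through rundll32.exe, a PowerShell implant that shells out to cmd.exe, and a user-mode Python installation dropped onto the host) are all visible in ordinary process-creation telemetry. The following is an added detection example written for this article; it is not code from GTIG, Google, or the report, and it uses no published COLDRIVER indicators. The event fields, the list of user-writable directories, the keyword list, and every sample event are assumptions constructed for the example; the sample command lines are placeholders, not real lure content.

```python
# Added example (not from GTIG or the article): simple detectors for the
# COLDRIVER delivery-chain behaviours the text describes, run over
# constructed process-creation events. All field names, keyword lists and
# sample values are assumptions of this example, not published indicators.
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon event-1 style; constructed)."""
    parent: str    # image path of the parent process
    image: str     # image path of the newly created process
    cmdline: str   # full command line of the new process


# Directories a standard user can write to (assumption). DLLs and
# interpreters launched from here deserve more scrutiny than those under
# the Windows directory.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\downloads\\")

# Matches a drive-letter path ending in .dll inside a lowercased command line.
DLL_PATH = re.compile(r'([a-z]:\\[^\s,"]+\.dll)')

# Command-line fragments typical of a Run-dialog one-liner (assumption).
SUSPICIOUS_PS = ("-enc", "-w hidden", "-windowstyle hidden", "iex",
                 "invoke-expression", "downloadstring", "invoke-webrequest")


def _base(path: str) -> str:
    """Lowercased file name of an image path."""
    return path.lower().rsplit("\\", 1)[-1]


def is_user_writable(path: str) -> bool:
    return any(d in path.lower() for d in USER_WRITABLE)


def clickfix_run_dialog(ev: ProcEvent) -> Optional[str]:
    """explorer.exe (the Run dialog's parent) starting a hidden/encoded PowerShell."""
    if _base(ev.parent) != "explorer.exe" or _base(ev.image) != "powershell.exe":
        return None
    cl = ev.cmdline.lower()
    return "clickfix_run_dialog_powershell" if any(k in cl for k in SUSPICIOUS_PS) else None


def rundll32_user_dll(ev: ProcEvent) -> Optional[str]:
    """rundll32.exe loading a DLL that lives in a user-writable directory."""
    if _base(ev.image) != "rundll32.exe":
        return None
    m = DLL_PATH.search(ev.cmdline.lower())
    return "rundll32_dll_from_user_path" if m and is_user_writable(m.group(1)) else None


def implant_spawns_cmd(ev: ProcEvent) -> Optional[str]:
    """PowerShell spawning cmd.exe, as a PowerShell implant running commands would."""
    if _base(ev.parent) == "powershell.exe" and _base(ev.image) == "cmd.exe":
        return "implant_spawned_cmd"
    return None


def python_from_user_path(ev: ProcEvent) -> Optional[str]:
    """A Python interpreter executing from a user-writable location."""
    if _base(ev.image) == "python.exe" and is_user_writable(ev.image):
        return "python_from_user_path"
    return None


DETECTORS: Sequence[Callable[[ProcEvent], Optional[str]]] = (
    clickfix_run_dialog, rundll32_user_dll, implant_spawns_cmd, python_from_user_path,
)


def triage(events: Sequence[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (event index, finding label) for every detector that fires."""
    findings: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        for det in DETECTORS:
            label = det(ev)
            if label:
                findings.append((i, label))
    return findings


# Constructed sample telemetry; nothing here is a real indicator.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", PS,
              'powershell.exe -w hidden -enc "<CONSTRUCTED_BASE64_PLACEHOLDER>"'),
    ProcEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe",
              "svchost.exe -k netsvcs"),
    ProcEvent(PS, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\alice\AppData\Local\Temp\lure.dll,Start"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    ProcEvent(PS, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcEvent(r"C:\Windows\explorer.exe", PS, "powershell.exe"),  # interactive, no flags
    ProcEvent(PS, r"C:\Users\alice\AppData\Local\Temp\python38\python.exe",
              r"python.exe C:\Users\alice\AppData\Local\Temp\stage.py"),
]

if __name__ == "__main__":
    for idx, label in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {label}")
```

Each detector is deliberately narrow and independent so that a single one firing is a triage lead rather than a verdict; `implant_spawns_cmd` in particular is noisy in environments where administrators script with PowerShell, so in practice it is best weighted together with the parent chain (explorer.exe to powershell.exe to cmd.exe) rather than alerted on alone.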
Strategic Implications and Targeting
The deployment of NOROBOT and MAYBEROBOT appears to be reserved for high-value targets, potentially those already compromised through phishing attacks. The primary objective is to gather additional intelligence from these individuals’ devices. The continuous evolution of COLDRIVER’s malware—from simplifying deployment processes to reintroducing complexity through cryptographic key splitting—highlights the group’s dedication to circumventing detection mechanisms and sustaining intelligence collection against significant targets.
Broader Context: Cyber Espionage Activities
This development is part of a broader pattern of cyber espionage activities linked to Russian state-sponsored actors. For instance, in April 2023, Google’s Threat Analysis Group (TAG) reported that Russian military intelligence-affiliated hackers conducted extensive phishing campaigns targeting hundreds of users in Ukraine. These campaigns aimed to extract intelligence and influence public discourse related to the ongoing conflict. The attackers employed credential harvesting techniques, including phishing links delivered via SMS and fake Windows update packages that deployed information-stealing malware.
Additionally, in September 2022, cybersecurity firm Mandiant identified at least three hacktivist groups—XakNet Team, Infoccentr, and CyberArmyofRussia_Reborn—operating in support of Russian interests. These groups were found to coordinate their operations with Russian Main Intelligence Directorate (GRU)-sponsored cyber threat actors, engaging in activities such as distributed denial-of-service (DDoS) attacks and data leaks.
Conclusion
The identification of NOROBOT, YESROBOT, and MAYBEROBOT underscores the dynamic and evolving nature of cyber threats posed by state-sponsored actors like COLDRIVER. Their rapid development and deployment of new malware families reflect a strategic intent to enhance operational capabilities and evade detection. As cyber espionage tactics continue to evolve, it is imperative for organizations and individuals to remain vigilant, adopt robust cybersecurity measures, and stay informed about emerging threats to effectively safeguard sensitive information and infrastructure.