A sophisticated new malware campaign linked to the Russia-aligned threat actor known as COLDRIVER has emerged, showcasing rapid development and adaptation by the group. Google Threat Intelligence Group (GTIG) has identified multiple refined malware families, including NOROBOT, YESROBOT, and MAYBEROBOT, indicating an accelerated “operations tempo” since May 2025. This development follows closely on the heels of COLDRIVER’s previously disclosed LOSTKEYS malware, highlighting the group’s continuous efforts to evolve its cyber espionage arsenal.
COLDRIVER’s Evolving Malware Arsenal and Tactics
The latest findings from Google reveal that COLDRIVER has been actively refining its malware since May 2025, specifically developing and deploying a suite of related malware families under the collective codename “ROBOT.” This rapid iteration suggests the group is keen on staying ahead of security defenses and maintaining a persistent advantage in its intelligence-gathering operations. The shift in tactics also represents a departure from COLDRIVER’s traditional modus operandi.
Traditionally, COLDRIVER focused on highly targeted phishing attacks aimed at individuals within NGOs, policy advisors, and dissidents, with the primary objective of stealing login credentials. The recent campaign takes a different approach: it uses ClickFix-style lures to deceive victims into executing malicious PowerShell commands. The lure is typically presented as a fake CAPTCHA verification prompt that leads the victim to run the command through the Windows Run dialog.
While earlier attacks detected in January, March, and April 2025 resulted in the deployment of an information-stealing malware named LOSTKEYS, subsequent intrusions have shifted to the “ROBOT” family. Zscaler ThreatLabz tracks NOROBOT and MAYBEROBOT under the names BAITSWITCH and SIMPLEFIX, respectively, underscoring how vendor naming conventions diverge even when the same activity is being tracked.
The NOROBOT-YESROBOT-MAYBEROBOT Infection Chain
The newly identified infection chain begins with an HTML lure, dubbed COLDCOPY, which drops a Dynamic Link Library (DLL) file named NOROBOT. The DLL is executed via rundll32.exe and acts as a loader for the subsequent stages of the malware. Early iterations of the chain were observed delivering a Python backdoor known as YESROBOT.
However, COLDRIVER appears to have quickly transitioned from YESROBOT to MAYBEROBOT, a PowerShell implant. YESROBOT, a relatively minimal backdoor, communicates using HTTPS to retrieve commands from a hard-coded command-and-control (C2) server. Its capabilities include downloading and executing files, as well as exfiltrating documents of interest. Notably, only two instances of YESROBOT deployment were observed over a two-week period in late May, shortly after details of LOSTKEYS were made public.
In contrast, MAYBEROBOT is considered more adaptable and feature-rich. It possesses the ability to download and execute payloads from specified URLs, run commands via cmd.exe, and execute PowerShell code. Researchers speculate that COLDRIVER may have deployed YESROBOT as a temporary solution, or a “stopgap mechanism,” in immediate response to the public disclosure of LOSTKEYS. This hypothesis is further supported by the fact that early versions of NOROBOT included a step to install Python 3.8 on the compromised host, a potentially conspicuous action that could raise suspicion.
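The chain above leaves two host-level footprints a defender can look for: PowerShell spawned from explorer.exe with hidden-window or encoded-command flags (the Run-dialog lure), and rundll32.exe loading a DLL from a user-writable directory (the NOROBOT loader stage). The following is an added detection example, not code from the GTIG report or from the campaign; the event field names, file paths and command lines are constructed for illustration and are not indicators from the report.

```python
# Added example (not GTIG's or COLDRIVER's code): two detections for the chain
# described above, run over constructed Sysmon-style process-creation events.
#  1. explorer.exe -> powershell.exe with a hidden-window or encoded-command
#     flag: what a ClickFix lure pasted into the Win+R Run dialog looks like.
#  2. rundll32.exe loading a DLL from a user-writable path, as with NOROBOT.
# Field names and sample paths are assumptions, not a vendor schema or IoCs.
import re

USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|appdata\\local\\temp)\\", re.I)
RUN_DIALOG_FLAGS = re.compile(r"\s-(w(indowstyle)?\s+hidden|e(nc|ncodedcommand)?\s)", re.I)

def rule_clickfix_powershell(ev):
    """PowerShell spawned by the shell with flags typical of a Run-dialog lure."""
    return (ev["image"].lower().endswith("\\powershell.exe")
            and ev["parent"].lower().endswith("\\explorer.exe")
            and RUN_DIALOG_FLAGS.search(ev["cmd"]) is not None)

def rule_rundll32_user_dll(ev):
    """rundll32.exe handed a DLL under Downloads or %TEMP% (NOROBOT-style loader)."""
    return (ev["image"].lower().endswith("\\rundll32.exe")
            and USER_WRITABLE.search(ev["cmd"]) is not None)

RULES = {"clickfix_powershell": rule_clickfix_powershell,
         "rundll32_user_writable_dll": rule_rundll32_user_dll}

def triage(events):
    """Return [(rule_name, command_line)] for each event matching a rule."""
    return [(name, ev["cmd"]) for ev in events
            for name, rule in RULES.items() if rule(ev)]

# Constructed sample telemetry; PLACEHOLDER values stand in for real content.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell.exe -w hidden -c "PLACEHOLDER_STAGER"',
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r'rundll32.exe "C:\Users\alice\Downloads\PLACEHOLDER.dll",Entry',
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -File C:\Scripts\inventory.ps1",
     "parent": r"C:\Windows\System32\svchost.exe"},   # benign: scheduled task
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "parent": r"C:\Windows\explorer.exe"},           # benign: system DLL
]

if __name__ == "__main__":
    for name, cmd in triage(SAMPLE_EVENTS):
        print(f"[{name}] {cmd}")
```

Both rules are deliberately narrow (parent-process and path constraints) so that routine administrative PowerShell and legitimate rundll32.exe use of system DLLs do not fire; in production they would be tuned against the environment's own baseline.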
Google also suggests that NOROBOT and MAYBEROBOT are likely reserved for highly significant targets. These victims may have already been compromised through phishing, making these advanced malware families the next step in gathering more in-depth intelligence from their devices.
Implications and Ongoing Investigations
“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys,” stated GTIG researcher Wesley Shields. “This constant development highlights the group’s efforts to evade detection systems for their delivery mechanism for continued intelligence collection against high-value targets.”
This increased activity and advanced malware development by COLDRIVER come at a time when international law enforcement agencies are also making progress in investigations related to cyber espionage. The Netherlands’ Public Prosecution Service, the Openbaar Ministerie (OM), recently announced the suspicion of three 17-year-old individuals for providing services to a foreign government. One of these suspects is alleged to have been in contact with a hacker group affiliated with the Russian government.
According to the OM, the suspect provided instructions to map Wi-Fi networks in The Hague, and the collected information was subsequently shared with a client for payment, with the stated purpose of facilitating digital espionage and cyber attacks. Two of the suspects were apprehended in September 2025, while a third, due to his limited role, is under house arrest. Authorities have indicated that there are currently no indications of coercion exerted on the suspect who had contact with the Russian-affiliated hacker group.
The ongoing refinement of COLDRIVER’s malware and the broader context of international investigations suggest a persistent and evolving threat landscape in the realm of state-sponsored cyber espionage. Security professionals will be closely monitoring future developments from COLDRIVER and the outcomes of these international legal proceedings to better understand and counter these sophisticated cyber threats.