Russian COLDRIVER Hackers Develop Three New Malware Families

Google has identified three new evolutions in malware, attributed to Russia-linked hackers.

Published on Oct 23, 2025

Google Threat Intelligence Group (GTIG) has identified three new malware strains developed by the Russian state-sponsored hacking group COLDRIVER. The group operationalized the new strains, which are based on its previously existing LOSTKEYS malware, just five days after LOSTKEYS was publicly disclosed in May 2025, the report explains.

Google has been monitoring the malware since June 2025, observing that the attackers altered not only the malware itself, but also the execution chain. This highlights the speed at which malicious actors are innovating and refining techniques for maximum impact and effectiveness.

The report states that “[t]he specific changes made between NOROBOT variants highlight the group’s persistent effort to evade detection systems while ensuring continued intelligence collection against high-value targets. However, by simplifying the NOROBOT downloader, COLDRIVER inadvertently made it easier for GTIG to track their activity.”

How Does It Work?

The new malware strains have been given the names NOROBOT, YESROBOT, and MAYBEROBOT, and are connected via a delivery chain, says GTIG researcher Wesley Shields.

COLDRIVER’s previous LOSTKEYS malware focused on using ClickFix-like social engineering lures, and the new delivery chain starts with a similar deployment. 

The attack begins with COLDCOPY, an HTML ClickFix lure that drops NOROBOT, a Dynamic Link Library (DLL) downloader. Some early versions of the chain then delivered YESROBOT, which was later replaced by MAYBEROBOT, a PowerShell implant.

YESROBOT and MAYBEROBOT are both backdoors: they give the attackers a hidden, persistent way back into an infected device. With that foothold, the attackers can observe activity on the device and its network traffic and push further malicious code, whether to spread to other devices or to stage a ransomware attack.

Common uses of backdoor malware include remote command and control, data exfiltration, credential harvesting, and attacks on supply-chain or third-party providers. As COLDRIVER has typically targeted organizations for political motives in the past, data exfiltration and operational disruption may be two key risks in this instance. 
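The chain described above has a recognisable shape on an endpoint: a command the victim pastes from a ClickFix lure, a DLL stage that runs from a user-writable directory, and a PowerShell stage that follows within seconds. The detector below is an added example, not GTIG's or COLDRIVER's code, and the log lines are constructed. It assumes Sysmon-style process-creation events, that the dropped DLL is executed through a loader such as rundll32.exe or regsvr32.exe, and a 60-second window between the stages; none of those specifics come from the GTIG report.

```python
"""Flag a ClickFix-style chain: explorer.exe -> DLL loader (user-writable DLL) -> powershell.exe.

Added example; not code from GTIG or the malware. Event schema, the loader
binaries, the path markers and the time window are all assumptions.
"""
from datetime import datetime

# Directories an unprivileged user can write to (assumption: where a lure drops its DLL).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\downloads\\")
# Assumption: how a dropped DLL gets executed from a pasted command line.
DLL_LOADERS = ("rundll32.exe", "regsvr32.exe")

# Constructed Sysmon-style events: (timestamp, host, pid, ppid, image, command line).
SAMPLE_EVENTS = [
    ("2025-06-10T09:00:01", "ws01", 400, 300, "C:\\Windows\\explorer.exe", "explorer.exe"),
    # Victim pastes the lure's command into the Run dialog; explorer.exe is the parent.
    ("2025-06-10T09:00:05", "ws01", 510, 400, "C:\\Windows\\System32\\rundll32.exe",
     "rundll32.exe C:\\Users\\jane\\AppData\\Local\\Temp\\update.dll,Start"),
    # The DLL stage launches a hidden PowerShell implant four seconds later ("SQBFAFgA" is IEX).
    ("2025-06-10T09:00:09", "ws01", 520, 510,
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell.exe -w hidden -nop -ep bypass -enc SQBFAFgA"),
    # Benign: rundll32 invoking a system DLL from explorer, no PowerShell child.
    ("2025-06-10T09:02:00", "ws01", 530, 400, "C:\\Windows\\System32\\rundll32.exe",
     "rundll32.exe shell32.dll,Control_RunDLL"),
    # Benign: an admin running PowerShell from a console window.
    ("2025-06-10T09:05:00", "ws01", 600, 420,
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell.exe Get-Process"),
]


def load_events(raw):
    """Turn the tuple records into dicts with parsed timestamps."""
    return [
        {"ts": datetime.fromisoformat(ts), "host": host, "pid": pid,
         "ppid": ppid, "image": image, "cmdline": cmdline}
        for ts, host, pid, ppid, image, cmdline in raw
    ]


def basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def user_writable_dll(cmdline):
    """True if the command line names a .dll under a user-writable directory."""
    low = cmdline.lower()
    return ".dll" in low and any(marker in low for marker in USER_WRITABLE)


def find_clickfix_chains(events, window_s=60):
    """Return one alert per powershell.exe whose parent is a DLL loader running a
    user-writable DLL, whose own parent is explorer.exe, within window_s seconds."""
    by_key = {(e["host"], e["pid"]): e for e in events}
    alerts = []
    for ev in events:
        if basename(ev["image"]) != "powershell.exe":
            continue
        loader = by_key.get((ev["host"], ev["ppid"]))
        if loader is None or basename(loader["image"]) not in DLL_LOADERS:
            continue
        if not user_writable_dll(loader["cmdline"]):
            continue
        shell = by_key.get((loader["host"], loader["ppid"]))
        if shell is None or basename(shell["image"]) != "explorer.exe":
            continue
        delta = (ev["ts"] - loader["ts"]).total_seconds()
        if 0 <= delta <= window_s:
            alerts.append({
                "host": ev["host"],
                "powershell_pid": ev["pid"],
                "loader_pid": loader["pid"],
                "loader_cmdline": loader["cmdline"],
                "seconds_after_loader": delta,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_clickfix_chains(load_events(SAMPLE_EVENTS)):
        print(alert)
```

The parent check against explorer.exe is what separates a pasted Run-dialog command from a loader started by an installer or a service; in a real deployment you would also record the clipboard or RunMRU evidence and tune the path markers for your environment.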

How COLDRIVER re-tooled LOSTKEYS. Source: Google Threat Intelligence Group.

A Change Of Tactics

The Hacker News reports that these new iterations depart from COLDRIVER’s usual method, which “involves targeting high profile individuals in NGOs, policy advisors, and dissidents for credential theft.”

Historically, the group has been associated with credential phishing rather than malware. It is currently unclear what prompted the change in method, but GTIG suggested that NOROBOT and MAYBEROBOT may be reserved for gathering additional intelligence from devices that have already been compromised or that belong to high-value targets.