Google’s Threat Intelligence Group (GTIG) has attributed three related malware families — NOROBOT, YESROBOT, and MAYBEROBOT — to the Russia-linked COLDRIVER actor. Emerging after the public disclosure of LOSTKEYS in May 2025, these families show rapid iterative development and a shift in tactics toward ClickFix-style lures that weaponize the Windows Run dialog and PowerShell to bypass protections and harvest intelligence from high-value targets.

Introduction

Google GTIG’s latest analysis highlights a rapid development cycle from the threat actor known as COLDRIVER. Within days of LOSTKEYS being disclosed, the group rolled out a set of related implants and a multi-stage delivery chain that demonstrates both urgency and adaptability. The new families—NOROBOT, YESROBOT, and MAYBEROBOT—are linked by a common delivery chain and share operational objectives: stealthy credential theft and targeted intelligence collection from high-value individuals.

What changed in COLDRIVER’s approach

Historically, COLDRIVER has focused on high-profile individuals such as NGO staff, policy advisors, and dissidents, usually aiming for credential theft. The new activity retains that targeting but pivots tactically. Instead of direct credential capture, recent campaigns use ClickFix-style HTML lures (notably a lure dubbed COLDCOPY) to trick victims into executing seemingly benign commands through the Windows Run interface as part of a fake CAPTCHA flow. This technique leverages social engineering to coax users to run PowerShell commands — a delivery method that can be effective against poorly hardened endpoints.

The infection chain — step by step

1. Initial lure (COLDCOPY): An HTML ClickFix-style page convinces a user to perform a verification step (fake CAPTCHA). The page instructs the user to run a command that triggers payload execution via the Windows Run dialog.
2. Dropper (NOROBOT DLL): The lure drops a DLL named NOROBOT, which is executed using rundll32.exe.
3. Secondary stages: NOROBOT then drops subsequent implants. Early variants deployed a Python backdoor (YESROBOT) before the actor rapidly transitioned to a PowerShell implant (MAYBEROBOT).

Meet the family: YESROBOT, MAYBEROBOT, NOROBOT

• YESROBOT (Python backdoor): A minimal HTTPS-based backdoor with capabilities to download and execute files and to exfiltrate documents. Observed in only two deployments over a short window in late May 2025 — likely a fast, temporary solution after LOSTKEYS disclosure.
• MAYBEROBOT (PowerShell implant): A more flexible, extensible PowerShell-based implant capable of downloading payloads from a URL, executing commands via cmd.exe, and running arbitrary PowerShell code. Assessed to be the long-term replacement for YESROBOT.
• NOROBOT (DLL dropper/delivery stage): Acts as the initial payload delivered by the HTML lure. Earlier NOROBOT variants attempted to download a full Python 3.8 runtime on victims — an operationally noisy choice that appears to have been abandoned in later builds.

Note: Zscaler ThreatLabz tracks NOROBOT and MAYBEROBOT under different labels (BAITSWITCH and SIMPLEFIX, respectively).

Why the rapid evolution matters

GTIG’s findings suggest that COLDRIVER accelerated development to respond to public disclosures. YESROBOT appears to have been deployed as a rapid stopgap; MAYBEROBOT followed as a quieter, more capable replacement. NOROBOT’s iterative changes — from simplified deployment techniques to reintroducing cryptographic key-splitting — indicate attempts to both maximize initial success rates and then harden the chain against detection once deployed.

Operational targeting and likely objectives

Google assesses NOROBOT and MAYBEROBOT are reserved for high-value targets who may already be compromised via phishing or direct social-engineering. The ultimate objective remains intelligence collection: harvesting documents, credentials, and other artifacts of interest from targeted devices.

Broader context — related law enforcement activity

In a related development, the Netherlands’ Openbaar Ministerie (Public Prosecution Service) announced suspicions against three 17-year-olds reportedly providing services to a foreign government. One suspect is alleged to have communicated with a hacker group affiliated with the Russian government, while the other two assisted in mapping Wi‑Fi networks in The Hague. Two suspects were arrested on September 22, 2025; the third is under house arrest. Dutch authorities have not reported signs of coercion affecting the suspect in contact with the foreign-affiliated group.

Key takeaways for defenders

• Hardening user behaviour: Discourage following run‑dialog or manual-run instructions from webpages or emails. Treat any instruction that asks users to run commands as suspicious.
• Reduce PowerShell exposure: Enforce constrained language mode where possible, enable script block logging and AMSI, and restrict lateral use of signed PowerShell scripts.
• Monitor rundll32.exe and unusual DLL loads: Focus detection rules on anomalous rundll32 usage patterns and DLLs that are not signed or that execute network-facing behavior.
• Detect noisy artefacts: Early NOROBOT variants dropped full Python runtimes — a detectable, noisy artifact. Track unusual installer activity or unexpected runtime installations.
• Hunt for HTTPS beaconing: YESROBOT used HTTPS to call back to hard-coded C2. Network detections that profile unusual HTTPS POSTs to small sets of domains can be helpful.

Closing thoughts

The rapid roll-out and refinement of NOROBOT, YESROBOT, and MAYBEROBOT highlight a familiar pattern: when a tool is exposed publicly, a capable adversary will iterate quickly — sometimes deploying interim solutions that are later refined into more stealthy implants. Defenders should assume that disclosure can accelerate adversary activity and maintain heightened monitoring following any public reporting.