← Back to blog

COLDRIVER Re-Tools in Four Days: Introducing the ROBOT Malware Suite

russiaaptcoldrivermalwareespionagethreat-intelligence

Our team at Google Threat Intelligence Group (GTIG) just published new research on the Russian state-sponsored actor COLDRIVER (aka Star Blizzard, UNC4057).

We observed the actor re-tool and deploy a completely new malware framework just four days after their LOSTKEYS malware was publicly detailed in a previous GTIG blog in May 2025. This rapid pivot demonstrates their resilience and high operational tempo.

The new infection chain, themed around CAPTCHA lures, features a family of malware we’ve named the “ROBOT” suite:

  • NOROBOT: A downloader that has been in constant development to evade detection.
  • YESROBOT: An initial, cumbersome Python backdoor that the group quickly abandoned.
  • MAYBEROBOT: The actor’s current tool of choice — a more flexible and extensible PowerShell backdoor.

This constant evolution shows COLDRIVER’s significant investment in maintaining access and continuing intelligence collection against high-value targets in policy, NGO, and academic sectors.

Our report provides the full technical breakdown, from the initial lure to the final payload, and includes IOCs and YARA rules to help the community defend against this persistent threat.

Find the GTIG analysis by Wesley Shields here: https://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver

Originally posted on LinkedIn