
Free, Unbiased, and Open threat intelligence
Threat Profile
Russian state-sponsored threat group COLDRIVER (also known as UNC4057, Star Blizzard, and Callisto) swiftly shifted operations after the May 2025 public disclosure of its LOSTKEYS malware, operationalizing new malware families within five days. The threat actor has deployed a collection of related malware families connected via a delivery chain, including NOROBOT (also known as BAITSWITCH), YESROBOT, and MAYBEROBOT (also known as SIMPLEFIX). The infection chain begins with an updated COLDCOPY 'ClickFix' lure disguised as a CAPTCHA that tricks users into executing a malicious DLL via rundll32. NOROBOT serves as a downloader that retrieves subsequent stages from hardcoded C2 servers. Initially, COLDRIVER deployed YESROBOT, a cumbersome Python backdoor requiring a full Python 3.8 installation, but quickly replaced it with MAYBEROBOT, a more flexible PowerShell backdoor. The malware has gone through multiple iterations, with the infection chain evolving constantly: it was first simplified to improve deployment success, and complexity was later re-introduced through split cryptography keys to evade detection. COLDRIVER targets high-profile individuals in NGOs, policy advisors, and dissidents for intelligence collection. The group demonstrates an increased development tempo and aggressive deployment against high-value targets.
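A defender-side check for the rundll32 stage of the chain above, as an added example (not code from the profile or its source): it scans constructed process-creation events for rundll32 loading a DLL from a user-writable directory, with an explorer.exe parent (what a pasted Win+R command would produce) as a secondary signal. The event fields, the directory list and the explorer.exe parent assumption are mine, not details from the profile.

```python
"""Heuristic check for a ClickFix -> rundll32 DLL execution.
The events below are constructed for illustration and are not COLDRIVER
artifacts; the signals (rundll32 loading a DLL from a user-writable path,
parent explorer.exe as a Win+R paste would produce) are assumptions."""
import re

# Directories an unprivileged user can write to (assumed list, not from the profile).
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\|\\temp\\|\\programdata\\",
    re.I)
# Executable token, then the first argument (quoted or bare): "<dll>,<export>".
FIRST_ARG = re.compile(r'^\s*(?:"[^"]*"|\S+)\s+(?:"([^"]*)"|(\S+))')

# Constructed Sysmon-style process-creation records (sample input, not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\verify.dll,Entry"},
    {"image": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"image": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'rundll32.exe "C:\Windows\System32\printui.dll",PrintUIEntry /?'},
    {"image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"notepad.exe notes.txt"},
]

def dll_argument(cmdline):
    """Return the DLL path rundll32 was asked to load, or None if absent."""
    m = FIRST_ARG.match(cmdline)
    if not m:
        return None
    return (m.group(1) or m.group(2)).split(",", 1)[0]

def assess(event):
    """Return the list of signals this event triggers (empty means not flagged)."""
    if not event["image"].lower().endswith("\\rundll32.exe"):
        return []
    dll = dll_argument(event["cmdline"])
    if dll is None:
        return []
    signals = []
    if USER_WRITABLE.search(dll):
        signals.append("dll-in-user-writable-path")
    # Secondary signal, counted only when the primary one fired: explorer.exe
    # is also the parent of ordinary double-click launches.
    if signals and event["parent"].lower().endswith("\\explorer.exe"):
        signals.append("spawned-from-explorer")
    return signals

def flag_events(events):
    """Map each suspicious command line to the signals it triggered."""
    return {e["cmdline"]: s for e in events if (s := assess(e))}

if __name__ == "__main__":
    for cmd, why in flag_events(SAMPLE_EVENTS).items():
        print(cmd, "->", ", ".join(why))
```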
Threat Actors
Published
7 months ago