
Google finds Russian state hackers replacing burned malware with new tools

A Russian government-backed hacking group known as Coldriver has developed three new malware strains to replace a tool exposed earlier this year, according to new research by Google.

In a report released Tuesday, Google’s threat intelligence team said the Moscow-linked hackers, also tracked as Star Blizzard, Callisto and UNC4057, began deploying new malicious tools within five days of the company’s May disclosure of the group’s LostKeys malware.

Since then, Google has not observed any further use of LostKeys; instead it has detected the new malware being deployed “more aggressively than any previous campaigns” linked to Coldriver.

The newly identified tools — dubbed NOROBOT, YESROBOT and MAYBEROBOT — are designed to evade detection and steal information from high-value targets.

According to Google, the attacks begin with a malicious file named NOROBOT, delivered through a fake CAPTCHA page, a lure technique previously used in LostKeys operations. The initial payload installs YESROBOT, a backdoor that was later replaced by a more advanced variant called MAYBEROBOT.

While Coldriver has continued to modify NOROBOT, MAYBEROBOT has remained unchanged. According to the report, this suggests the group is focusing on concealing how it gets into a network while relying on a backdoor it trusts to avoid detection afterward.

It remains unclear why the group is prioritizing custom malware over the credential-phishing techniques it has long relied on. One theory, Google said, is that Coldriver aims to infect targets it has already compromised through phishing, using malware to extract additional intelligence directly from their devices.

“As Coldriver continues to develop and deploy this chain, we believe they will maintain aggressive operations against high-value targets to achieve their intelligence collection requirements,” Google’s researchers said.

Active since at least 2022, Coldriver is believed to operate under the direction of Russian intelligence services. The group is known for spying on human rights organizations, independent media and civil society groups in Eastern Europe and the United States.

Coldriver typically steals credentials to access and exfiltrate emails and other data from its targets, but it has also previously used malware such as Spica to target specific individuals and access documents stored on compromised systems.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.