
Russian Coldriver Hackers Deploy New 'NoRobot' Malware

Coldriver appears to have shifted to a new set of malware families that Google tracks as NoRobot, YesRobot and MaybeRobot. The attack starts with a 'ClickFix-style' phishing lure: a fake CAPTCHA page designed to convince the victim that they must prove they are "not a robot". Google tracks this lure as ColdCopy. The page prompts the user to download a malicious dynamic-link library (DLL), tracked as NoRobot, and run it with rundll32.exe, a legitimate Windows utility that loads a DLL and calls one of its exported functions. The export it calls is named humanCheck, a name chosen to reinforce the CAPTCHA deception.

Once executed, the NoRobot DLL acts as a downloader. Early versions used a split-key cryptography scheme in which parts of the decryption key were hidden in downloaded files and in the Windows Registry (e.g. under HKEY_CURRENT_USER\SOFTWARE\Classes.pietas). This complicates analysis: an analyst or sandbox that captures the downloaded files but not the registry value (or vice versa) is missing a component of the key and cannot decrypt the next stage. The DLL-based chain also replaces Coldriver's older, PowerShell-based delivery, which makes the initial stage harder to spot for security tools that focus on monitoring script-based execution.
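The split-key idea in the paragraph above, as an added illustration that is not Coldriver's code and does not claim to reproduce the real NoRobot algorithm (which the page does not describe): the key to the next stage only exists once fragments from a downloaded file and a registry value are recombined, so a sandbox or analyst that captured only one of them recovers nothing. The cipher (a SHA-256 counter-mode keystream with an HMAC tag), the fragment values and the payload are all constructed for the example; only the registry path is taken from the article.

```python
import hashlib
import hmac

# Constructed fragments standing in for the two hiding places. The registry path
# is the one named in the article; the byte values are invented for the example.
FRAGMENT_SOURCES = {
    "downloaded_file": bytes.fromhex("3a9f0c1d44e1b2a7"),
    r"HKCU\SOFTWARE\Classes.pietas": bytes.fromhex("77d5c0e9120b8af6"),
}


def derive_key(fragments):
    """Combine every available fragment, in a fixed order, into one 32-byte key.

    With a fragment missing or altered the material differs, so the key differs.
    """
    material = b"".join(fragments[name] for name in sorted(fragments))
    return hashlib.sha256(b"split-key-demo|" + material).digest()


def keystream(key, length):
    """Toy counter-mode keystream: SHA-256(key || counter), concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key, plaintext):
    """What the attacker's server would do: XOR with the keystream, append an HMAC tag."""
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def decrypt(key, blob):
    """Return the plaintext, or None when the tag fails (wrong or incomplete key)."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, keystream(key, len(ct))))


# Constructed stage-two payload, "served" encrypted under the full key.
STAGE_TWO = b"STAGE-TWO PAYLOAD (constructed placeholder, not real malware)"
ENCRYPTED_STAGE_TWO = encrypt(derive_key(FRAGMENT_SOURCES), STAGE_TWO)


def analyst_attempt(available_fragments):
    """Simulate an analyst or sandbox that recovered only some of the fragments."""
    return decrypt(derive_key(available_fragments), ENCRYPTED_STAGE_TWO)


if __name__ == "__main__":
    print("all fragments  :", analyst_attempt(FRAGMENT_SOURCES))
    print("file only      :", analyst_attempt({"downloaded_file": FRAGMENT_SOURCES["downloaded_file"]}))
    print("registry only  :", analyst_attempt({k: v for k, v in FRAGMENT_SOURCES.items() if k != "downloaded_file"}))
```

The practical consequence for a responder is that a memory dump or a full-disk image taken from the infected host is worth more than the downloaded files alone: the loader had to hold the reassembled key in memory, and the registry value is only present on the victim machine.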

Around June 2025, Coldriver switched to MaybeRobot, a more flexible PowerShell-based backdoor that needs no Python script. In this version NoRobot was simplified: it fetches a single logon script, and MaybeRobot is persisted by a PowerShell command added to the user's logon script. MaybeRobot talks to its command-and-control (C2) server over a custom protocol with three core commands:

1. Download and execute a file from a URL
2. Run a command via cmd.exe
3. Execute a PowerShell block
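A triage script for the chain described above, added here as an editor's example and not code from Google or from the article. It runs three checks over constructed Sysmon-style events: rundll32.exe loading a DLL from a user-writable path, a CAPTCHA-themed export name (humanCheck comes from the article; the other keywords are assumed), and PowerShell written into a per-user logon-script registry value. The field names (Image, CommandLine, TargetObject, Details) follow Sysmon's process-creation (Event ID 1) and registry value-set (Event ID 13) events; the HKCU\Environment\UserInitMprLogonScript location is an assumption about where such a logon script would be registered, since the article does not name it.

```python
import re

# Paths an unprivileged user can write to; a DLL loaded from here by rundll32 is
# far more suspicious than one under System32.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(Downloads|AppData|Desktop)|Temp|ProgramData)\\", re.I
)
# rundll32 "<path>.dll",<export>   or   rundll32 <path>.dll,<export>
RUNDLL32_ARGS = re.compile(
    r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*([A-Za-z_][\w@#]*)', re.I
)
# Export names that play into the "prove you are human" lure. humanCheck is from
# the article; the rest of the word list is an assumption.
LURE_EXPORTS = re.compile(r"human|captcha|robot|verify", re.I)
# Assumed persistence location: the per-user logon script value (HKCU\Environment).
LOGON_SCRIPT_VALUES = re.compile(r"\\Environment\\UserInitMprLogonScript$", re.I)


def triage(event):
    """Return a list of human-readable findings for one Sysmon-style event."""
    findings = []
    if event.get("EventID") == 1:
        m = RUNDLL32_ARGS.search(event.get("CommandLine", ""))
        if m:
            dll, export = m.group(1), m.group(2)
            if USER_WRITABLE.search(dll):
                findings.append(f"rundll32 loading DLL from user-writable path: {dll}")
            if LURE_EXPORTS.search(export):
                findings.append(f"CAPTCHA-themed export name: {export}")
    elif event.get("EventID") == 13:
        target = event.get("TargetObject", "")
        details = event.get("Details", "")
        if LOGON_SCRIPT_VALUES.search(target) and re.search(r"powershell", details, re.I):
            findings.append(f"PowerShell persisted via logon script value: {target}")
    return findings


# Constructed sample events: one lure-style rundll32 launch, one benign rundll32
# launch, one logon-script persistence write. None of these is real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'rundll32.exe "C:\Users\alice\Downloads\captcha.dll",humanCheck'},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"EventID": 13, "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Environment\UserInitMprLogonScript",
     "Details": r"powershell.exe -nop -w hidden -File C:\Users\alice\AppData\Roaming\m.ps1"},
]


def run(events=SAMPLE_EVENTS):
    """Triage every event; return (index, findings) pairs for the ones that fire."""
    results = []
    for i, event in enumerate(events):
        findings = triage(event)
        if findings:
            results.append((i, findings))
    return results


if __name__ == "__main__":
    for i, findings in run():
        for f in findings:
            print(f"event {i}: {f}")
```

The benign shell32.dll launch produces no finding, which is the point of keying on the DLL's location and export name rather than on rundll32.exe itself: the binary is used constantly by Windows, so alerting on it alone is noise. Correlating the first and third findings on the same host within minutes turns two medium-confidence signals into a high-confidence one.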

To read the complete article see: https://www.infosecurity-magazine.com/news/russian-coldriver-hackers-new/

This post is licensed under CC BY 4.0 by the author.