The Russian state-backed hacker group Star Blizzard, also known as ColdRiver, UNC4057, and Callisto, has intensified its cyber-espionage operations with new malware families that evolve rapidly to evade detection.

Researchers have identified the new malware variants as NoRobot, YesRobot, and MaybeRobot, which are now being used in multi-stage delivery chains that begin with a ClickFix social-engineering lure.

According to a new report from Google’s Threat Intelligence Group (GTIG), the hackers abandoned their previous LostKeys malware less than a week after researchers exposed it earlier this year. LostKeys had been used to spy on Western governments, journalists, think tanks, and NGOs by stealing data from targeted systems.

Following that exposure, the group quickly shifted tactics and introduced a new set of malicious tools. The first was NoRobot, a DLL-based malware delivered through deceptive "ClickFix" pages that mimic CAPTCHA challenges. The fake "I am not a robot" check walks the victim through running a command on their own machine, and that command launched the malicious DLL through Windows' rundll32.exe.

Once executed, NoRobot established persistence by modifying registry settings and creating scheduled tasks. It also downloaded a full Python 3.8 installation onto the victim's system in preparation for launching YesRobot, a Python-based backdoor. Because a complete Python runtime is conspicuous on a compromised host, ColdRiver soon replaced YesRobot with MaybeRobot, a stealthier PowerShell-based backdoor.

MaybeRobot supports three main functions: downloading and executing payloads from URLs, running system commands via cmd.exe, and executing arbitrary PowerShell scripts. It reports the results of each task from infected devices back to ColdRiver's command-and-control servers, letting the attackers monitor the success of their operations.
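The chain described above (ClickFix lure, rundll32 loading a DLL, scheduled-task and registry persistence, a dropped Python runtime, then a PowerShell backdoor) leaves a recognisable trail in process-creation telemetry. The following added example is a small hunting script written for this article, not Google's detection content and not ColdRiver's actual command lines: every event below is constructed, the `parent|image|commandline` format is an assumption standing in for whatever EDR or Sysmon export a reader actually has, and the rules encode only the generic shape of the behaviours the text reports.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Directories a standard user can write to.  A DLL or interpreter running from
# here is far more suspicious than one under System32 or Program Files.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\",
                 "\\users\\public\\", "\\programdata\\")

# Constructed process-creation events (not real telemetry) in the assumed
# "parent|image|commandline" form.  Paths, task names and the encoded
# PowerShell blob are placeholders.
SAMPLE_EVENTS = [
    # benign: browser launched from the desktop
    r"explorer.exe|chrome.exe|C:\Program Files\Google\Chrome\Application\chrome.exe",
    # benign: system rundll32 use with a DLL under System32
    r"svchost.exe|rundll32.exe|rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    # ClickFix-style: the user ran the lure's command, so explorer.exe is the parent
    r"explorer.exe|rundll32.exe|rundll32.exe C:\Users\alice\AppData\Local\Temp\verify.dll,Start",
    # persistence: scheduled task re-invoking the same DLL at logon
    r'rundll32.exe|schtasks.exe|schtasks.exe /create /tn "Updater" /tr "rundll32.exe C:\Users\alice\AppData\Local\Temp\verify.dll,Start" /sc onlogon',
    # persistence: Run key pointing at the same DLL
    r'rundll32.exe|reg.exe|reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d "rundll32.exe C:\Users\alice\AppData\Local\Temp\verify.dll,Start"',
    # dropped interpreter running a script out of the user profile
    r"rundll32.exe|python.exe|C:\Users\alice\AppData\Local\Temp\py38\python.exe C:\Users\alice\AppData\Local\Temp\py38\client.py",
    # hidden, encoded PowerShell launcher
    r"rundll32.exe|powershell.exe|powershell.exe -w hidden -nop -enc SQBFAFgA",
]


@dataclass
class Finding:
    index: int    # position of the event in the input list
    rule: str     # which hunting rule fired
    detail: str   # the evidence that triggered it


def _in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def _rundll32_target(cmdline: str) -> Optional[str]:
    """Return the file passed to rundll32 (the text before ',EntryPoint'), or None."""
    m = re.search(r'rundll32(?:\.exe)?"?\s+"?([^",]+)', cmdline, re.IGNORECASE)
    return m.group(1).strip() if m else None


def analyze(events: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for i, line in enumerate(events):
        parent, image, cmdline = (f.strip() for f in line.split("|", 2))
        image_l, cmd_l = image.lower(), cmdline.lower()

        # Rule 1: rundll32 given a file from a user-writable path, or one not even
        # named .dll.  This is the execution step at the end of the ClickFix lure.
        if image_l == "rundll32.exe":
            target = _rundll32_target(cmdline)
            if target and (_in_user_writable(target) or not target.lower().endswith(".dll")):
                findings.append(Finding(i, "rundll32_user_writable_dll", target))

        # Rule 2: persistence through a scheduled task or Run key whose action is
        # a living-off-the-land binary.
        if image_l == "schtasks.exe" and "/create" in cmd_l and \
                re.search(r'/tr\s+"?[^"]*(rundll32|powershell|mshta|wscript)', cmd_l):
            findings.append(Finding(i, "schtasks_lolbin_persistence", cmdline))
        if image_l == "reg.exe" and re.search(r"\badd\b.*\\currentversion\\run(once)?\b", cmd_l):
            findings.append(Finding(i, "run_key_persistence", cmdline))

        # Rule 3: hidden or encoded PowerShell, the shape a PowerShell backdoor's
        # launcher takes.  "-exec bypass" alone does not match; only the -e* family.
        if image_l in ("powershell.exe", "pwsh.exe") and \
                re.search(r"-(e|ec|enc|encodedcommand)\b|-w(indowstyle)?\s+hidden", cmd_l):
            findings.append(Finding(i, "powershell_hidden_or_encoded", cmdline))

        # Rule 4: a Python interpreter executing from a user-writable path, which is
        # what a freshly dropped Python runtime looks like on a host that never had one.
        if image_l in ("python.exe", "pythonw.exe") and _in_user_writable(cmd_l):
            findings.append(Finding(i, "python_from_user_writable_path", cmdline))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"event {f.index}: {f.rule} -> {f.detail}")
```

Run against the constructed events, the two benign lines produce nothing and the five remaining lines each fire exactly one rule. In a real environment the interesting signal is the combination: the same user-writable DLL path appearing in the rundll32 execution and then in a task or Run key minutes later, followed by an interpreter or PowerShell child of rundll32.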


Researchers found that ColdRiver's attack chain has evolved several times: initially complex, later simplified, and recently made more intricate again. The latest version splits the cryptographic key material across several components, so the final payload decrypts correctly only when every part has been recovered and combined. An analyst who captures only some of the stages therefore cannot reconstruct the infection chain or decrypt the final malware.
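To make concrete why split keys frustrate analysis, here is an added illustration, not ColdRiver's code and not the scheme GTIG describes in detail: the cipher is a stand-in (SHA-256 in counter mode), the stage layout and the `PAYLOAD1` marker are assumptions. What it does show is the underlying property of n-of-n XOR key sharing: any n-1 shares are uniformly random and statistically independent of the key, so a sample set missing even one component yields nothing but noise when decryption is attempted.

```python
import hashlib
import os
from typing import List, Optional, Tuple

# Marker prefixed to the plaintext so a decryption attempt can be judged right or
# wrong without knowing the payload in advance.  Assumed for this illustration.
MAGIC = b"PAYLOAD1"


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, n: int) -> List[bytes]:
    """n-of-n XOR sharing: n-1 random shares plus one chosen so the XOR of all n is key.
    Each share, and any n-1 of them together, is uniformly random on its own."""
    shares = [os.urandom(len(key)) for _ in range(n - 1)]
    last = key
    for s in shares:
        last = xor_bytes(last, s)
    return shares + [last]


def combine_shares(shares: List[bytes]) -> bytes:
    key = bytes(len(shares[0]))
    for s in shares:
        key = xor_bytes(key, s)
    return key


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher for the demo: SHA-256(key || offset) blocks XORed over data.
    Encryption and decryption are the same operation.  Illustration only."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        chunk = data[offset:offset + 32]
        out += xor_bytes(chunk, ks[:len(chunk)])
    return bytes(out)


def stage_payload(payload: bytes, n_stages: int) -> Tuple[List[bytes], bytes]:
    """Encrypt the payload under a fresh key and give each of n_stages one share of it."""
    key = os.urandom(32)
    blob = keystream_xor(key, MAGIC + payload)
    return split_key(key, n_stages), blob


def recover_payload(shares: List[bytes], blob: bytes) -> Optional[bytes]:
    """Recombine whatever shares were recovered; None unless the result decrypts correctly."""
    plaintext = keystream_xor(combine_shares(shares), blob)
    if not plaintext.startswith(MAGIC):
        return None
    return plaintext[len(MAGIC):]


def demo() -> dict:
    # Constructed stand-in for a final-stage script; not a real payload.
    payload = b"echo constructed-final-stage"
    shares, blob = stage_payload(payload, 3)
    return {
        "all_shares": recover_payload(shares, blob),
        "missing_one": recover_payload(shares[:-1], blob),
        "wrong_share": recover_payload(shares[:-1] + [os.urandom(32)], blob),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result!r}")
```

The practical consequence for defenders is the one the report draws: triage of a single recovered loader tells you little about the final stage, so collection has to cover every file and stage in the chain, and the detection content that matters most targets the behaviour of the early components rather than the encrypted payload.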

Google’s findings show that ColdRiver carried out these attacks between June and September 2025, with the group focusing heavily on refining NoRobot to make it more stealthy and resilient. The hackers’ infrastructure and tactics point to direct ties with Russia’s Federal Security Service (FSB), and the group has been linked to espionage operations since at least 2017.

While ColdRiver is best known for phishing campaigns, its shift to ClickFix-based delivery methods may suggest that it’s now re-targeting previously compromised victims. By using this new technique, the group could be seeking to extract even more valuable intelligence from systems that already contain stolen emails and contact lists.


Google has published indicators of compromise (IoCs) and YARA detection rules to help defenders identify and block these new Robot malware variants. The report highlights that despite repeated exposure, infrastructure takedowns, and sanctions, ColdRiver remains one of the most persistent and adaptive cyber-espionage groups operating today.
