To Be (A Robot) or Not to Be: New Malware Attributed to Russia State-Sponsored COLDRIVER
released on 2025-10-21 @ 09:44:53 AM
COLDRIVER, a Russian state-sponsored threat group, swiftly shifted operations after its LOSTKEYS malware was exposed in May 2025, developing new malware families, including NOROBOT, YESROBOT, and MAYBEROBOT, within days. The infection chain begins with a COLDCOPY lure disguised as a CAPTCHA, which leads to the deployment of NOROBOT, a DLL that retrieves the subsequent stages. YESROBOT, a Python backdoor, was used only briefly before being replaced by MAYBEROBOT, a more flexible PowerShell backdoor. The chain has evolved continuously, with COLDRIVER focusing on evading detection while preserving its intelligence-collection capability against high-value targets. The group's tactics include retrieving commands over HTTPS, encrypting those commands, and applying a range of evasion techniques.
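The chain described above (a CAPTCHA-style lure, a DLL loader, then a Python or PowerShell backdoor) is the kind of sequence a defender can hunt for in process-creation telemetry without needing file hashes. The script below is an added example, not code from the page or from the report it summarizes. It assumes Sysmon-style events with pid, ppid, image path and command line, and it assumes the lure ends with the user launching rundll32 from the Run dialog (a common pattern for such lures; the page itself does not say how the DLL is started). The file names and events are constructed for the demonstration and are not indicators from the report.

```python
"""Heuristic hunt for a fake-CAPTCHA -> DLL loader -> script-host chain.
Added example; event format, paths and file names are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Directories a standard user can write to: a loader DLL or a dropped
# interpreter living here is far more suspicious than one under System32.
USER_WRITABLE = re.compile(
    r"c:\\users\\[^\\]+\\(?:appdata|downloads|desktop|documents)\\", re.I)
# Script hosts a PowerShell- or Python-based backdoor would run under.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "python.exe", "pythonw.exe"}
# PowerShell's -EncodedCommand switch and the abbreviations it accepts.
ENCODED_SWITCH = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s", re.I)
MAX_HOPS = 4  # how far up the process tree to look for the rundll32 ancestor


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def has_rundll32_ancestor(ev: ProcEvent, by_pid: Dict[int, ProcEvent],
                          max_hops: int = MAX_HOPS) -> bool:
    """Walk up to max_hops parents looking for rundll32.exe (cmd.exe hops allowed)."""
    cur: Optional[ProcEvent] = by_pid.get(ev.ppid)
    for _ in range(max_hops):
        if cur is None:
            return False
        if basename(cur.image) == "rundll32.exe":
            return True
        cur = by_pid.get(cur.ppid)
    return False


def find_suspicious_chains(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, reason) for events matching either stage of the chain."""
    by_pid = {e.pid: e for e in events}
    findings: List[Tuple[int, str]] = []
    for ev in events:
        img = basename(ev.image)
        parent = by_pid.get(ev.ppid)
        # Stage 1: the shell (Run dialog lives under explorer.exe) starts
        # rundll32 with a DLL that sits in a user-writable directory.
        if (img == "rundll32.exe" and parent is not None
                and basename(parent.image) == "explorer.exe"
                and USER_WRITABLE.search(ev.cmdline)):
            findings.append((ev.pid, "rundll32 started by explorer loading a DLL from a user-writable path"))
        # Stage 2: a script host descends from that rundll32.
        elif img in SCRIPT_HOSTS and has_rundll32_ancestor(ev, by_pid):
            reason = "script host descended from rundll32"
            if ENCODED_SWITCH.search(ev.cmdline):
                reason += " with an encoded command"
            elif USER_WRITABLE.search(ev.image):
                reason += " running from a user-writable path"
            findings.append((ev.pid, reason))
    return findings


# Constructed sample telemetry: one malicious chain plus two benign look-alikes.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\alice\AppData\Local\Temp\loader.dll,Entry"),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c start /min"),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -enc AAAAAAAA"),
    ProcEvent(700, 200, r"C:\Users\alice\AppData\Local\Temp\py\python.exe",
              "python.exe -c import_placeholder"),
    # Benign: Control Panel applet via rundll32 from a system DLL.
    ProcEvent(500, 100, r"C:\Windows\System32\rundll32.exe",
              "rundll32.exe shell32.dll,Control_RunDLL"),
    # Benign: admin script run directly from the shell, no rundll32 ancestor.
    ProcEvent(600, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\scripts\inventory.ps1"),
]


if __name__ == "__main__":
    for pid, why in find_suspicious_chains(SAMPLE_EVENTS):
        print(pid, why)
```

Only the three events belonging to the constructed chain (pids 200, 400 and 700) are flagged; the Control Panel rundll32 call and the plainly launched admin script are not. The ancestor walk matters because a loader DLL rarely spawns the backdoor interpreter directly, so a rule keyed on the immediate parent alone would miss the cmd.exe hop.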