COLDRIVER Evolves Malware Post-Exposure — New ROBOT Family Deployed

Google’s Threat Intelligence Group (GTIG) has uncovered a significant evolution in the operations of COLDRIVER, a state-sponsored threat actor. Within days of the public disclosure of its LOSTKEYS malware, COLDRIVER deployed a new malware ecosystem dubbed the 'ROBOT' family. This includes NOROBOT, YESROBOT, and MAYBEROBOT, delivered through an updated ClickFix lure disguised as a CAPTCHA test. The group's swift response demonstrates a well-resourced capability to rebuild and rearm after exposure. The new ROBOT-linked malware has been used more aggressively than previous campaigns, highlighting COLDRIVER's persistent effort to evade detection while targeting high-value entities.

Latest mentioned: 10-22

Earliest mentioned: 10-20

Sources

securityonline.info google.com thecyberexpress.com infosecurity-magazine.com therecord.media thehackernews.com bleepingcomputer.com

Also Read

Lampion Banking Trojan Evolves with New Social Engineering Tactics

A cybercriminal group has refined its malware campaign by incorporating innovative social engineering techniques and multi-stage infection chains to deliver the Lampion banking trojan. The campaign, active since 2019, targets Portuguese-speaking banks and uses complex infection methods to evade detection. Researchers have documented significant tactical evolution, including the use of ClickFix lures and compromised email accounts. The phishing emails employ convincing banking themes, and the infection chain comprises multiple obfuscated Visual Basic script stages. The Lampion stealer has evolved into a single 700MB DLL file, incorporating encrypted ZIP files to hinder detection.

10-31Read more →