To Be (A Robot) or Not to Be: New Malware Attributed to Russia State-Sponsored COLDRIVER
Category: Threat Alerts / Threat Intelligence
Google Threat Intelligence Group (GTIG) describes evolving COLDRIVER tradecraft: NOROBOT loaders set logon scripts that fetch MAYBEROBOT (also tracked as SIMPLEFIX), a PowerShell-based backdoor offering flexible command execution and C2 acknowledgement paths. Iterative changes to infrastructure and component naming aim to evade detection while keeping intelligence collection running.
CORTEX Protocol Intelligence Assessment
Business Impact: APT-grade backdoors give a state actor stealthy, long-lived persistence and a data-theft channel inside targeted organisations.
Technical Context: The chain is PowerShell-centric; C2 paths rotate between iterations, and the backdoor's minimal built-in functionality leaves most logic to operator-issued commands.
Strategic Intelligence Guidance
- Constrain macro and script execution; enable PowerShell Script Block Logging (Event ID 4104) and confirm AMSI is active.
- Deploy EDR detections for suspicious logon scripts and C2 beacons.
- Operationalize GTIG's published IOCs in proxy and DNS blocklists, alongside Safe Browsing coverage of the reported domains.
- Isolate high‑value targets and enforce device compliance baselines.
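The first two guidance items above can be turned into a read-only host audit. The script below is an added example written for this page; it is not code from GTIG or from the COLDRIVER report, and it does not claim that NOROBOT uses any particular persistence location. It checks whether Script Block Logging is enforced by policy, then enumerates the common logon-script persistence locations (the assumed checklist is the UserInitMprLogonScript value, the Winlogon Userinit and Shell values, and the local Group Policy user logon-script directory) and flags values that look like a fetch-and-execute PowerShell stage. The regex patterns are generic, illustrative heuristics, not published indicators.

```powershell
# Added example (not from the GTIG report or this page): read-only audit of
# Script Block Logging policy and logon-script persistence locations.
# Registry paths are standard Windows locations; the suspicious-pattern list is an
# illustrative assumption, not an IOC set for NOROBOT/MAYBEROBOT.

function Test-ScriptBlockLoggingEnabled {
    # Policy key that GPO writes when "Turn on PowerShell Script Block Logging" is enabled
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $val = Get-ItemProperty -Path $key -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    return ($null -ne $val -and $val.EnableScriptBlockLogging -eq 1)
}

function Get-LogonScriptEntries {
    # Locations where a logon script can be planted without domain Group Policy (assumed checklist)
    $targets = @(
        @{ Path = 'HKCU:\Environment'; Name = 'UserInitMprLogonScript' },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit' },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell' }
    )
    foreach ($t in $targets) {
        $p = Get-ItemProperty -Path $t.Path -Name $t.Name -ErrorAction SilentlyContinue
        if ($null -ne $p) {
            [pscustomobject]@{ Location = "$($t.Path)\$($t.Name)"; Value = [string]$p.($t.Name) }
        }
    }
    # Local Group Policy user logon scripts: every file here deserves review
    $gpoDir = Join-Path $env:SystemRoot 'System32\GroupPolicy\User\Scripts\Logon'
    if (Test-Path $gpoDir) {
        Get-ChildItem -Path $gpoDir -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Location = $_.FullName
                Value    = [string](Get-Content -Raw -Path $_.FullName -ErrorAction SilentlyContinue)
            }
        }
    }
}

function Test-SuspiciousLogonScript {
    param([string]$Value)
    # The benign Userinit value is exactly userinit.exe; anything appended is worth flagging
    if ($Value -match '^\s*C:\\Windows\\system32\\userinit\.exe,?\s*$') { return $false }
    # Heuristics typical of a download-and-run PowerShell stage (illustrative assumption)
    $patterns = @(
        'powershell(\.exe)?.*\s-(e|ec|enc|encodedcommand)\b',
        'powershell(\.exe)?.*\s-(w|windowstyle)\s+hidden',
        '(iwr|invoke-webrequest|downloadstring|downloadfile|net\.webclient)',
        '\biex\b|invoke-expression',
        'rundll32(\.exe)?\s+.*\.dll',
        '\b(mshta|wscript|cscript)\b'
    )
    foreach ($re in $patterns) {
        if ($Value -imatch $re) { return $true }
    }
    return $false
}

# Run the audit and print one line per finding
if (-not (Test-ScriptBlockLoggingEnabled)) {
    Write-Warning 'Script Block Logging is not enforced by policy (EnableScriptBlockLogging != 1).'
}
Get-LogonScriptEntries | ForEach-Object {
    $flag = if (Test-SuspiciousLogonScript -Value $_.Value) { 'SUSPICIOUS' } else { 'review' }
    '{0,-10} {1} => {2}' -f $flag, $_.Location, $_.Value
}
```

Run it in an elevated PowerShell session so the HKLM values are readable; HKCU entries are checked only for the current user, so for fleet coverage run it under each interactive profile or feed the same locations to your EDR's registry-modification rules, where a write to any of them by a PowerShell or rundll32 parent is the event to alert on.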
Intelligence Source: To Be (A Robot) or Not to Be: New Malware Attributed to Russia State-Sponsored COLDRIVER | Google Cloud Blog | Oct 21, 2025