Google links three new ‘ROBOT’ malware families to Russia-linked COLDRIVER

Google’s Threat Intelligence Group (GTIG) reported the discovery of three related malware families, named NOROBOT, YESROBOT and MAYBEROBOT, that it linked to the Russia-linked hacking group COLDRIVER. GTIG said the codebases have undergone multiple revisions since May 2025 and that the pace of development suggests an increased operations tempo.

Researchers described a delivery chain that begins with a ClickFix-style HTML lure called COLDCOPY, which drops a DLL named NOROBOT that is executed via rundll32.exe to install follow-on components.
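The delivery chain above hinges on a DLL being handed to the legitimate Windows binary rundll32.exe, which is a pattern defenders can hunt for without knowing the specific file names. The following is an added detection example, not code from the GTIG report and not based on its indicators: it scans Sysmon-style process-creation events for rundll32.exe loading a module from a user-writable directory, or a module whose name lacks the .dll extension, and adds a note when the parent is an interactive process such as explorer.exe (typical when a user pastes a command into the Run dialog, as ClickFix lures ask them to) or a browser. The directory list, the parent-process list and the log lines are all constructed assumptions for illustration.

```python
"""Flag rundll32.exe launches that load a module from a user-writable location.

Added example; not from the GTIG report. The events below are constructed
Sysmon-style process-creation records, not real COLDRIVER telemetry.
"""
import re
from typing import Dict, List, Optional

# Assumed list of locations an unprivileged user can write to. A DLL that
# rundll32 loads from one of these right after a browser lure is worth a look.
USER_WRITABLE_PATTERNS = [
    r"\\users\\[^\\]+\\downloads\\",
    r"\\users\\[^\\]+\\appdata\\local\\temp\\",
    r"\\users\\[^\\]+\\appdata\\roaming\\",
    r"\\users\\public\\",
    r"\\programdata\\",
    r"\\windows\\temp\\",
]

# Assumed set of parents that indicate a user-driven launch (Run dialog or browser).
INTERACTIVE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed sample events (Sysmon Event ID 1 fields). Index 1 and 2 are the
# suspicious ones; the rest are benign or out of scope for this detector.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" "C:\Users\alice\Downloads\verify.dll",run',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\Libraries\update.png,Start",
     "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -nop -w hidden -c Get-Date",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rundll32_target(command_line: str) -> Optional[str]:
    """Return the module path rundll32 was asked to load, or None if the
    command is not a rundll32 launch with an argument.

    rundll32 takes '<module>,<Export>' or '<module> <Export>'. Quoted tokens are
    honoured; an unquoted module path containing spaces is a known limitation.
    """
    tokens = [m.group(1) if m.group(1) is not None else m.group(2)
              for m in re.finditer(r'"([^"]*)"|(\S+)', command_line)]
    if len(tokens) < 2 or _basename(tokens[0]) not in ("rundll32.exe", "rundll32"):
        return None
    return tokens[1].split(",", 1)[0]


def is_user_writable(path: str) -> bool:
    lower = path.lower()
    return any(re.search(p, lower) for p in USER_WRITABLE_PATTERNS)


def assess(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event looks suspicious (empty list if none)."""
    target = rundll32_target(event.get("CommandLine", ""))
    if target is None:
        return []
    reasons = []
    if is_user_writable(target):
        reasons.append(f"module loaded from user-writable path: {target}")
    if not target.lower().endswith(".dll"):
        reasons.append(f"rundll32 target lacks a .dll extension: {target}")
    parent = _basename(event.get("ParentImage", ""))
    # Parent alone is not enough (explorer launches rundll32 legitimately);
    # it only adds context once the module itself looks off.
    if reasons and parent in INTERACTIVE_PARENTS:
        reasons.append(f"spawned by {parent} (consistent with a Run-dialog paste or browser lure)")
    return reasons


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map the index of each flagged event to its list of reasons."""
    return {i: r for i, r in ((i, assess(e)) for i, e in enumerate(events)) if r}


if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['CommandLine']}")
        for reason in reasons:
            print(f"    - {reason}")
```

In production the same logic maps onto a Sigma rule or an EDR query over process-creation events; the point of keeping it as plain code here is to show the two checks that matter (where the module lives and whether it is really a DLL) rather than a list of hashes that the next revision of the loader will invalidate.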

Earlier intrusions in 2025 deployed an information-stealing malware called LOSTKEYS, which GTIG said it has not observed since that malware was publicly disclosed. In at least two incidents in late May, NOROBOT initially downloaded a Python backdoor known as YESROBOT before the operators shifted to a PowerShell implant.

According to the analysis, YESROBOT is a minimal HTTPS-based backdoor capable of retrieving commands, downloading and executing files, and exfiltrating documents. The replacement implant, MAYBEROBOT, is more extensible and can fetch payloads from URLs, run commands with cmd.exe and execute PowerShell code.

GTIG analysts said YESROBOT appeared to be a stopgap deployed quickly after the public disclosure of LOSTKEYS, and that the group has alternated between simplifying its delivery chain and reintroducing complexity to evade detection, including changes to how the chain handles cryptography.

The Netherlands’ Public Prosecution Service said three 17-year-old men are suspected of providing services to a foreign government; one is alleged to have been in contact with a hacker group affiliated with the Russian government and to have shared mapped Wi-Fi network information for a fee.

Google’s report includes technical indicators and sample files for the COLDCOPY lure and the NOROBOT, YESROBOT and MAYBEROBOT components; the company did not provide a firm timeline for how long the new families were under development.