Russia-Linked Hacker Group ColdRiver Deploys Aggressive New Malware Chain Disguised as CAPTCHA
- Cyber Jill

- Oct 22
- 4 min read
A Russian-linked hacking group notorious for espionage against Western governments has returned with a faster, stealthier, and more aggressive malware campaign—this time disguised as a simple “I’m not a robot” CAPTCHA.
Google’s Threat Intelligence Group (GTIG) has identified a new, modular malware suite developed by ColdRiver—also tracked as Star Blizzard, Callisto, and UNC4057—that replaces the group’s previous toolset known as LostKeys. According to GTIG’s October 20 report, the new malware cluster marks the group’s most assertive campaign to date and underscores a rapid escalation in both development speed and operational sophistication.
From Credential Phishing to Persistent Backdoors
Active since at least 2017, ColdRiver has historically focused on credential-harvesting campaigns targeting NGOs, former military and intelligence officials, and political entities connected to NATO. The group’s operations have previously drawn condemnation from the UK’s National Cyber Security Centre for attempts to interfere in domestic politics and democratic processes.
But Google’s latest findings suggest ColdRiver has evolved from phishing for passwords to deploying a layered malware chain capable of deep system compromise and long-term persistence.
The new toolkit—internally codenamed NoRobot, YesRobot, and MaybeRobot—uses a “ClickFix-style” phishing lure. Targets are shown a fake CAPTCHA page prompting them to download a file supposedly needed to verify they’re “not a robot.” The file, in reality, is a malicious DLL executed through rundll32.exe with an export function named humanCheck—a deceptive detail meant to reinforce the CAPTCHA illusion.
Inside the “Robot” Malware Family
NoRobot serves as the initial loader, fetching and decrypting additional components using a split-key cryptography method that hides pieces of the decryption key across the Windows Registry and downloaded files. Once assembled, it retrieves a self-extracting Python 3.8 installer and encrypted Python scripts that launch the second-stage backdoor, YesRobot.
GTIG found that YesRobot maintained HTTPS communications with hardcoded command-and-control servers but was quickly abandoned—likely because the Python runtime made it easier to detect.
By June 2025, ColdRiver had shifted to MaybeRobot, a leaner PowerShell-based backdoor that executes remote commands, downloads payloads, and persists through user login scripts. Unlike earlier tools, MaybeRobot’s flexible protocol allows operators to issue dynamic instructions while minimizing forensic footprints.
Rapid Iteration and Adaptive Tradecraft
Between June and September 2025, GTIG observed ColdRiver alternating between simple and complex NoRobot infection chains, rotating filenames, export functions, and domains to hinder analysis. This constant churn, researchers say, reflects an unusually high tempo of iteration—an effort to stay ahead of defenders and rebuild after public disclosures.
The campaign aligns with reporting from Zscaler, which tracks the same malware families under the aliases BaitSwitch and SimpleFix. The takeaway: ColdRiver isn’t just evolving—it’s operationalizing that evolution in real time.
Experts: ColdRiver Weaponizing the CAPTCHA Symbol
Mayank Kumar, Founding AI Engineer at DeepTempo, said the group’s latest tactics represent a disturbing twist on one of the internet’s most familiar trust signals:
“The ‘I am not a robot’ CAPTCHA has been a long-standing symbol of web security—however now it’s being weaponized in a new campaign by the Russian state-sponsored threat actor Star Blizzard. Also known as ColdRiver and Callisto, the group succeeds by deploying their deceptive CAPTCHA challenges as a lure to deploy advanced malware. Then this attack vector delivers two new variants, NOROBOT and MAYBEROBOT, designed for remote command execution, secondary payload delivery, and data exfiltration.”
Kumar added that the group’s agility poses a serious challenge for defenders:
“The actor demonstrated rapid adaptation, abandoning its ‘LostKeys’ malware less than a week after public disclosure and pivoting immediately to the more aggressive ‘Robot’ toolset. This behavior shows clear markings of a calculated strategy to re-engage previously compromised individuals, utilizing stealthier methods to extract further intelligence.”
The Bigger Picture: Escalation, Not Experimentation
GTIG analysts emphasize that ColdRiver’s shift from credential theft to modular backdoors represents a strategic pivot—one that mirrors Russia-linked groups’ broader move toward persistent espionage infrastructure rather than one-off access campaigns.
By weaponizing trust cues like CAPTCHA pages, ColdRiver blurs the boundary between social engineering and technical compromise, exploiting human reflexes as much as software vulnerabilities.
How to Defend Against “Robot” Campaigns
Security experts recommend a multi-layered defense strategy:
- Train employees to spot fake “verify you’re human” prompts that request downloads.
- Monitor rundll32.exe activity, especially DLLs exporting functions like humanCheck.
- Audit login scripts and scheduled tasks for signs of persistence via PowerShell.
- Enable behavioral detection, not just signature-based scanning, to catch dynamic C2 activity.
- Continuously track threat intelligence feeds for new indicators of compromise linked to NoRobot and MaybeRobot infrastructure.
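As an added example (not code from the article or from GTIG's report), the following Python scores rundll32.exe process-creation events against the pattern described above: a DLL launched from a user-writable directory and, weighted more heavily, the humanCheck export name. The events, field names and scoring weights are constructed assumptions for illustration; because the article notes that export names and filenames rotate, the path rule still fires when the export name is unknown.

```python
import re
from dataclasses import dataclass, field

# Constructed sample events in a Sysmon Event ID 1 (process creation) style; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Users\alice\Downloads\verify.dll",humanCheck'},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\stage.dll,RunStage"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},  # benign built-in usage
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

# rundll32 syntax is "<dll>,<export> [args]"; the DLL path may be quoted.
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>[A-Za-z_][\w@#]*)',
    re.IGNORECASE,
)
# Directories an ordinary user can write to (assumed list; extend for your environment).
USER_WRITABLE = re.compile(r"\\(?:Users|ProgramData|Temp)\\", re.IGNORECASE)
# Export name reported for the NoRobot lure; compared case-insensitively.
KNOWN_EXPORTS = {"humancheck"}
ALERT_THRESHOLD = 2  # assumed: any single rule is enough to raise a finding


@dataclass
class Finding:
    command_line: str
    dll: str
    export: str
    score: int = 0
    reasons: list = field(default_factory=list)


def analyze_event(event):
    """Return a Finding for a suspicious rundll32 launch, or None."""
    if not event.get("Image", "").lower().endswith("rundll32.exe"):
        return None
    m = RUNDLL_RE.search(event.get("CommandLine", ""))
    if not m:
        return None
    f = Finding(event["CommandLine"], m.group("dll"), m.group("export"))
    if USER_WRITABLE.search(f.dll):
        f.score += 2
        f.reasons.append("DLL loaded from a user-writable path")
    if f.export.lower() in KNOWN_EXPORTS:
        f.score += 3
        f.reasons.append(f"export '{f.export}' matches the reported CAPTCHA lure")
    return f if f.score >= ALERT_THRESHOLD else None


def scan(events):
    """Score every event and return only those that cross the alert threshold."""
    return [f for f in (analyze_event(e) for e in events) if f is not None]
```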
The Bottom Line
ColdRiver’s “Robot” campaign is more than a clever ruse—it’s a sign that state-aligned hackers are adapting their tactics at machine speed. By repurposing web-security rituals as attack vectors, the group shows that even the most ordinary browser interactions can become instruments of espionage.
As Kumar warned, a “proactive defense posture is essential—maintained through continuous monitoring of threat intelligence for the latest indicators of compromise, techniques, and procedures.”
In other words: being human, not a robot, may no longer be enough.