Russian Hackers Spread Malware with Fake 'I'm Not a Robot' Captchas

Written by Zoilijee Quero | Oct 22, 2025 9:26:39 PM

At TecnetOne, we’re always on top of the latest cyber threats—and one that’s caught our attention in recent weeks is the evolving activity of the hacker group Star Blizzard, backed by the Russian state.

This group has ramped up its operations with constantly shifting malware families like NoRobot and MaybeRobot, integrated into complex attack chains that start with ClickFix-style social engineering campaigns designed to trick users from the very first click.

Also known as ColdRiver, UNC4057, or Callisto, Star Blizzard stopped using the LostKeys malware less than a week after a technical analysis of it was published and quickly shifted to deploying tools from the Robot family with more aggression than ever.

According to a May report from Google’s Threat Intelligence Group (GTIG), LostKeys was used in targeted attacks against Western governments, journalists, think tanks, and NGOs. All signs point to Star Blizzard continuing to refine its tactics to compromise high-profile targets using increasingly sophisticated methods.

Beware of Fake Captchas: This Is How the NOROBOT Malware Gets In

LostKeys, the malware the group had been using, had a clear objective: cyber espionage. It was designed to steal specific data, searching for files based on a predefined list of extensions and folders that told it exactly what to exfiltrate from the infected system.

However, after GTIG researchers published their technical analysis of LostKeys, the ColdRiver group abandoned that tool entirely. Within a week, they were already deploying new malware variants, among them NOROBOT, YESROBOT, and MAYBEROBOT, demonstrating how quickly the group adapts.

According to GTIG experts, the shift began with NOROBOT, a malicious DLL delivered via ClickFix-style attacks. These attacks led victims to fake webpages featuring “I’m not a robot”-style CAPTCHAs that seemed harmless but actually tricked users into manually executing the malware.

The trick was to make the victim believe they needed to complete a CAPTCHA verification to access content or proceed with a process. By clicking, they unknowingly triggered a rundll32 command that launched the malicious NOROBOT DLL as if it were part of a legitimate validation process.

This type of tactic shows how cybercriminals are refining their methods—combining social engineering, visual deception, and manual execution to bypass traditional defenses.

ClickFix page used to deliver NOROBOT (Source: Google)

The Evolution of NOROBOT: Persistence, Backdoors, and Rapid Changes

The NOROBOT malware evolved actively from May through September, according to Google's reports. During that time, researchers analyzed it together with its payload: a backdoor designed to provide remote access to the compromised system.

One of NOROBOT’s early tactics for ensuring persistence was modifying the Windows registry and creating scheduled tasks, allowing it to remain active even after system reboots or shutdowns.

In its initial versions, NOROBOT downloaded and installed a full copy of Python 3.8 for Windows. The goal? To lay the groundwork for executing another backdoor—this one written in Python—known as YESROBOT.

However, this strategy didn’t last long. Experts believe that the visible installation of Python was too conspicuous to go unnoticed, prompting the group behind the malware to quickly pivot.

They abandoned YESROBOT and replaced it with a stealthier backdoor: a PowerShell script identified as MAYBEROBOT. This variant is lighter, harder to detect, and doesn’t require additional software to be installed on the system, making it a much quieter and more effective option for maintaining access without raising suspicion.

Since early June, a much more streamlined version of NOROBOT has been detected, with the primary goal of deploying MAYBEROBOT—a lightweight yet functional backdoor capable of performing three key actions:

  1. Downloading and executing files from a specific URL

  2. Launching commands directly from the command prompt

  3. Running custom blocks of PowerShell code

Once its task is complete, MAYBEROBOT sends the results to several command-and-control (C2) servers. This allows the ColdRiver group to confirm whether the operation succeeded and if access was successfully established inside the victim’s system.

This lighter version aims to remain under the radar while still effectively maintaining remote control without triggering many security alerts.

Current ColdRiver Attack Chain (Source: Google)

ColdRiver Refines Its Malware: From Complex to Stealthy

According to Google, the development of MAYBEROBOT appears to have stabilized, and now the threat group's efforts are more focused on making NOROBOT quieter, more efficient, and much harder to detect.

Researchers have observed an interesting evolution in the group’s strategy: they moved from using complex payloads to simpler versions—and then back to a more sophisticated structure. In this latest approach, the malware is delivered through a more elaborate infection chain, where cryptographic keys are split into multiple fragments. Decrypting the final payload is only possible if all the pieces are downloaded correctly and assembled in the exact order.

According to Google’s Threat Intelligence Group (GTIG), this was likely done to complicate forensic analysis and prevent researchers from easily reconstructing the full attack chain. If even one component is missing, the malware fails to execute properly—protecting the attackers from potential exposure.

Between June and September, multiple attacks were documented in which ColdRiver delivered NOROBOT and its malicious payloads to specific targets, including government organizations, research groups, and other high-value entities.

Why Use ClickFix-Style Attacks?

ColdRiver typically deploys its malware through carefully targeted phishing campaigns. However, one aspect that still puzzles researchers is why they’re using ClickFix-style attacks, which employ fake “I’m not a robot” captchas to deceive users.

One possible explanation is that these new methods are being used on victims whose devices were already compromised through earlier phishing attacks. If the attackers have already stolen credentials and emails, they could be redirecting those same victims to new attacks to extract even more information—directly from their local devices.

How to Protect Yourself from NOROBOT, MAYBEROBOT, and ClickFix-Style Attacks

At TecnetOne, we recommend following these best practices to protect yourself from threats like NOROBOT, MAYBEROBOT, and other advanced social engineering-based attacks:

  1. Be wary of captchas that download files: A legitimate CAPTCHA should never trigger a download. If it does, close the page immediately.

  2. Keep your system and software up to date: Make sure your operating system, browser, antivirus, and any other critical tools are always current. Many attacks exploit known vulnerabilities.

  3. Use security solutions with behavior-based detection: Technologies like EDR (Endpoint Detection and Response) can detect new threats that traditional antivirus tools might miss.

  4. Avoid clicking on suspicious or unexpected links: Always verify emails, senders, and links before clicking—especially if you weren’t expecting them.

  5. Train your team or environment in basic cybersecurity: Most successful attacks start with human error. Phishing awareness and digital hygiene training are essential.

  6. Limit access and apply the principle of least privilege: Only grant users the permissions they truly need. If a breach occurs, this helps reduce the impact.

  7. Monitor PowerShell and rundll32 usage: These legitimate Windows tools are often exploited by attackers. Unusual activity should be investigated.

  8. Back up your data regularly and store it offline: An up-to-date, offline backup can be a lifesaver in the event of infection or data loss.
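As an added example (not code from the article or from Google's report), here is a small Python heuristic that flags the process patterns the list above tells defenders to watch for: rundll32 loading a DLL from a user-writable path, PowerShell launched with the switches a download-and-run stager typically needs, and scheduled-task or Run-key persistence pointing at a user-writable file. The sample events, file paths, and rule names are constructed for illustration.

```python
import re

# Paths a standard user can write to. A signed OS binary loading code from
# here, or persistence pointing here, is a heuristic signal, not proof.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\(?:AppData|Downloads)|Temp|ProgramData)\\", re.I)

# rundll32 loading a DLL: capture the DLL path so it can be location-checked.
RUNDLL32 = re.compile(r"rundll32(?:\.exe)?\s+\"?([^\s,\"]+\.dll)", re.I)
# Switches and cmdlets a PowerShell download-and-run stager usually needs.
PS_CRADLE = re.compile(
    r"powershell(?:\.exe)?.*?(?:-e(?:c|nc|ncodedcommand)?\b|-w(?:indowstyle)?\s+hidden"
    r"|downloadstring|invoke-expression|\biex\b)", re.I)
# Scheduled-task creation or a write to the CurrentVersion\Run key.
PERSIST = re.compile(
    r"(?:schtasks(?:\.exe)?\s+/create|reg(?:\.exe)?\s+add\s+\S*\\CurrentVersion\\Run\b)", re.I)

def classify(cmdline: str) -> list[str]:
    """Return the names of the heuristics a process command line trips."""
    hits = []
    m = RUNDLL32.search(cmdline)
    if m and USER_WRITABLE.search(m.group(1)):
        hits.append("rundll32_user_writable_dll")
    if PS_CRADLE.search(cmdline):
        hits.append("powershell_download_cradle")
    if PERSIST.search(cmdline) and USER_WRITABLE.search(cmdline):
        hits.append("persistence_user_writable_payload")
    return hits

# Constructed process-creation events in a Sysmon-like shape; not telemetry
# from the campaign. The -enc value is a harmless placeholder ("ABC").
SAMPLE_EVENTS = [
    {"parent": "explorer.exe",
     "cmdline": r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\verify.dll",Check'},
    {"parent": "services.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"parent": "rundll32.exe",
     "cmdline": r"powershell.exe -w hidden -enc QQBCAEMA"},
    {"parent": "powershell.exe",
     "cmdline": r'reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run'
                r' /v Upd /d "C:\Users\alice\AppData\Roaming\task.ps1"'},
    {"parent": "svchost.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Program Files\Backup\nightly.ps1"},
]

if __name__ == "__main__":
    for i, event in enumerate(SAMPLE_EVENTS):
        print(i, event["parent"], classify(event["cmdline"]) or "clean")
```

Tune the path list and the PowerShell switch set to your environment before wiring this into an alerting pipeline; the point is the parent-to-child chain and payload location, not the exact strings.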

At TecnetOne, we believe a strong defense starts with prevention and awareness. Stay informed, apply these practices, and respond quickly to any signs of trouble. If you need advice or security support, we’re here to help.

Additionally, to support security teams in detecting and containing these threats, Google’s report includes a series of Indicators of Compromise (IoCs) and YARA rules. These tools can help identify malicious activity associated with NOROBOT, MAYBEROBOT, and other variants used in this campaign.