COLDRIVER Evolves with New ROBOT Malware Family Post-Exposure

Cyber Security News by CyberSum.net

Published on October 22, 2025 at 03:00 AM

8 sources

Google’s Threat Intelligence Group (GTIG) has uncovered a significant evolution in the operations of COLDRIVER, a state-sponsored threat actor. Within five days of the public disclosure of its LOSTKEYS malware in May 2025, COLDRIVER deployed a new malware ecosystem called the ROBOT family, including NOROBOT, YESROBOT, and MAYBEROBOT. The infection chain begins with a COLDCOPY ClickFix lure disguised as a CAPTCHA test. NOROBOT, the first-stage malware, retrieves payloads from a hardcoded command-and-control server. YESROBOT, a Python-based backdoor, was quickly replaced by MAYBEROBOT, a PowerShell-based backdoor offering greater operational flexibility. GTIG observed multiple NOROBOT variants, highlighting COLDRIVER’s efforts to evade detection while targeting high-value entities.

Also Read

WordPress WooCommerce Sites Hit by Sophisticated Malware

The Wordfence Threat Intelligence Team has uncovered a highly sophisticated malware campaign targeting WordPress e-commerce sites using the WooCommerce plugin. The malware, disguised as a rogue plugin, employs advanced techniques such as custom encryption, fake images to hide payloads, and remote command access. It logs user credentials, establishes backdoors, and injects JavaScript skimmers into checkout pages to steal credit card data. The campaign is attributed to Magecart Group 12, known for persistent credit card skimming activities.

By Cyber Security News by CyberSum.netOctober 31, 2025 at 09:00 PM