The Russian state-backed hacking group Star Blizzard (also known as ColdRiver and Callisto) has dramatically escalated its espionage operations. The group abandoned its older LostKeys malware shortly after researchers exposed it, replacing it with new, constantly evolving malware families, including NoRobot and MaybeRobot, deployed through complex, multi-stage "ClickFix" social engineering attacks.
Rapid Retooling and New Malware
Google Threat Intelligence Group (GTIG) researchers noted that only five days after they publicly disclosed the details of the LostKeys espionage malware, Star Blizzard completely discarded it. The group then began aggressively deploying its new generation of malicious tools, collectively referred to as the "*Robot" families (NoRobot, YesRobot and MaybeRobot).
The retooling began with NoRobot, a malicious DLL delivered using "ClickFix" social engineering. This technique uses fake CAPTCHA pages to trick targets into executing a command, presented as an "I am not a robot" verification step, that launches the malicious DLL via rundll32.
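A defender-side heuristic for the launch pattern described above, added here as an example that is not part of the article or of GTIG's reporting: it flags rundll32 started from an interactive shell with a DLL under the user's profile. The field names (image, parent_image, command_line) and the sample events are assumptions constructed for this demo, not telemetry from the article.

```python
# Added example (not from the article or GTIG): a small heuristic over
# constructed process-creation events that flags the rundll32-based
# "ClickFix" launch shape the article describes. Field names and the
# sample events below are assumptions constructed for this demo.
import re
from typing import Dict, List

# User-writable locations where a socially engineered DLL typically lands.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads|desktop)\\", re.I)
# Interactive parents: the user, not an installer or a service, launched it.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def is_suspicious_rundll32(event: Dict[str, str]) -> bool:
    """True when rundll32 is launched from an interactive shell with a DLL
    that lives under the user's profile: the shape of a ClickFix launch."""
    if _basename(event.get("image", "")) != "rundll32.exe":
        return False
    if _basename(event.get("parent_image", "")) not in INTERACTIVE_PARENTS:
        return False
    return bool(USER_WRITABLE.search(event.get("command_line", "")))


def triage(events: List[Dict[str, str]]) -> List[str]:
    """Return the command lines of all events matching the heuristic."""
    return [e["command_line"] for e in events if is_suspicious_rundll32(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\verify.dll,Entry"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"notepad.exe C:\Users\alice\Downloads\notes.txt"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("suspicious rundll32 launch:", hit)
```

Only the first constructed event matches; the system rundll32 invocation from svchost and the benign notepad launch are ignored.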
Evolving Delivery and Payloads
GTIG reports that NoRobot has been under constant development for months. It initially gained persistence through registry modifications and scheduled tasks, then downloaded a full Python 3.8 installation to deliver the Python-based YesRobot backdoor. However, this Python backdoor's usage was short-lived, likely because the Python installation was too obvious an artifact.
Star Blizzard quickly switched to a PowerShell script called MaybeRobot (identified by Zscaler as SIMPLEFIX). Since early June, a simplified version of NoRobot has been delivering MaybeRobot, which supports three main commands: downloading and executing payloads, executing commands via the command prompt, and executing arbitrary PowerShell blocks.
In a recent refinement, the hackers have shifted to an even more complex delivery chain that splits cryptographic keys across multiple components. Decrypting the final payload requires combining all the pieces correctly, making it far more difficult for security researchers to reconstruct the full infection chain. This complexity is designed to evade anti-malware systems.
GTIG analysts believe the shift to "ClickFix" attacks may be aimed at targets previously compromised through phishing, allowing the hackers to acquire direct, additional intelligence from the information on their devices. Operations involving these new Robot malware families were observed between June and September, reinforcing that the Russian intelligence service-attributed group remains an active and evolving threat despite past disruptions and sanctions.