Russian State Hackers Deploy Evolving Malware via Fake CAPTCHA Schemes

The Russian state-backed hacking group Star Blizzard, also known as ColdRiver, has rapidly evolved its malware arsenal, deploying new families like NoRobot and MaybeRobot through sophisticated "ClickFix" social engineering attacks. These campaigns often begin with fake "I am not a robot" CAPTCHA pages that trick targets into executing malicious commands. The group abandoned its previous LostKeys malware just days after it was publicly documented by researchers, demonstrating a swift adaptation cycle.

The infection chain typically starts with the NoRobot malware, a DLL file that establishes persistence. Early versions of the chain then fetched a full Python installation in order to deploy a backdoor called YesRobot; the group soon shifted to a simpler PowerShell-based backdoor named MaybeRobot, which can download payloads, execute commands, and run arbitrary scripts. This backdoor communicates with a command-and-control server to report results and receive further instructions.

Google Threat Intelligence analysts note the group is continuously refining its tools for greater stealth, recently using a complex delivery chain that splits cryptographic keys across components to hinder analysis. These attacks, targeting Western governments, NGOs, and journalists for espionage, have been active from June through September. Despite previous disruptions and sanctions, ColdRiver remains a persistent and evolving cyber-espionage threat.
