YESROBOT
YESROBOT is a Python-based backdoor in COLDRIVER’s (also tracked as Star Blizzard, UNC4057, and Callisto) ROBOT malware suite. Google Threat Intelligence Group described it as an initial, minimal, and cumbersome backdoor that the actor quickly abandoned in favor of MAYBEROBOT. It was observed as part of a multi-stage intrusion chain delivered via fake CAPTCHA / ClickFix-style lures, where an HTML lure led to deployment of the NOROBOT downloader, which then staged YESROBOT as the next payload. Early versions of the chain reportedly downloaded a full Python 3.8 installation onto the victim host to support YESROBOT execution, and GTIG assessed this requirement was a noisy artifact that likely contributed to its short lifespan. YESROBOT uses HTTPS to retrieve commands from a hard-coded command-and-control server and was described as requiring commands to be valid Python. Reported capabilities include downloading and executing files and retrieving documents of interest from compromised systems. GTIG observed only two instances of YESROBOT deployment over a roughly two-week period in late May 2025 before COLDRIVER shifted to the more flexible and extensible PowerShell-based MAYBEROBOT. The broader activity was attributed to Russian state-sponsored espionage operations targeting high-value victims, including policy, NGO, academic, government, think tank, media, dissident, and related sectors.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
YESROBOT: An initial, cumbersome Python backdoor that the group quickly abandoned.
Techniques & procedures
5 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique"Typically, the threat group deploys malware in phishing attacks..."
Execution
2 techniquesStealth
1 technique"...complex delivery chain that splits cryptographic keys across multiple components. Decrypting the final payload depended on combining the pieces correctly..."
Command and Control
1 technique"download and execute payloads from a specified URL" and "initially retrieved a full Python 3.8 installation for Windows"
Recent activity
6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Minimal Python backdoor where operator commands must be valid Python, making common tasks (download/retrieve files) more cumbersome; part of ColdRiver’s updated toolset delivered via fake CAPTCHA/ClickFix chains.
Minimal Python backdoor that uses HTTPS to a hard-coded C2 to retrieve commands; supports downloading/executing files and retrieving documents of interest.
Short-lived Python-based backdoor stage associated with NOROBOT; required dropping a full Python 3.8 runtime on Windows, which was assessed as too noisy/obvious and subsequently replaced by MAYBEROBOT.
Backdoor payload installed after NOROBOT; later replaced by a more advanced variant (MAYBEROBOT).
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.