Cyberwarfare / Nation-State Attacks
,
Fraud Management & Cybercrime
Russian Intel Hackers Flexible in Face of Detection
A Russian state-sponsored cyberespionage group known for targeting policymakers rapidly retooled its malware arsenal and repeatedly simplified then re-complicated its delivery chain to evade detection, according to new research published Monday.
See Also: OnDemand | North Korea’s Secret IT Army and How to Combat It
The hacking group Google’s Threat Intelligence Group tracks as Coldriver began phasing out a Python backdoor in favor of a leaner PowerShell variant dubbed Mayberobot following the public disclosure of its Lostkeys malware in May. Five days later, the group was already operationalizing new malware families and using them more aggressively than in previous campaigns, Google found.
The new toolkit uses fake Captcha pages to trick victims into manually launching a disguised program file, a technique known as “ClickFix.” It allows hackers to install malware in stages while concealing its core components across multiple downloads (see: ClickFix Attacks Increasingly Lead to Infostealer Infections).
Researchers said the rapid shift to this more deceptive delivery method, along with the use of cryptographic key-splitting, reflects a major shift in Coldriver’s tactics and shows how quickly the group can adapt to exposure and defensive countermeasures.
“The shift back to more complex delivery chains increases the difficulty of tracking their campaigns,” the researchers wrote. “This constant development highlights the group’s efforts to evade detection systems for their delivery mechanism for continued intelligence collection against high-value targets.”
U.S. and British authorities in late 2023 linked Coldriver to Russia’s Federal Security Service. Google in 2024 warned the group was shifting from credential-theft phishing to malware delivery. Google researchers reported at the time that the hackers were embedding malicious code into fake PDF documents and convincing targets to download a “decryption” utility that secretly installed a backdoor onto affected devices (see: Russian FSB Hackers Deploy New Lostkeys Malware).
Researchers say the toolkit splits encryption keys across multiple files and registers entries to hinder tracking and analysis.
Google said all identified malicious files and domains tied to the campaign have been added to its Safe Browsing database, and users targeted through Gmail or Workspace received government-backed attacker alerts.
“As Coldriver continues to develop and deploy this chain we believe that they will continue their aggressive deployment against high-value targets to achieve their intelligence collection requirements,” the researchers wrote.
