Overview
- GTIG (Google Threat Intelligence Group) reports the group abandoned LOSTKEYS and began deploying the new ROBOT family five days after the prior malware was disclosed.
- Attacks now start with fake CAPTCHA pages that persuade targets to run a NOROBOT DLL via rundll32.exe to stage follow-on payloads.
- A short-lived Python backdoor dubbed YESROBOT appeared twice in late May before operators moved to MAYBEROBOT, a PowerShell implant with three commands for download-and-execute, cmd.exe invocation, and PowerShell execution.
- Researchers observed continuous NOROBOT iteration from June through September, including rotating infrastructure, changing artifact names, and split-key encryption with registry-stored components to frustrate detection and analysis.
- Google published indicators of compromise and YARA rules, noted overlap with Zscaler’s BAITSWITCH/SIMPLEFIX tracking, and said the operations align with long-running espionage attributed to a Russia-linked actor targeting high-value Western organizations.
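The initial-access step above, a lure page talking the user into running a dropped DLL through rundll32.exe, leaves a process-creation trail that is easy to hunt for independently of any specific hash. The following is an added example of that detection logic, written for this page rather than taken from the GTIG report or its published rules: it walks constructed Sysmon-style process-creation records (the field names, user names, DLL names and paths are all made up for the example and are not indicators from the report) and flags rundll32.exe launches whose module is loaded from a user-writable location, rating a path under a user profile, Temp or ProgramData higher than any other non-system path. The severity thresholds and directory lists are assumptions to tune for your own environment.

```python
"""Flag rundll32.exe launches whose DLL comes from a user-writable location.

Added, illustrative detection logic (not taken from the GTIG report or its
YARA rules). It inspects constructed Sysmon Event ID 1 style records and
flags the pattern described on the page: a DLL dropped by a fake-CAPTCHA
lure being executed through rundll32.exe.
"""
import re
from typing import Dict, Iterable, List, Optional

# Constructed process-creation records; every path, user and DLL name here
# is made up for the example and is not an indicator of compromise.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\Downloads\captcha_verify.dll,Start"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'rundll32 "C:\Users\alice\AppData\Local\Temp\chk.dll",Run 1'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe D:\tools\helper.dll,Init"},
]

# First argument after the rundll32 token: a quoted string or a run of non-space chars.
RUNDLL32_ARG = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)

# Assumed directory lists; adjust to the environment being monitored.
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                    "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\",
                         "\\appdata\\", "\\downloads\\")


def extract_dll(command_line: str) -> Optional[str]:
    """Return the module rundll32 was asked to load, or None for a non-rundll32 command line."""
    m = RUNDLL32_ARG.match(command_line)
    if not m:
        return None
    arg = m.group(1) if m.group(1) is not None else m.group(2)
    # rundll32 syntax is <dll>,<EntryPoint> [args]; keep only the module part.
    return arg.split(",", 1)[0]


def classify_dll_location(dll_path: str) -> Optional[str]:
    """'high' for a user-writable path, 'medium' for any other non-system absolute path,
    None for a system directory or a bare module name resolved from the system search path."""
    p = dll_path.lower()
    if "\\" not in p:
        return None  # e.g. shell32.dll with no directory component
    if any(marker in p for marker in USER_WRITABLE_MARKERS):
        return "high"
    if any(p.startswith(prefix) for prefix in TRUSTED_PREFIXES):
        return None
    return "medium"


def assess_event(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return an alert record for a suspicious rundll32 launch, else None."""
    image = event.get("Image", "").lower()
    if not image.endswith("\\rundll32.exe"):
        return None
    dll = extract_dll(event.get("CommandLine", ""))
    if dll is None:
        return None
    severity = classify_dll_location(dll)
    if severity is None:
        return None
    return {"severity": severity, "dll": dll, "parent": event.get("ParentImage", "")}


def scan(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run assess_event over every record and keep only the alerts."""
    return [alert for alert in (assess_event(e) for e in events) if alert is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] rundll32 loaded {alert['dll']} (parent: {alert['parent']})")
```

Run against the constructed records, the two DLLs under the user profile are rated high and the one on a secondary drive medium, while the stock shell32.dll call and the unrelated notepad launch produce nothing. Pairing this with the parent process (a shell or Explorer rather than an installer) and with the report's published YARA rules and IoCs narrows the result set further.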