Overview
- Google Threat Intelligence Group identified NOROBOT, YESROBOT, and MAYBEROBOT as a connected malware set that replaced LostKeys within days of its public exposure.
- The attacks begin with a ClickFix fake CAPTCHA lure, tracked as ColdCopy, that gets victims to execute a NOROBOT DLL via rundll32.exe, sidestepping script-monitoring defenses.
- YESROBOT, a minimal Python backdoor delivered by NOROBOT, was used for roughly two weeks before being dropped because installing Python 3.8 on Windows was too conspicuous.
- MAYBEROBOT has since become the stable follow-up implant, providing three core functions: downloading and running files, executing cmd.exe commands, and running PowerShell blocks.
- Researchers observed rapid, continual tweaks to NOROBOT—rotating infrastructure, alternating simple and complex chains, and split-key cryptography—with Zscaler corroborating the tools under BAITSWITCH and SIMPLEFIX, and Google publishing IoCs and YARA rules for defenders.
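The ClickFix-to-rundll32.exe step described above is the point where process-creation telemetry gives defenders a foothold. The following is an added detection example, not code from Google's or Zscaler's reports: it triages constructed Sysmon-style process-creation events and scores rundll32.exe launches whose DLL lives in a user-writable path, raising severity when the parent is explorer.exe (an assumption here: a command pasted into the Run dialog, as ClickFix lures request, is typically spawned by explorer.exe).

```python
import re

# Constructed sample events for illustration; paths and DLL names are invented.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\update.dll,Entry"},
    {"parent": r"C:\Windows\System32\svchost.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\a b\Downloads\x.dll",Run'},
    {"parent": r"C:\Windows\System32\svchost.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\ProgramData\cache.dll,Run"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Program Files\Foo\foo.exe",
     "cmdline": "foo.exe"},
]

# Locations a standard user can write to (hypothetical list; extend per environment).
USER_WRITABLE = re.compile(r"^[A-Z]:\\(Users\\[^\\]+\\|ProgramData\\|Windows\\Temp\\)", re.I)
# First argument after the rundll32 image: either a quoted path or an unquoted token up to a comma.
DLL_ARG = re.compile(r'^\s*(?:"[^"]*"|\S+)\s+(?:"(?P<q>[^"]+)"|(?P<u>[^\s,]+))')


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def dll_path_from_cmdline(cmdline):
    """Extract the DLL path passed to rundll32.exe, dropping a trailing ',Export' if quoted."""
    m = DLL_ARG.match(cmdline)
    if not m:
        return None
    path = m.group("q") or m.group("u")
    return path.split(",", 1)[0]


def flag_event(ev):
    """Return 'high', 'medium' or None for one process-creation event."""
    if basename(ev["image"]) != "rundll32.exe":
        return None
    dll = dll_path_from_cmdline(ev["cmdline"])
    if dll is None or not USER_WRITABLE.match(dll):
        return None  # system DLLs loaded by rundll32 are routine
    # Assumption: explorer.exe parent is consistent with a Run-dialog (ClickFix) launch.
    return "high" if basename(ev["parent"]) == "explorer.exe" else "medium"


def triage(events):
    """Return (severity, cmdline) pairs for matching events, highest severity first."""
    rank = {"high": 0, "medium": 1}
    hits = [(flag_event(e), e["cmdline"]) for e in events]
    return sorted([h for h in hits if h[0]], key=lambda h: rank[h[0]])
```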