To Be (A Robot) or Not to Be: New Malware Attributed to Russia State-Sponsored COLDRIVER
ID: 479df58c-d358-5fa3-ab91-b83e05254d13
STIX ID: report--479df58c-d358-5fa3-ab91-b83e05254d13
Feed Name: Threat Intelligence
GTIG observed COLDRIVER deploying a simplified NOROBOT downloader that establishes persistence via a logon script that fetches a heavily obfuscated PowerShell payload (MAYBEROBOT/SIMPLEFIX). MAYBEROBOT uses a hardcoded C2 and a small custom protocol to download and execute payloads, run cmd.exe commands, or execute PowerShell blocks. GTIG documents the malware’s evolution and the operational changes made to evade detection, and provides IOCs and YARA rules to aid defenders.