A Russia-linked hacking group named ColdRiver has unleashed a new wave of cyberattacks using freshly developed malware designed to steal sensitive data from high-value targets. The campaign was recently exposed by Google’s Threat Intelligence Group (GTIG), which has been tracking the group’s evolving tactics over the years. ColdRiver, also known as “Callisto” or “Star Blizzard,” is believed to be operating in alignment with Russian intelligence interests.
According to Google researchers, the new malware is part of a sophisticated espionage toolkit that allows attackers to gather files, capture device information, and monitor ongoing system processes. This marks a shift from the group’s earlier approach, which relied mainly on phishing emails to steal login credentials. The new toolset gives ColdRiver direct access to a victim’s system, making its operations far more dangerous.
Earlier this year, GTIG identified an earlier ColdRiver tool, a piece of malware known as LOSTKEYS, which was used to exfiltrate files and spy on Western organizations. Once the tool was publicly exposed, the hackers quickly abandoned it and switched to an entirely new framework. This rapid evolution shows how adaptable and persistent the group has become.
The latest campaign features a new downloader named NOROBOT, which secretly installs a PowerShell-based backdoor called MAYBEROBOT. Once inside a target’s device, the malware can execute commands remotely, transfer data, and maintain long-term access for continuous surveillance. Security experts say this setup is part of a larger pattern of stealthy cyber-espionage.
Researchers revealed that the hackers often lure victims through fake websites that display convincing CAPTCHA pages or security verification prompts. When users interact with these pages, hidden commands are executed in the background, allowing the malware to slip silently into their systems. This type of “ClickFix” attack relies heavily on tricking users into trusting what appears to be a normal website.
ColdRiver’s main targets include government officials, NGOs, military veterans, and think tanks—especially those connected to NATO countries and Ukraine. The group focuses on gathering intelligence rather than financial gain, aligning its actions with long-term strategic goals. Google described these attacks as “highly selective” and aimed at espionage rather than disruption.
Experts warn that this new activity shows how ColdRiver is becoming more advanced in blending social engineering with custom-built malware. Its ability to rapidly shift tactics makes traditional defenses less effective. Each exposure leads the group to quickly replace its tools, ensuring it stays one step ahead of defenders.
Cybersecurity professionals recommend that users remain cautious with suspicious links, even those that appear legitimate. Organizations are urged to keep systems updated, monitor unusual network behavior, and educate staff about phishing and malicious downloads. As ColdRiver continues to adapt, awareness and preparedness remain the best defenses against its evolving cyber operations.
Stay alert, and keep your security measures updated!