High-Scale SIEM Migration across 70TB/day and 4,000 detections
Threat Advisory: Desktop Hypervisor Threats
UltraViolet Cyber Acquires Black Duck’s Application Security Testing Services Business
UltraViolet Cyber Named to Inc. 5000 List of America’s Fastest-Growing Private Companies in 2025
Reports
Threat Advisory: F5 Networks Breach
F5 breach exposes BIG-IP source code and zero-days. See TIDE’s guidance for defending against downstream risk and supply chain compromise.
Read More
Reports
Threat Advisory: COLDRIVER
UltraViolet Cyber
October 24, 2025
Table of Contents
Executive Snapshot
COLDRIVER is a Russian state-linked espionage group that continues to evolve from credential theft into full-scale endpoint compromise using tailored phishing, PowerShell backdoors, and modular malware. Its operations target government, defense, research, and state policy networks across Western nations. UltraViolet Cyber (UltraViolet) Threat Intelligence and Detection Engineering (TIDE) Team suggests the following six action items to protect against this evolving threat:
- Enforce Multi-Factor Authentication (MFA): Protect all executive, administrative, and remote-access accounts with MFA to prevent credential reuse or phishing-based takeovers.
- Restrict PowerShell and Script Execution: Implement strict policies for PowerShell use, block unsigned scripts, and monitor for abnormal script execution on endpoints.
- Enhance Phishing Awareness for High-Risk Personnel: Conduct targeted training for executives, policy staff, and researchers most likely to be targeted through spear-phishing.
- Segment and Harden Networks: Isolate executive, research, and production systems to contain intrusions and prevent lateral movement once an endpoint is compromised.
- Apply Continuous Patching and Threat Intel Integration: Rapidly apply security updates and integrate UltraViolet TIDE Teams Threat Intelligence feeds to stay ahead of COLDRIVER’s evolving toolsets.
- Establish a Rapid APT Response Playbook: Maintain a well-rehearsed incident response plan specific to APT intrusions to minimize dwell time, contain breaches, and ensure swift recovery.
What UltraViolet Cyber is Doing
- Tracking state-sponsored, ideologically based, and financially driven globals Threat Actor Groups, their TTPs and IOCs, and understanding which industry verticals they target most often.
- Parsing available victim dump data for any social, financial, business, or technical relations to UltraViolet Clients and partner organizations.
- Aggregating threat intelligence from myriad sources and applying the most up-to-date knowledge to proactive threat hunting and response.
TIDE Team Analysis
COLDRIVER, also known as UNC4057, Star Blizzard, or Callisto, is a Russia-linked advanced persistent threat group that has conducted long-term espionage operations against Western governments, NGOs, and policy organizations. The group’s activities align closely with Russian state interests, particularly in intelligence collection and influence operations against NATO-aligned nations. While COLDRIVER has historically relied on credential theft and phishing, recent research from Google’s Threat Intelligence Group (GTIG) highlights the group’s expansion into more sophisticated malware-based operations using a growing set of custom-built tools.
Strategically, COLDRIVER operates in support of Russian intelligence priorities. Its targeting demonstrates an intent to infiltrate and monitor entities that influence political, defense, and policy decisions across Europe and North America. The group’s operations are not motivated by financial gain but by access to sensitive information, situational awareness, and influence over adversarial narratives. GTIG’s identification of three new malware families—NOROBOT, YESROBOT, and MAYBEROBOT—suggests a shift from purely credential-based theft toward sustained endpoint compromise and remote command execution. This change marks a maturation of the group’s operational capabilities and reflects broader geopolitical escalation tied to ongoing conflicts and sanctions environments.
COLDRIVER’s targeting methodology has remained consistent, focusing on individual accounts and high-value networks. The group frequently uses spear-phishing campaigns disguised as legitimate correspondence, often exploiting personal email accounts rather than corporate systems. Recently, these lures have been refined with deceptive user interface elements such as CAPTCHA prompts designed to trick users into executing malicious PowerShell or DLL commands; also known as ClickFix. The infection chain commonly begins with a malicious HTML file that downloads a DLL loader (NOROBOT), which in turn deploys additional payloads like YESROBOT and MAYBEROBOT. The introduction of modular PowerShell and Python-based backdoors shows an evolution toward persistence and stealth within infected systems.
The group’s tooling evolution illustrates deliberate adaptation to defensive countermeasures. Earlier campaigns employed a simple file-stealer called LOSTKEYS to exfiltrate documents and system data. In contrast, the latest implants use more advanced delivery chains and encryption methods, allowing flexible command execution and remote control. NOROBOT acts as a loader for follow-on payloads, YESROBOT serves as a lightweight backdoor for limited data retrieval, and MAYBEROBOT functions as a full-featured PowerShell backdoor capable of executing arbitrary commands and retrieving additional payloads. The transition from simple stealers to multi-stage implants represents a notable increase in operational sophistication and intent.
Recent analysis by GTIG shows that COLDRIVER’s operations are highly selective rather than large-scale, indicating that their focus is on quality of compromise rather than breadth. The group’s infection chains leave discernible artifacts, such as rundll32-based DLL execution and temporary Python installations, yet these artifacts are often short-lived due to the rapid rotation of malware variants. This adaptability, combined with the use of encrypted communications and dynamic command-and-control infrastructure, makes detection and attribution more challenging. The operational tempo, indicated by the quick replacement of exposed tools, underscores an active and well-supported threat actor maintaining agility under pressure.
For enterprises and government-linked organizations, the risk presented by COLDRIVER lies in its focus on human-driven access points and supply chain infiltration. Executives, researchers, and policy personnel are at heightened risk due to the group’s preference for targeting personal communications outside corporate security boundaries. This creates a novel challenge where traditional enterprise defenses may not suffice. Organizations must focus on advanced detection methods such as behavioral analytics, endpoint monitoring capable of identifying PowerShell and rundll32 misuse, and comprehensive phishing awareness programs designed for senior leadership and staff with privileged information access.
At a strategic level, COLDRIVER’s recent escalation signals a trend among state-sponsored groups toward blending espionage with low-visibility intrusion tactics. By deploying modular, rapidly updated malware families, they maintain persistence across environments that previously could only be exploited through credential theft. This evolution mirrors broader global patterns in cyber-espionage, where advanced actors emphasize stealth, modularity, and continuous adaptation over overt destructive activity. The growing use of living-off-the-land techniques and custom tooling demonstrates an intent to operate below traditional detection thresholds while still achieving strategic collection goals.
Security leadership should treat COLDRIVER as a persistent and evolving intelligence threat. GTIG’s findings show that the group is moving quickly to close capability gaps, making continuous visibility, adaptive detection, and rapid incident response critical. Organizations are encouraged to prioritize high-value identity protection, enhance EDR coverage for PowerShell and DLL execution anomalies, conduct proactive threat hunting, and strengthen security awareness among personnel most likely to be targeted. By assuming that advanced actors like COLDRIVER are already probing their networks and individuals, enterprises can shift from reactive defense toward an anticipatory posture, reducing both exposure and dwell time in future espionage campaigns.
Why It Matters
State-sponsored threat groups matter because they represent some of the most capable, persistent, and well-funded adversaries in the cyber domain. These actors operate under the direction or influence of national governments, using cyber operations to achieve strategic goals that extend far beyond financial gain. Their missions often focus on espionage, disruption, and influence, targeting organizations that hold political, economic, or technological value. Unlike criminal groups motivated by profit, state-aligned actors view network compromise as an extension of geopolitical power, where data theft and infrastructure infiltration become instruments of statecraft.
These threats also highlight the blurred boundary between government and private sector targets. State-sponsored actors frequently target private companies, research institutions, and critical infrastructure operators that play indirect but vital roles in national security. Supply chain infiltration, intellectual property theft, and manipulation of trusted communication channels have become common tools of influence and control. Organizations that may not consider themselves strategic assets—such as NGOs, policy institutes, or academic networks—are often exploited as soft targets for intelligence gathering or geopolitical leverage. Their compromise enables adversaries to shape narratives, forecast policy decisions, and undermine trust in global institutions.
Groups like COLDRIVER exemplify how state-directed adversaries adapt rapidly to defensive measures, continuously evolving their tradecraft and tooling to maintain access and evade detection. The lesson extends beyond any single actor: national-level cyber threats will continue to grow in both complexity and subtlety, exploiting human trust and technology’s interconnectedness. To defend against this class of adversary, organizations must shift from reactive cybersecurity toward intelligence-driven defense—where identity protection, behavioral analytics, and rapid incident response are treated as strategic imperatives rather than technical afterthoughts.
How to Respond
- Strictly adhere to CyberSecurity Fundamentals and ensure all personnel undergo annual phishing and social engineering training. Speak with your UltraViolet Cyber TAM Representative to schedule a live phishing engagement.
- Verify that email link and content validation services, such as Microsoft SafeLinks, are configured to finish screening links before allowing end users to proceed to the web content.
- Perform annual tech refresh reviews to gain a holistic understanding of your infrastructure. Speak with your UltraViolet Cyber TAM Representative to schedule a Red Team or Purple Team engagement to gain insight into the vulnerabilities in your environment.
What UltraViolet Cyber is Doing
- Tracking state-sponsored, ideologically based, and financially driven globals Threat Actor Groups, their TTPs and IOCs, and understanding which industry verticals they target most often.
- Parsing available victim dump data for any social, financial, business, or technical relations to UltraViolet Clients and partner organizations.
- Aggregating threat intelligence from myriad sources and applying the most up-to-date knowledge to proactive threat hunting and response.
ADDITIONAL INSIGHTS
READY TO GET STARTED?
We’re here to help. Get in touch for an initial conversation with one of our security experts and learn more about how UltraViolet Cyber can help you take cyber readiness and resilience to new levels.