Unmasking Malware NOROBOT, YESROBOT, and MAYBEROBOT by COLDRIVER.pptx

VarinderKumar798484 5 views 19 slides Nov 02, 2025

About This Presentation

A presentation on COLDRIVER malware and its variants.


Slide Content

State-Sponsored Malware Surge - Unmasking NOROBOT, YESROBOT, and MAYBEROBOT by COLDRIVER
Varinder Kumar @Cyber24x7 www.thegeektoolbox.com

Contents
1. Malware Breakdown: NOROBOT, YESROBOT, MAYBEROBOT
2. Origin & Evolution
3. Indicators of Compromise (IOCs)
4. Defense-in-Depth Strategy
5. Final Thoughts

01 Malware Breakdown: NOROBOT, YESROBOT, MAYBEROBOT

NOROBOT
Deployment Stage: First-stage
Functionality: Initial loader; fingerprinting; sandbox evasion
Stealth: Mostly remains undetected and adds or injects executable commands
Target Profile: NGO staff; policy advisors; decision makers

YESROBOT
Deployment Stage: Second-stage
Functionality: Credential harvesting; browser data exfiltration
Target Profile: Dissidents; journalists

MAYBEROBOT
Deployment Stage: Third-stage
Functionality: Persistence; lateral movement; encrypted C2
Target Profile: High-value targets with privileged access

02 Origin & Evolution

Timeline: Emerged just five days after the public disclosure of COLDRIVER’s previous tool, LOSTKEYS.
Development Characteristics: High operational tempo; premeditated development
Emergence: Abandonment of LOSTKEYS; opted for the more modular and evasive ROBOT suite

03 Indicators of Compromise (IOCs)

NOROBOT IOCs
01 Registry Key: HKCU\Software\NOROBOT\Init
02 File Hash: a9f3c1d2...
03 C2 Domain: norobot-checkin[.]ru

YESROBOT IOCs
File Path: %AppData%\Roaming\yesrobot.exe
TLS Fingerprint: JA3 hash 771,4865,23-24-25
C2 IP: 185.234.219.101

MAYBEROBOT IOCs
Encrypted Traffic: mayberobot[.]su
Scheduled Task: mayberobot_persist
DLL Sideloading: via winlogon.exe

04 Defense-in-Depth Strategy

Prevention
Email Filtering & MFA: Block spear-phishing vectors; enforce multi-factor authentication
Application Whitelisting: Prevent execution of unauthorized binaries
Patch Management: Regularly update OS and third-party software to close known vulnerabilities

Detection
Behavioral Analytics: Monitor for unusual registry edits, DLL sideloading, and encrypted outbound traffic
Endpoint Detection & Response (EDR): Flag sandbox evasion and credential scraping behaviors
Threat Intelligence Feeds: Integrate IOCs into SIEM platforms

Remediation
Isolate & Reimage: Quarantine infected endpoints; perform clean OS reinstalls
IOC Sweeps: Use YARA rules and IOC lists to scan across infrastructure
Incident Response Playbooks: Tailor response plans for multi-stage malware scenarios
Build Defense in Depth – with multiple layers of defenses for your assets
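The IOC slides (section 03) list one indicator per telemetry type, and the Detection and Remediation slides ask for those indicators to be fed into a SIEM and swept across infrastructure. The following Python script is an added example, not code from the presentation or its author: it loads the slide's IOC values, normalises them (refanging "[.]", comparing only the path tail after the %AppData% variable, treating the elided hash "a9f3c1d2..." as a low-confidence prefix), and runs them over a handful of constructed telemetry lines in a hypothetical key=value format. The sideloading check (winlogon.exe loading a DLL from outside the Windows directory) is an assumption added here to make "DLL sideloading via winlogon.exe" testable; the slide itself gives no such rule.

```python
import re

# IOC values transcribed from the slides. The file hash is elided on the slide
# ("a9f3c1d2..."), so only the visible prefix is kept and treated as
# low-confidence prefix evidence rather than an exact-hash match.
IOCS = {
    "NOROBOT": {
        "registry_key": r"HKCU\Software\NOROBOT\Init",
        "file_hash_prefix": "a9f3c1d2",
        "c2_domain": "norobot-checkin[.]ru",
    },
    "YESROBOT": {
        "file_path": r"%AppData%\Roaming\yesrobot.exe",
        "ja3": "771,4865,23-24-25",
        "c2_ip": "185.234.219.101",
    },
    "MAYBEROBOT": {
        "c2_domain": "mayberobot[.]su",
        "scheduled_task": "mayberobot_persist",
        "sideload_host": "winlogon.exe",
    },
}

# Constructed telemetry lines in a hypothetical key=value format (not real logs).
# The sha256 on the process line is a constructed placeholder whose prefix is the
# slide's visible characters; the DLL name "sample.dll" is also constructed.
SAMPLE_LOGS = [
    "2025-11-02T10:14:03Z host=ws-17 type=registry op=SetValue "
    r"key=HKCU\Software\NOROBOT\Init value=1",
    "2025-11-02T10:14:05Z host=ws-17 type=process "
    r"image=C:\Users\alice\AppData\Roaming\yesrobot.exe "
    "sha256=a9f3c1d2" + "0" * 56,
    "2025-11-02T10:14:09Z host=ws-17 type=dns query=norobot-checkin.ru",
    "2025-11-02T10:14:12Z host=ws-17 type=tls dst=185.234.219.101 ja3=771,4865,23-24-25",
    "2025-11-02T10:15:00Z host=ws-17 type=schtask name=mayberobot_persist action=create",
    "2025-11-02T10:15:20Z host=ws-17 type=imageload process=winlogon.exe "
    r"dll=C:\Users\alice\AppData\Roaming\sample.dll",
    "2025-11-02T10:15:30Z host=ws-22 type=dns query=www.example.com",
    "2025-11-02T10:16:00Z host=ws-22 type=imageload process=winlogon.exe "
    r"dll=C:\Windows\System32\sample.dll",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value telemetry line into a dict; the first token is the timestamp."""
    fields = dict(KV_RE.findall(line))
    fields["timestamp"] = line.split(" ", 1)[0]
    return fields


def refang(indicator):
    """Undo the '[.]' defanging used on the slides so the IOC compares equal to logged values."""
    return indicator.replace("[.]", ".")


def path_tail(path):
    """Return the last two path components, lower-cased, so '%AppData%\\...' can be
    compared with a fully expanded path from endpoint telemetry."""
    parts = path.replace("/", "\\").lower().split("\\")
    return "\\".join(parts[-2:])


# One matcher per IOC kind: which event type it applies to and how it compares.
MATCHERS = {
    "registry_key":     ("registry",  lambda ev, v: ev.get("key", "").lower() == v.lower()),
    "file_hash_prefix": ("process",   lambda ev, v: ev.get("sha256", "").lower().startswith(v)),
    "file_path":        ("process",   lambda ev, v: path_tail(ev.get("image", "")) == path_tail(v)),
    "c2_domain":        ("dns",       lambda ev, v: ev.get("query", "").lower() == refang(v)),
    "c2_ip":            ("tls",       lambda ev, v: ev.get("dst") == v),
    "ja3":              ("tls",       lambda ev, v: ev.get("ja3") == v),
    "scheduled_task":   ("schtask",   lambda ev, v: ev.get("name", "").lower() == v),
    # Assumed heuristic: the named host process loading a DLL from outside the
    # Windows directory. A DLL loaded from C:\Windows\ is treated as benign.
    "sideload_host":    ("imageload", lambda ev, v: ev.get("process", "").lower() == v
                                      and not ev.get("dll", "").lower().startswith("c:\\windows\\")),
}


def match_event(event):
    """Return a list of (family, ioc_name) hits for one parsed event."""
    hits = []
    for family, iocs in IOCS.items():
        for name, value in iocs.items():
            event_type, predicate = MATCHERS[name]
            if event.get("type") == event_type and predicate(event, value):
                hits.append((family, name))
    return hits


def sweep(lines):
    """Run every IOC over every line and return alert dicts shaped for a SIEM."""
    alerts = []
    for line in lines:
        event = parse_line(line)
        for family, name in match_event(event):
            alerts.append({
                "timestamp": event["timestamp"],
                "host": event.get("host"),
                "family": family,
                "ioc": name,
                "confidence": "low" if name == "file_hash_prefix" else "high",
            })
    return alerts


def hosts_by_family(alerts):
    """Group hit hosts per family so a responder sees which stage reached which host."""
    out = {}
    for alert in alerts:
        out.setdefault(alert["family"], set()).add(alert["host"])
    return out


if __name__ == "__main__":
    found = sweep(SAMPLE_LOGS)
    for alert in found:
        print(alert)
    print(hosts_by_family(found))
```

On the constructed lines the sweep raises eight alerts, all on ws-17, spanning all three families; ws-22 produces none because a plain lookup of www.example.com and winlogon.exe loading a DLL from System32 match nothing. The hash hit is labelled low confidence on purpose: a prefix of an elided hash is a lead for an analyst, not grounds to reimage a host.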

05 Final Thoughts

Proactive Measures
Proactive Threat Hunting: Essential to stay ahead of evolving threats
Cross-Sector Intelligence Sharing: Enhances collective defense capabilities
Resilient Security Operations: Critical for NGOs, policy institutions, and civil society groups to invest in robust cyber hygiene

Thanks
Varinder