COLDRIVER’s Next Move
COLDRIVER went from LOSTKEYS to a full “ROBOT” chain and ClickFix tricks—then started poking linked-device flows. We put 75% on a truly new family or access vector within 12 months.
Executive Overview
Forecast Question
By 2026-10-21, will a top-tier source (Google TAG/GTI, Microsoft Threat Intelligence, UK NCSC, CISA, Zscaler, or Mandiant) publicly attribute to COLDRIVER (aka Star Blizzard/SEABORGIUM/UNC4057/Callisto) either: (A) a new custom malware family, or (B) a materially new initial-access vector, beyond those documented as of 2025-10-21?
Resolution
COLDRIVER is iterating fast. In 2025 alone, top vendors reported both new malware (NOROBOT/YESROBOT/MAYBEROBOT via ClickFix) and new initial-access vectors (WhatsApp/Signal linked-device abuse). Given retooling incentives after exposures and the low cost of adding lightweight backdoors or new social/account-abuse paths, there’s a 75% chance of at least one genuinely new malware family or initial-access vector within 12 months. Watch for fresh YARA/IOCs, distinct delivery chains, and new platform/auth-flow abuses from the listed sources.
AlphaHunt
Stop doomscrolling, start decisioning. We chewed through the muck so your team doesn’t have to. → Subscribe! • Forward to your on-call lead.
(Have feedback? Did something resonate with you? Did something annoy you? Just hit reply! :))
Forecast Card
Question
By 2026-10-21, will a top-tier source (Google TAG/GTI, Microsoft Threat Intelligence, UK NCSC, CISA, Zscaler, or Mandiant) publicly attribute to COLDRIVER (aka Star Blizzard/SEABORGIUM/UNC4057/Callisto) either: (A) a new custom malware family, or (B) a materially new initial-access vector, beyond those documented as of 2025-10-21?
Resolution
- Resolution Criteria: Yes if at least one listed source publishes a report within the horizon that:
- Attribution threshold: explicitly attributes to COLDRIVER/Star Blizzard (or mapped aliases) with moderate or higher confidence;
- “Custom malware family” = a distinct codebase not previously reported for COLDRIVER, evidenced by new C2 protocol and/or functionality with non-trivial code differences (e.g., new language/loader/backdoor) beyond recompile/rebrand/config-only changes. Non-qualifying examples: renamed/repacked binaries; C2/domain swaps; minor obfuscation; parameterization only; loader stubs with ≥70% code reuse.
- “Materially new initial-access vector” = a novel-to-COLDRIVER pathway class, such as abuse of a new platform or auth flow (e.g., linked-device/OAuth/device-code abuse, new mobile messenger, SaaS/OAuth consent), or a human-in-the-loop social-engineering method that changes the mechanism of account/device compromise. Non-qualifying examples: new lure themes; same email-credential-phish chain; minor “ClickFix” UI changes; phishing kit reskins.
- Exclusions: reports listing only iterations of LOSTKEYS, NOROBOT/YESROBOT/MAYBEROBOT, ClickFix, or WhatsApp/Signal linked-device abuse without a materially new mechanism.
- Sources must be among the list and publicly accessible.
- Horizon: 2026-10-21 (America/New_York)
- Probability (Now): 75% | Log-odds: 1.10
- Confidence in Inputs: Medium
- Base Rate: 50% from year-by-year tally (2022–2025): 2022 No; 2023 No; 2024 Yes (SPICA malware, TAG); 2025 Yes (new ROBOT chain; WhatsApp/Signal-linked-device vector) [see references]
AlphaHunt - Your CTI Co-Pilot
Analysts don’t need another dashboard — they need intelligence where they already work. AlphaHunt lives inside Slack, turning noise into signal, alerts into foresight, and questions into answers. Because the smartest teams don’t wait for incidents — they prevent them.
Ready to level up your intelligence game?
Top Drivers
- 2025 retooling pace: GTI documented rapid pivot from LOSTKEYS (May) to NOROBOT/YESROBOT/MAYBEROBOT (Oct); Zscaler independently reported BAITSWITCH/SIMPLEFIX chain.
- Expanded vectors: Microsoft (Jan 2025) on WhatsApp linked-device abuse; GTI (Feb 2025) on Signal linked-device campaigns.
- Defensive pressure: multi-vendor exposures and takedowns incentivize innovation to restore access.
- Low dev cost/high payoff: lightweight loaders/backdoors and social engineering enable frequent “new” families/vectors.
Scenarios
- New custom malware family publicly attributed: 40%
- Materially new initial-access vector (e.g., new OAuth/device-code flow, additional messenger platform) without new family: 30%
- Only incremental iterations of existing chains; no material novelty: 30%
Signals
▲ Within 90 days, any listed source publishes: (i) YARA/IOCs for a COLDRIVER tool with novel protocol/language/backdoor flow not matching LOSTKEYS/ROBOT chain; or (ii) a report on a new platform/auth-flow abuse (e.g., new OAuth grant/device-code, new messenger beyond WhatsApp/Signal).
▲ Two or more independent vendors corroborate a new COLDRIVER infection chain with distinct delivery/execution stages.
▲ Surge of COLDRIVER tasking during major geopolitical events (elections/summits) correlated with new TTPs within 60 days.
▼ 90+ days without fresh COLDRIVER reporting from listed sources post-major exposure.
▼ Public law-enforcement action naming operators/infrastructure with sustained disruption (>60 days).
Appendix
References
- https://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver
- https://www.zscaler.com/blogs/security-research/coldriver-updates-arsenal-baitswitch-and-simplefix
- https://www.microsoft.com/en-us/security/blog/2025/01/16/new-star-blizzard-spear-phishing-campaign-targets-whatsapp-accounts/
- https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-341a
AlphaHunt
Stop doomscrolling, start decisioning. We chewed through the muck so your team doesn’t have to. → Subscribe! • Forward to your on-call lead.
(Have feedback? Did something resonate with you? Did something annoy you? Just hit reply! :))
(c) 2025 CSIRT Gadgets, LLC
