ColdRiver's "I Am Not a Robot" ClickFix Attack Campaign

In 2025, cybersecurity researchers uncovered a new and unusual scam from a Russian hacking group known as ColdRiver. The group, also known as Star Blizzard or the Callisto Group, had discovered a way to exploit one of the Internet's most familiar security tools, the "I am not a robot" CAPTCHA, and turn it into a malware-spreading weapon.


The discovery, initially made by Zscaler and then corroborated by the Google Threat Intelligence Group, revealed just how creative and manipulative modern cybercriminals have become. ColdRiver's operation employed a combination of social engineering, technical trickery, and psychological manipulation to infect computers belonging to government officials, academics, and defense researchers across the West.

At the heart of the campaign was a simple idea: exploit people's trust in common website features. Victims received phishing emails that appeared to be routine communications, file-sharing requests, security alerts, or messages from legitimate organizations. These emails contained links that led to fake web pages closely resembling authentic login screens.

When visitors landed on the page, they saw a familiar checkbox labeled "I am not a robot." Most users clicked it without hesitation, expecting a regular CAPTCHA test. Instead, that click triggered a download of a malicious ZIP file disguised as a harmless document.

This is a variation of the "ClickFix" technique, which this publication has already covered several times. The downloaded file contained Windows executables masquerading as PDFs or text files. If opened, they installed ColdRiver's custom malware on the victim's system. The attack works because it looks ordinary. CAPTCHA boxes are so ubiquitous that most people barely notice them. ColdRiver exploited that reflex, turning a routine security prompt into a delivery system for malware.
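A defender's check for the lure described above, added here as an example and not code from the article or from the researchers it cites: it opens a ZIP archive in memory and flags entries that pretend to be documents while actually being Windows executables. The archive contents, the extension lists and the thresholds are constructed assumptions for this example; a real triage pipeline would run this against quarantined mail attachments or browser downloads.

```python
import io
import zipfile

# Extensions Windows runs on double-click (assumed subset for this example).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".lnk"}
# Extensions a lure typically claims to be.
DOCUMENT_EXTS = {".pdf", ".txt", ".doc", ".docx", ".xls", ".xlsx"}


def classify_entry(name, head):
    """Return a reason string if the archive entry looks like a masquerading executable, else None.

    `name` is the entry's path inside the archive; `head` is its first two bytes.
    """
    lower = name.lower()
    parts = lower.rsplit("/", 1)[-1].split(".")
    ext = "." + parts[-1] if len(parts) >= 2 else ""
    # Right-to-left override characters are used to visually reorder a filename.
    if "\u202e" in name:
        return "RTL override in filename"
    # Double extension such as report.pdf.exe (Windows hides the last extension by default).
    if ext in EXECUTABLE_EXTS and len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTS:
        return "double extension"
    # Document extension, but the content starts with the PE/DOS "MZ" magic.
    if ext in DOCUMENT_EXTS and head.startswith(b"MZ"):
        return "PE header under document extension"
    # Any executable type inside an archive that was delivered as a "document".
    if ext in EXECUTABLE_EXTS:
        return "executable in archive"
    return None


def scan_zip(data):
    """Scan raw ZIP bytes and return a list of (entry name, reason) findings in archive order."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed for the check
            reason = classify_entry(info.filename, head)
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_sample_zip():
    """Constructed sample archive: two masquerading executables and two benign files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Briefing.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)  # double extension
        zf.writestr("notes.txt", b"MZ\x90\x00" + b"\x00" * 60)         # PE bytes under .txt
        zf.writestr("readme.txt", b"Just text.")                       # benign
        zf.writestr("Agenda.pdf", b"%PDF-1.7\n%constructed sample\n")  # benign
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in scan_zip(build_sample_zip()):
        print(f"{entry}: {reason}")
```

The magic-byte check matters more than the extension check: renaming an `.exe` to `.pdf` defeats a naive filename filter, but the `MZ` header is still there. Conversely, a double-extension name with benign content is still worth flagging, because it only exists to mislead the person who opens the archive.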

Researchers found that these malicious pages were hosted on compromised WordPress websites, often taken over by exploiting outdated plugins or weak passwords. The pages changed frequently, disappearing or relocating within hours. This constant movement made it difficult for cybersecurity teams to track and block them.

According to analysts, the campaign was not random. ColdRiver targeted individuals and institutions connected to Western governments, NATO, and policy research groups, namely organizations that often handle politically sensitive information.

Researchers at Google later discovered that the "ClickFix" campaign was designed to deliver three connected pieces of malware named NOROBOT, YESROBOT, and MAYBEROBOT. Together, they formed a layered system for espionage: one to gain access, one to steal data, and one to maintain control.

NOROBOT was the first stage of infection. Once launched, it quietly gathered details about the computer, such as operating system, user privileges, and network connections, and sent them to ColdRiver's command servers. Its primary purpose was to download and install other malware components. NOROBOT also checked if it was running inside a virtual machine or security sandbox, which researchers use to analyze malware. If it detected such an environment, it shut down to avoid exposure.

ColdRiver built NOROBOT with flexible communication tools that made it hard to block. The malware used randomized domain names to contact its control servers, ensuring the group could quickly rebuild its infrastructure if security companies attempted to take it down.
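One way a security team can surface the kind of randomized command-and-control naming described above is to look for a single host querying several random-looking labels under the same parent domain. The script below is an added example, not code from the article or from Google's or Zscaler's analysis; the log format, the domain names and the thresholds are constructed for this example, and the label heuristic (length, character entropy, mixed letters and digits) is a general assumption rather than a description of NOROBOT's actual naming scheme.

```python
import math
import re
from collections import Counter

# Constructed DNS resolver log in a simple "<timestamp> <host> query <type> <name>" layout.
SAMPLE_DNS_LOG = """\
2025-10-01T09:14:02Z host17 query A mail.example.org
2025-10-01T09:14:05Z host17 query A x7k2qp9vd3.cdn.example.net
2025-10-01T09:14:06Z host17 query A q83bzmwu4a.cdn.example.net
2025-10-01T09:14:09Z host22 query A www.microsoftonline.example.com
2025-10-01T09:14:11Z host17 query A 4hz1lo0t7s.cdn.example.net
2025-10-01T09:15:30Z host22 query A login.example.org
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) query (?P<qtype>\S+) (?P<qname>\S+)$")


def parse_log(text):
    """Parse the constructed log format into a list of dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def shannon_entropy(s):
    """Bits of entropy per character of the string (0 for the empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_random_label(label, min_len=8, min_entropy=3.0):
    """Heuristic: long, high-entropy label mixing letters and digits.

    Entropy alone misfires on long legitimate words (e.g. 'microsoftonline' scores
    above 3.5 bits), so the letter-plus-digit requirement is what keeps the false
    positive rate workable.
    """
    if len(label) < min_len:
        return False
    has_digit = any(ch.isdigit() for ch in label)
    has_alpha = any(ch.isalpha() for ch in label)
    return has_digit and has_alpha and shannon_entropy(label) >= min_entropy


def parent_domain(qname):
    """Everything after the leftmost label: 'a.b.c' -> 'b.c'."""
    return ".".join(qname.split(".")[1:])


def find_rotating_domains(events, min_distinct=3):
    """Return {(host, parent domain): sorted random-looking labels} for pairs that
    queried at least `min_distinct` different random-looking labels."""
    seen = {}
    for ev in events:
        label = ev["qname"].split(".")[0]
        if is_random_label(label):
            seen.setdefault((ev["host"], parent_domain(ev["qname"])), set()).add(label)
    return {key: sorted(labels) for key, labels in seen.items() if len(labels) >= min_distinct}


if __name__ == "__main__":
    for (host, parent), labels in find_rotating_domains(parse_log(SAMPLE_DNS_LOG)).items():
        print(f"{host} -> *.{parent}: {', '.join(labels)}")
```

Aggregating per (host, parent domain) rather than alerting on each odd-looking name is the design choice that makes this usable: content delivery networks and telemetry services also generate random labels, but they rarely do so in bursts of fresh names from one workstation against a parent domain nobody else in the organization resolves.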

After NOROBOT established access, it often downloaded YESROBOT, a second-stage tool focused on collecting information. YESROBOT searched for saved passwords, cookies, and session tokens from browsers and email clients. It could also take screenshots, copy clipboard data, and steal authentication details used for cloud services or VPNs.

Researchers noted that YESROBOT disguised its traffic to appear as regular internet activity, thereby helping it evade detection systems. It compressed stolen files into encrypted archives before sending them back to ColdRiver. Its modular design meant the hackers could update or extend its features remotely, adding new abilities like key logging or lateral movement across networks.

The third component, MAYBEROBOT, gave ColdRiver long-term remote access to infected systems. It established persistence mechanisms, such as hidden registry changes and scheduled tasks, to ensure it would relaunch even after reboots.

Once active, MAYBEROBOT allowed the hackers to execute commands, install new malware, or use the infected computer as a launch point to move deeper into an organization's network.

Google's threat analysts compared MAYBEROBOT to an earlier ColdRiver tool known as Spica, but with stronger encryption and stealth features. Together, the three malware families formed a coordinated espionage toolkit, demonstrating the group's technical sophistication and professional organization.

ColdRiver as a Persistent Threat

The CAPTCHA campaign was not an isolated attack but part of a much longer story. ColdRiver has been active for nearly a decade, continually adapting its methods and tools.

The group emerged around 2015, initially focusing on phishing campaigns that targeted diplomats and defense officials in Europe. Its early tactics were simple: emails impersonating journalists or researchers asked victims to log into fake websites. Over time, ColdRiver's techniques became increasingly convincing and tailored to each target.

By 2020, Western intelligence agencies had identified the group as a state-aligned actor supporting Russia's Federal Security Service (FSB). Its operations frequently coincided with major political or military events involving Russia and NATO.

In several campaigns, ColdRiver stole and leaked sensitive information to influence public opinion or embarrass Western officials. Security experts view the group as part of Russia's broader strategy of information warfare, blending hacking, propaganda, and psychological manipulation to advance national interests.

ColdRiver's infrastructure has been disrupted multiple times by Microsoft, Google, and the U.S. Department of Justice. In 2023, Microsoft and the DOJ jointly seized dozens of spear-phishing domains used by the group to impersonate NATO and government login portals. Those takedowns temporarily hindered ColdRiver's activity but didn't stop it.

The threat actors rebuilt their infrastructure, registered new domains, and created more advanced malware. Google's researchers later identified the group's Spica backdoor, which featured advanced encryption and command execution abilities.

That same design philosophy carried into the ClickFix campaign and the ROBOT malware family. Each new operation shows refinements in deception and persistence, proving that ColdRiver learns from every disruption.

What sets the group apart is not just its technical skill but its psychological precision. Instead of relying on complicated exploits, ColdRiver preys on human behavior, trust, habit, and familiarity. A CAPTCHA, a login page, or a document download can all become tools of manipulation when combined with clever engineering.

Karolis Liucveikis

Experienced software engineer, passionate about behavioral analysis of malicious apps

Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.

PCrisk security portal is brought by a company RCS LT.
