
Star Blizzard NoRobot and MaybeRobot backdoor activity

Malware Activity
Happening score: 28 (1 unique source, 1 article)

Summary


Star Blizzard switched from LostKeys to new backdoor tooling, keeping its intrusion chain active after the original payload was publicly exposed. The updated attacks use ClickFix lures to get the victim to run a command that loads a malicious DLL called NoRobot, which retrieves the next-stage payload and provides persistence. The final stage is now MaybeRobot, a more flexible PowerShell backdoor that replaced the earlier YesRobot. The changes observed between May and September 2025 show a continued focus on evasion and post-compromise control.

Related Happenings

Hive0163 extortion and ransomware campaign using ClickFix and malvertising

Campaign
First: 12.03.2026 19:02 Last: 12.03.2026 19:02 Sources 1

About this happening: Hive0163 is running an **active extortion and ransomware campaign** that expands access and raises the risk of **large-scale data exfiltration**. The operation uses **ClickFix**,...

Microsoft silently patches Windows LNK file remote code execution flaw (CVE-2025-9491)

Vulnerability
First: 12.02.2026 23:01 Last: 12.02.2026 23:01 Sources 1

About this happening: **Windows LNK shortcut files** remain the focus of this vulnerability thread: **CVE-2025-9491** / **ZDI-CAN-25373** is being used in **September-October 2025** spear-phishing atta...

Mustang Panda PlugX DOPLUGS deployment chain for persistent access

Malware Activity
First: 04.02.2026 16:09 Last: 04.02.2026 16:09 Sources 1

About this happening: **Mustang Panda (TA416)** used **malicious ZIP/LNK chains** to deliver its custom **PlugX/DOPLUGS** payload and maintain **persistent access** on compromised hosts. The activity t...

Microsoft security patch release for CVE-2025-9491

Security Patch Release
First: 03.12.2025 18:45 Last: 03.12.2025 18:45 Sources 1

About this happening: Microsoft's **November 2025 updates** quietly changed **Windows LNK** handling to mitigate **CVE-2025-9491**, a flaw used to hide malicious commands inside shortcut files. The upd...

TAMECAT PowerShell backdoor deployment and exfiltration

Malware Activity
First: 14.11.2025 16:40 Last: 14.11.2025 16:40 Sources 1

About this happening: **TAMECAT** is being used as a **PowerShell backdoor** to maintain **persistent access** on compromised hosts and move data out through **HTTPS, Discord, and Telegram**. The malwa...

Timeline

  1. 22.10.2025 15:03 2 articles

    Star Blizzard backdoor chain update

    Technical Analysis Update

    Google disclosed that Star Blizzard shifted away from LostKeys after its June exposure and was using ClickFix-style lures to get Windows victims to execute a malicious command in the Run box. That command loads a DLL called NoRobot through rundll32, which retrieves the follow-on backdoor chain; the final stage is now MaybeRobot rather than YesRobot. Between May and September 2025 the operator rotated infrastructure, file naming conventions, retrieval paths, export names and DLL names, changes aimed at evading detection of the earlier chain while keeping the persistence-oriented payload retrieval intact.

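The chain described in this entry (a ClickFix command pasted into the Run box, rundll32 loading a dropped DLL, a hidden PowerShell follow-on stage) leaves a recognizable pattern in process-creation telemetry. The Python below is an added hunting example written for this page; it is not tooling from Google's report or from any source cited here. The event records, PIDs, paths, the DLL name `verify.dll`, the export name `Check` and the encoded PowerShell argument are constructed placeholders, not Star Blizzard indicators.

```python
"""Hunt for a ClickFix -> rundll32 DLL loader -> PowerShell chain in
process-creation events shaped like Sysmon Event ID 1 fields.
All events, paths and names below are constructed for this example."""
import re
from collections import defaultdict

# "rundll32[.exe] <dll>,<export>" with an optionally quoted DLL path.
RUNDLL32_CALL = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>[A-Za-z_]\w*)',
    re.I)

# Locations a standard user can write to. A loader dropped by a ClickFix lure
# lands here; DLLs invoked by legitimate rundll32 usage live under System32.
USER_WRITABLE = re.compile(
    r'\\(?:Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)'
    r'|Windows\\Temp|ProgramData|Users\\Public)\\', re.I)

# PowerShell switches typical of a hidden, policy-bypassing second stage.
SUSPICIOUS_PS = re.compile(
    r'-(?:w(?:indowstyle)?\s+hidden|e(?:nc(?:odedcommand)?)?\s'
    r'|e(?:p|xecutionpolicy)\s+bypass|nop(?:rofile)?\b)', re.I)

# Constructed sample telemetry: one malicious chain and two benign rundll32 uses.
SAMPLE_EVENTS = [
    {"ts": "2025-09-10T09:14:02Z", "pid": 5120, "ppid": 4001,
     "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\verify.dll,Check"},
    {"ts": "2025-09-10T09:14:05Z", "pid": 5188, "ppid": 5120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\rundll32.exe",
     # -enc value is a placeholder (UTF-16LE "ABC"), not a real payload.
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -enc QQBCAEMA"},
    {"ts": "2025-09-10T09:20:11Z", "pid": 6004, "ppid": 912,
     "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"ts": "2025-09-10T09:22:40Z", "pid": 6100, "ppid": 4001,
     "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'rundll32.exe "C:\Windows\System32\inetcpl.cpl",LaunchConnectionDialog'},
]


def _is(image, name):
    return image.lower().endswith("\\" + name)


def hunt(events):
    """Return one finding per rundll32 launch that shows at least two of the
    three chain signals: spawned by explorer.exe (how Run-box commands start),
    DLL loaded from a user-writable path, and a hidden PowerShell child."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    findings = []
    for e in events:
        if not _is(e["image"], "rundll32.exe"):
            continue
        m = RUNDLL32_CALL.search(e["cmdline"])
        dll = m.group("dll") if m else ""
        export = m.group("export") if m else ""
        signals = []
        if _is(e["parent"], "explorer.exe"):
            signals.append("launched_from_explorer")
        if dll and USER_WRITABLE.search(dll):
            signals.append("dll_in_user_writable_path")
        if any(_is(c["image"], "powershell.exe") and SUSPICIOUS_PS.search(c["cmdline"])
               for c in children.get(e["pid"], [])):
            signals.append("spawns_hidden_powershell")
        if len(signals) >= 2:
            findings.append({"ts": e["ts"], "pid": e["pid"], "dll": dll,
                             "export": export, "signals": signals,
                             "score": len(signals)})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['ts']} pid={f['pid']} score={f['score']} "
              f"dll={f['dll']} export={f['export']} signals={f['signals']}")
```

A rundll32 process parented by explorer.exe is exactly how a Run-box command is spawned, but it also matches a user opening a Control Panel applet, which is why the example requires two signals before reporting and leaves the `inetcpl.cpl` event alone. On a suspect host, the Run-box history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU preserves what the victim pasted even after the dropped DLL has been removed, so it is worth collecting alongside the process telemetry.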