The Russia-linked hacking group COLDRIVER has significantly increased its operational tempo and has released three new families of malware. Since May 2025, the group has repeatedly and rapidly iterated on its malware, further indicating a higher "operations tempo." COLDRIVER's malware has been the deciding factor in many successful attacks: what started as extensive reconnaissance ultimately triggered the deployment of information-stealing malware called LOSTKEYS.
The development of LOSTKEYS was apparent in attacks seen in January, March, and April of 2025. Aside from directly compromising systems, these intrusions established a basis for more advanced malware families such as BAITSWITCH and SIMPLEFIX. Zscaler ThreatLabz has been closely monitoring these trends, and we have named the two malware families NOROBOT and MAYBEROBOT.
Increased Operational Tempo
COLDRIVER's recent endeavors reflect a sea change in its operational tactics. The group's malware has been released in several versions, each one making significant improvements to its complexity and capabilities. Cybersecurity experts are extremely alarmed by this escalation and caution that COLDRIVER's newfound aggressiveness may represent even greater danger for institutions of all types.
Wesley Shields, a cybersecurity analyst, remarked on the evolution of NOROBOT, stating, "NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys."
COLDRIVER is not merely intent on executing attacks. The dynamic nature of its operations means that it constantly tinkers with its approaches to avoid detection mechanisms. As stated in policy documents, this recent development sends a strong signal that the government intends to maintain intelligence collection against high-value targets.
Deployment of Information-Stealing Malware
The recent deployment of LOSTKEYS has sounded serious alarms within the global cybersecurity community. According to reports, this information-stealing malware was deployed during a wave of attacks over the summer. These infiltrations gave COLDRIVER the ability to extract sensitive data from compromised networks.
Openbaar Ministerie (OM), the Dutch public prosecution service, has underscored the seriousness of this data breach. They stated, “The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.”
These revelations serve as a stark reminder of how stolen data can be misused, creating a serious risk for organizations and individuals in turn.
Recent Instances and Affiliations
By the end of May 2025, COLDRIVER had been associated with the deployment of YESROBOT in two different cases. This deployment came right before we released the details of the newly minted LOSTKEYS to the public. The timing suggests the group was probably responding to increased outside pressure after its earlier strategies had been exposed.
The responsible government body from the Netherlands has verified that no external pressures can be found to have motivated the suspect behind COLDRIVER. Their eyes are glued on this situation. They stated, “There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government.”
In this incident, the hacking group had direct communications with a 17-year-old main suspect. The teen's augmented reality onboarding process gave step-by-step directions for plotting Wi-Fi networks on a map of The Hague. Openbaar Ministerie (OM) noted, "This suspect gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague."