This changed radically in recent days when an innovative analysis by cybersecurity researchers surfaced groundbreaking news about the Russia-linked hacking group COLDRIVER. The group is infamous for its campaign of harassment against prominent individuals such as NGO employees, policy advisors, and dissidents. Since May 2025, it has released previously unknown malware families and increased its attack operations to an unprecedented degree. Our most recent conclusions further show that COLDRIVER remains a potent threat actor in the ongoing cybersecurity battleground.
It has been implicated in several emerging malware variants, notably type A and type B cryptominers. Security professionals have seen these variants in multiple real-world attack environments. Interestingly, two of these malware families, NOROBOT and MAYBEROBOT, are tracked under the names BAITSWITCH and SIMPLEFIX by Zscaler ThreatLabz. The group’s evolving tactics signal a departure from its traditional methods, marking a concerning escalation in its activities.
Evolution of COLDRIVER’s Tactics
Since its debut, COLDRIVER has made major changes to its infrastructure and operational strategy. The group’s standard operating procedure largely centered on credential theft from high-value targets. The most recent waves of attacks show a markedly more sophisticated approach. These involve the deployment of a new piece of information-stealing malware dubbed LOSTKEYS, as well as a new family of malware that’s being dubbed “ROBOT.”
“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys,” – Wesley Shields.
The introduction of these new malware families is a clear sign that COLDRIVER is expanding the scope of its operations. Researchers have also observed a troubling pattern of rapid development and deployment. This evolution in tactics speaks to the group’s nimbleness and dedication to increasing the impact of its cyber operations.
New Malware Families and Incident Reports
Recent police reports show that COLDRIVER has used the YESROBOT malware family in its operations. This specific variant has been found only twice, within a two-week period in late May. These sightings coincided with the public first becoming aware of LOSTKEYS. This timing raises interesting possibilities of links between the various malware deployments.
The Netherlands’ Public Prosecution Service provided a reminder of the clear and compelling need for action. It is investigating three 17-year-old males for allegedly offering assistance to a foreign government. One of the suspects is allegedly associated with a hacker collective known to be affiliated with the Russian state, which would further connect them to COLDRIVER.
“There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government,” – the Dutch government body.
These marginalized youth are central to COLDRIVER’s work, yet their participation raises alarming questions about the recruitment and engagement of local actors in more advanced or state-backed malicious cyber operations.
Ongoing Monitoring and Research
Cybersecurity professionals will be watching COLDRIVER’s ongoing operations very carefully. The group’s operations have been linked to other existing malware families, indicating a wider network of threats within the cybersecurity ecosystem. Threat researchers with Zscaler ThreatLabz have closely examined COLDRIVER’s tactics and tradecraft, giving us a detailed look into its operational patterns.
As COLDRIVER remains active with ongoing operations and new malware developments, it is crucial for organizations and individuals to stay informed about potential threats. Cybersecurity measures have to keep pace with these new threats to protect sensitive information and critical infrastructure.