New Malware Uncovered as COLDRIVER Hackers Intensify Operations

By Tina Reynolds

The recent report details how several newly identified malware families have been attributed to the Russian-linked hacking group COLDRIVER. This finding underscores the heightened threat the group poses. Beginning in May 2025, COLDRIVER has shown a significant uptick in activity and has moved away from its established methods. In the past, the group focused on compromising the credentials of high-profile and influential people, including staff at NGOs, policy advisors, and political dissidents.

The report describes recently developed malware that has been traced back to COLDRIVER, including an information stealer known as LOSTKEYS. This marks a significant departure from the group's earlier approach, which leaned heavily on tried and tested credential-theft tactics. The growing sophistication of these attacks should concern people well beyond the security community.

Evolving Tactics of COLDRIVER

Since it was first tracked, COLDRIVER has changed considerably, above all in how it operates. The group's classic focus on credential theft has expanded to include new, more complex malware deployments. The most recent versions of its malware point to an increased operational tempo that matches its evolving tactics.

Alongside this shift, the group has deployed the "ROBOT" family of malware, which includes variants such as NOROBOT and MAYBEROBOT. Zscaler ThreatLabz tracks these under different names: BAITSWITCH for NOROBOT and SIMPLEFIX for MAYBEROBOT. The continued development across these families shows a deliberate effort to make them more effective against targets.

“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys,” – Wesley Shields

A string of attacks attributed to COLDRIVER in January, March, and April 2025 involved the deployment of LOSTKEYS. Since then the group has continued to refine its tooling, and that work produced the ROBOT malware family.
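The key-splitting that Shields mentions above can be illustrated with a small staged-delivery model. The following is an added example written for this article, not code from the report or from COLDRIVER, and it makes no claim about how NOROBOT actually handles keys. It assumes a chain in which two stages each carry one XOR share of a 32-byte key and a third stage carries the encrypted payload; an HMAC-SHA256 counter-mode keystream stands in for the real cipher so the example runs on a plain Python install with no third-party packages.

```python
"""Illustration of a staged delivery chain that splits a decryption key across
two components, so that neither stage alone yields the payload.

Added example for this article; NOT COLDRIVER/NOROBOT code. The cipher is a
stand-in (HMAC-SHA256 in counter mode) chosen so the example runs on a plain
Python install without third-party packages.
"""
import hashlib
import hmac
import os


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic keystream: concatenated HMAC-SHA256(key, counter) blocks.
    Assumption: a PRF-based stream cipher stands in for the real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return tag || ciphertext. The tag (SHA-256 of the plaintext) is only an
    integrity check so that a wrong key is detected; it is not authenticated
    encryption."""
    tag = hashlib.sha256(plaintext).digest()
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))
    return tag + ct


def decrypt(key: bytes, blob: bytes):
    """Return the plaintext, or None when the key does not match the tag."""
    tag, ct = blob[:32], blob[32:]
    pt = bytes(c ^ k for c, k in zip(ct, keystream(key, len(ct))))
    if hashlib.sha256(pt).digest() != tag:
        return None  # wrong key: the payload stays opaque
    return pt


def split_key(key: bytes) -> tuple:
    """Two-of-two XOR secret sharing: each share on its own is uniformly random
    and carries no information about the key."""
    share_a = os.urandom(len(key))
    share_b = bytes(k ^ a for k, a in zip(key, share_a))
    return share_a, share_b


def join_key(share_a: bytes, share_b: bytes) -> bytes:
    """Recombine the two shares; with either share missing the result is junk."""
    return bytes(a ^ b for a, b in zip(share_a, share_b))


# Constructed sample payload (hypothetical; not from any real sample).
PAYLOAD = b"constructed final-stage payload: print('hello from stage 3')"


def build_chain(payload: bytes = PAYLOAD) -> dict:
    """Model a three-stage chain: stage 1 and stage 2 each deliver one key
    share, stage 3 delivers the encrypted payload."""
    key = os.urandom(32)
    share_a, share_b = split_key(key)
    return {"stage1": share_a, "stage2": share_b, "stage3": encrypt(key, payload)}


def recover(chain: dict, have_stage1: bool = True, have_stage2: bool = True):
    """What can be recovered given which stages were captured. A missing stage
    is modelled as an all-zero share, i.e. no knowledge of that half."""
    share_a = chain["stage1"] if have_stage1 else bytes(32)
    share_b = chain["stage2"] if have_stage2 else bytes(32)
    return decrypt(join_key(share_a, share_b), chain["stage3"])


if __name__ == "__main__":
    chain = build_chain()
    print("all stages  :", recover(chain))
    print("stage1 lost :", recover(chain, have_stage1=False))
    print("stage2 lost :", recover(chain, have_stage2=False))
```

The practical point for analysts is in `recover()`: with any one stage missing, `join_key()` produces an unrelated key and the payload stays opaque, so the whole chain has to be collected before the final stage can be examined.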

Investigation and Suspects

In a concerning development, the Netherlands' Public Prosecution Service announced that three 17-year-olds are suspected of providing services to a foreign government. One of them is believed to have been in direct contact with COLDRIVER. This relationship shows how local actors can end up furthering foreign cyber operations.

Authorities have not publicly found evidence that any outside pressure was put on the COLDRIVER-linked suspect, which raises questions about the extent of these youths' involvement and their motives.

“There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government,” – the Dutch government body

That suspect also directed the other two to map Wi-Fi networks across The Hague. According to media reports, this occurred on three separate occasions. The mapping may have been a preparatory step for larger cyber operations.

“This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague,” – OM

Implications for Cybersecurity

As COLDRIVER's new malware families continue to evolve, the threat to global digital security grows with them. Data obtained through these intrusions can enable further digital espionage and cyber attacks against both private and public sector organizations.

The Public Prosecution Service has also stated that one of the suspects sold the collected information to a client for a fee. This underscores the financial incentives behind such activity, and the need for proactive cybersecurity efforts aimed at reducing the threat from capable groups such as COLDRIVER.

“The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.” – OM