COLDRIVER Hackers Unveil New Malware Families Amid Heightened Activity

By Tina Reynolds

The Russia-linked hacking group COLDRIVER has recently created multiple new malware families. Its operational tempo has tripled over the last few years, reflecting a marked increase in its capabilities. Cybersecurity professionals have been tracking a wave of these attacks since at least May 2025. This represents a significant change in COLDRIVER’s strategy and focus. Historically, COLDRIVER has mostly focused on credential theft from high-profile individuals, including NGO staff, policy advisers and political dissidents. Its actions over the past year break from this pattern of operations.

Researchers have linked COLDRIVER to other types of malware. Most notably, they identified an information-stealing program named LOSTKEYS that was finalized and used in January, March, and April of 2025. On the heels of these intrusions, the group released the “ROBOT” family of malware, including a variant dubbed YESROBOT. This latest evolution represents a major tactical shift, and cybersecurity analysts are already raising concerns about the group’s long-term plans and potential.

Increased Operational Tempo

There has been a marked increase in COLDRIVER’s operational tempo since the beginning of May 2025. Cybersecurity analysts, including researchers at Recorded Future, have documented many of the developmental phases of the group’s malware. Combined with the recent emergence of the “ROBOT” family, this points to a much broader and more aggressive ongoing strategy than previously seen.

Wesley Shields, a prominent cybersecurity expert, commented on the evolution of NOROBOT, stating that it has undergone “constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.” This latest evolution of the malware family reflects the group’s sustained effort to improve its malware’s effectiveness.

The sudden change in COLDRIVER’s direction is prompting experts to reassess the group’s motives and capabilities. Taken together, the new malware families show a capacity to support more sophisticated cyber espionage campaigns and digital warfare. This combination of factors makes the group a key threat to both the organizations and the individuals it targets.

Recent Arrests Linked to COLDRIVER

On Tuesday, the Netherlands’ Public Prosecution Service (Openbaar Ministerie) announced that it suspects three 17-year-old men of providing services to a foreign government. One of these teens was said to have had contact with a hacking syndicate connected to the Russian state. Two of the suspects were arrested by law enforcement on September 22, 2025. The third suspect has been placed under house arrest because of his more limited role in the case.

According to court documents, one suspect had reached out to a hacker group with Russian ties. He sent directions to two of the other suspects, telling them to repeatedly ping Wi-Fi networks across The Hague. This case illustrates how local actions can feed into broader cyber threats, such as those posed by a group like COLDRIVER.

According to the Openbaar Ministerie, “The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.” This highlights the commercial side of such activity: local actors often play a significant role in enabling APT operations.

Evolving Malware Families

COLDRIVER’s latest actions showcase a set of related Trojan and backdoor families linked together through a malware delivery chain. Before these recently announced operations, analysts had been tracking NOROBOT and MAYBEROBOT under the code names BAITSWITCH and SIMPLEFIX, respectively. The launch of YESROBOT suggests a more organized effort for deploying malware, in which each release builds on the success of earlier ones.

With the cybersecurity community watching closely, experts have been analyzing these developments in detail. Wesley Shields noted that COLDRIVER’s approach represents “a collection of related malware families connected via a delivery chain,” indicating that its operations could become even more complex and harder to combat.

Cybersecurity companies are closely tracking COLDRIVER’s operations and its growing repertoire of malware. This increased vigilance matters because the stakes for global cybersecurity continue to rise. The combination of high-profile targets and sophisticated tactics is creating difficult challenges for defenders in both the public and private sectors.