New Malware Families Linked to COLDRIVER Hackers Target High-Profile Individuals

By Tina Reynolds

A recent investigation has unveiled that the Russia-linked hacking group known as COLDRIVER has developed three new malware families, marking a significant shift in their operational tactics. Cybersecurity companies and government officials are watching these changes with great interest. COLDRIVER mainly focuses on high-profile targets for credential theft, such as those working in non-governmental organizations (NGOs), policy advisors, and political dissidents.

Since it was first detected in May 2025, COLDRIVER has been linked to several variations of the malware, each more advanced than the last. Zscaler ThreatLabz, a cybersecurity research team, has tracked this malware under names such as NOROBOT and MAYBEROBOT. The new variant, named LOSTKEYS, focuses specifically on stealing emails and file attachments containing sensitive information from high-profile individuals, a sign that the group has upped its game.

Shift in Modus Operandi

The report continues that COLDRIVER recently made a big tactical shift: its latest attack waves now include LOSTKEYS, an information-stealing malware. This further pivot toward direct data extraction reflects the group’s aim to compromise and exploit high-value targets with greater efficiency.

The introduction of LOSTKEYS adds new attack vectors to the “ROBOT” family of malware, a clear example of COLDRIVER’s adaptability in an ever-evolving cyber threat landscape. Zscaler ThreatLabz has observed that several malware families attributed to COLDRIVER, including NOROBOT and MAYBEROBOT, are now tracked under different designations: BAITSWITCH and SIMPLEFIX, respectively. Whatever the motive, this rebranding has benefited the group’s campaigns by obscuring its activity.

Additionally, only two occurrences of another malware variant called YESROBOT have been recorded to date. Both transpired within a two-week window in late May 2025, just weeks after information about LOSTKEYS went public. YESROBOT’s limited deployment suggests a cautious approach that lets the group gauge the variant’s effect before rolling it out more broadly.

Legal Developments and Government Involvement

In light of these harmful activities, the Dutch government is actively pursuing action against COLDRIVER. Just last week, authorities arrested three 17-year-old males suspected of providing such quasi-mercenary services to a foreign government. Notably, one of these persons is reportedly connected to a hacker collective with ties to the Russian state. On September 22, 2025, law enforcement arrested two of the suspects. Because of a lower degree of involvement in the operation, the third suspect was placed under house arrest.

The Public Prosecution Service of the Netherlands, Openbaar Ministerie (OM), is leading the effort to bring criminal charges against these suspects. This legal action demonstrates not only the seriousness of these threats but also how governments are moving to punish bad actors like COLDRIVER for their crimes. The joint announcement from cybersecurity experts and law enforcement underscores the collaboration now taking place to address increasingly brazen cybercriminal acts.

Increased Operational Tempo

COLDRIVER’s operational tempo has suddenly doubled. This shift is visible in the numerous developmental stages of its malware since May 2025. As the legal action gets underway, the group continues to expand its toolset while refining its methods to evade detection and increase its impact.

Furthermore, experts maintain that the ongoing development of malware linked to COLDRIVER presents a serious challenge for those entrusted with cyber defenses. As this group evolves its tactics and focuses on high-profile targets, organizations need to be on high alert to avoid falling victim to such attacks.