Cybersecurity Experts Uncover New Malware Families Linked to Russian Hacking Group COLDRIVER

By Tina Reynolds

A recent in-depth investigation has revealed a shocking reality: the Russia-linked hacking group that calls itself COLDRIVER has been credited with developing three distinct families of malware. This discovery comes amid a shocking uptick in the group’s activity, marked by a drastic shift in its targeting tactics. COLDRIVER’s recent campaign is a courageous step in a new direction: rather than targeting only the usual high-ranking officials in NGOs, policy advisor circles, and dissidents, the group is expanding its range of targets.

This latest piece of malware may have been under development since as early as May 25. Its launch has unfortunately overlapped with a marked uptick in activity from the problematic hacking group. On top of that, researchers found that COLDRIVER first started executing these attacks in January, March, and April of 2025. Those attacks were subsequent deployments of an information-stealing malware dubbed LOSTKEYS. On the heels of those intrusions, the group has recently released a new malware family called “ROBOT.”

Evolution of COLDRIVER’s Tactics

In the past, COLDRIVER has conducted credential theft campaigns specifically targeting high-profile and troubled targets. Its recent targeted strikes against civilians show an intention to abandon this usual pattern of behavior. Along the way, experts note, cybersecurity researchers have managed to track the malware families NOROBOT and MAYBEROBOT. Zscaler ThreatLabz has separately named these threats BAITSWITCH and SIMPLEFIX.

Wesley Shields, a cybersecurity analyst, commented on the evolution of NOROBOT, stating:

“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.”

The introduction of ROBOT marks a tactical turning point for COLDRIVER as the group widens its scope beyond transportation.

Recent Developments and Law Enforcement Actions

In a parallel development, the Netherlands’ Public Prosecution Service (OM) has taken steps to address COLDRIVER’s activities. On September 22, 2025, authorities arrested two 17-year-old men on charges of upgrading foreign government services. One of the suspects is said to have been directly responsible for making contact with a group of hackers associated with the Russian government. A third person had previously been placed under house arrest.

Those initial mapping exercises yielded a wealth of information, all of which we’ve since packaged and shared with paying clients. This has led to a creeping fear of the long-term risk of digital espionage and cyber attacks.

“This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague.”

Furthermore, COLDRIVER’s operational tempo is growing exponentially. At the same time, new and dangerous malware families such as YESROBOT are currently being developed, which have far-reaching implications for the cybersecurity domain. To date, there are only two recorded examples of YESROBOT deployment. Their timing shows a smart, deliberate reaction that probably came just after the public preview of LOSTKEYS.

Implications of Increased Cyber Activity

Shields further described this phenomenon:

“It is a collection of related malware families connected via a delivery chain.”

As investigations continue and further details emerge regarding the suspects’ involvement, the cybersecurity community remains vigilant regarding COLDRIVER’s evolving tactics.