New Malware Families Linked to Russian Hacking Group COLDRIVER Uncovered


By Tina Reynolds


A recent in-depth analysis by security researchers at Mandiant shows that the Russia-linked hacking group COLDRIVER has developed multiple new malware families, a notable advancement in its cyber operations. The group targets high-profile individuals, private-sector NGOs, government advisory bodies, and dissidents. Since May of this year its operational tempo has nearly doubled. The new malware marks a shift from the group's previous tactics and has drawn the attention of the wider security industry.

The new malware discovered in this investigation shows that COLDRIVER has gone through many development cycles since it first appeared. These updates are part of a long-running effort to improve its attack capabilities. The group was previously known for the information-stealing malware LOSTKEYS; it has since moved on to the "ROBOT" family (NOROBOT, YESROBOT, and MAYBEROBOT), marking yet another step in its continuously evolving tactics.

Details of the New Malware

The malware family LOSTKEYS was first observed in attacks logged in January, March, and April 2025. Since those attacks, COLDRIVER has moved on to distributing the "ROBOT" family of malware, which includes the newly documented YESROBOT.

To date, YESROBOT has been deployed in just two documented cases, both within a roughly two-week window in late May. This rapid turnover of tooling suggests a strategic shift for COLDRIVER as it adapts its arsenal to keep its intrusions effective.

“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys,” – Wesley Shields.

This evolution is a significant step up in sophistication, and it raises the risk for the targeted businesses and public bodies as well as for the individual staff who receive the lures.
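As an added illustration of the key-splitting pattern the quote above refers to (example code written for this page, not COLDRIVER's, Mandiant's, or Google's code): a loader's decryption key is split into several XOR shares, each delivered by a separate stage of the infection chain, so that capturing only some of the stages yields nothing usable. The cipher is a constructed SHA-256 keystream stand-in, because the page does not name the real one, and `PAYLOAD` is placeholder bytes; neither reproduces the actual NOROBOT implementation.

```python
import hashlib
import secrets


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || block counter) blocks.

    Constructed stand-in for whatever cipher the real loader uses (the page
    does not identify it). Symmetric, so the same call encrypts and decrypts.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def split_key(key: bytes, parts: int) -> list[bytes]:
    """n-of-n XOR splitting: every share is required, any subset is useless.

    parts-1 shares are uniformly random; the last one is key XOR all others,
    so the XOR of the full set reproduces the key and nothing less does.
    """
    if parts < 2:
        raise ValueError("need at least two shares")
    shares = [secrets.token_bytes(len(key)) for _ in range(parts - 1)]
    last = bytes(key)
    for share in shares:
        last = bytes(a ^ b for a, b in zip(last, share))
    shares.append(last)
    return shares


def combine_key(shares: list[bytes]) -> bytes:
    """XOR all shares back together; the result is wrong if any share is missing."""
    key = bytes(len(shares[0]))
    for share in shares:
        key = bytes(a ^ b for a, b in zip(key, share))
    return key


def build_stages(payload: bytes, parts: int = 3) -> tuple[list[bytes], bytes]:
    """Attacker side: fresh key, one share per delivery stage, encrypted payload."""
    key = secrets.token_bytes(32)
    return split_key(key, parts), keystream_xor(key, payload)


def recover_payload(shares: list[bytes], blob: bytes) -> bytes:
    """Final stage (or analyst) side: reassemble the key and decrypt the blob."""
    return keystream_xor(combine_key(shares), blob)


# Constructed placeholder; a real chain would carry the next-stage binary here.
PAYLOAD = b"constructed placeholder for the next-stage payload"

if __name__ == "__main__":
    shares, blob = build_stages(PAYLOAD, parts=3)
    print("all three stages captured:", recover_payload(shares, blob) == PAYLOAD)
    print("only two stages captured :", recover_payload(shares[:2], blob) == PAYLOAD)
```

The analyst-side consequence is the point of the pattern: each delivery stage has to be captured in full before the final payload can be recovered, and a single stage in isolation contains nothing recognisable to signature-based tooling.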

Investigations into Potential Collaborators

The Dutch public prosecution service, the Openbaar Ministerie (OM), has launched a criminal investigation into three 17-year-olds. They are suspects in a still-open case involving services rendered to a foreign government. One of the suspects reportedly communicated with COLDRIVER, a group that has been tied to hackers working on behalf of the Russian state.

The OM has disclosed another troubling detail: in one instance, a suspect repeatedly directed the other two to map Wi-Fi networks in The Hague.

“This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague,” – Openbaar Ministerie (OM).

The case points to a larger and growing concern: local actors working with foreign state-sponsored hacking groups. The investigation is ongoing as Dutch authorities work to establish the full scope of these ties.

Implications for Cybersecurity

The implications of COLDRIVER's new malware and the ongoing investigation into local collaborators should concern security teams. Beyond the theft itself, the suspects allegedly sold the information they gathered to their client, which opens the door to digital espionage and cyber attacks against private companies, government institutions, infrastructure, and more.

“The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks,” – Openbaar Ministerie (OM).

As the threat landscape keeps evolving, organizations must stay aware and ahead in their security efforts, especially against advanced malware from state-backed actors like COLDRIVER. These developments reinforce the need to continuously test, validate, and improve security practices.