COLDRIVER Hackers Unveil New Malware Families Amid Increased Cyber Activity


By Tina Reynolds


COLDRIVER, a Russian-linked hacking group, is now internationally infamous for its new family of malware. That malware has changed a lot since May 2025. With each year the group has expanded its reach, deploying different types of malware in multiple waves of attacks over the course of the first year. Security researchers at Zscaler ThreatLabz have already given this rapidly evolving malware the catchy name of the “ROBOT” family.

As of early 2025, COLDRIVER’s tempo is increasing. Its most significant malware was deployed in January, March and April of this year. These recent cases have sent shockwaves through the cybersecurity community, which continues to watch this group of hackers with great concern. The malware’s multiple iterations show a high level of investment and coordination in the group’s cyber intrusions, experts say.

The Evolving ROBOT Family

The ROBOT family of malware includes two specific variants tracked by Zscaler ThreatLabz: NOROBOT and MAYBEROBOT, also known as BAITSWITCH and SIMPLEFIX, respectively. The continued evolution of NOROBOT has garnered special interest.

“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys,” – Wesley Shields.

This developmental strategy indicates that COLDRIVER is changing its methods in response to heightened attention from cybersecurity researchers. The implications for digital security are sizeable, given the increased sophistication and threat evident in these most recent operations.

Alongside NOROBOT and MAYBEROBOT, COLDRIVER has deployed LOSTKEYS, an information-stealing malware. This malware would prove instrumental in many more successful attacks attributed to the group, which indicates a deeper game plan aimed at harvesting highly sensitive data from its targets.

Links to Foreign Government Activities

Recent investigations have uncovered connections between three young men, aged 17, who are suspected of providing services to a foreign government. One of the suspects reportedly acted while in direct and personal contact with a hacker group connected to the Russian government. This finding further underscores the potential for cooperation between domestic actors and foreign cybercriminals.

The Dutch government has prosecuted these figures. Prosecutors were unable to find any recent indications of pressure on the suspect tied to the hacker group. The short-sighted nature of their actions could prove to have dire consequences for our national security.

“This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague,” – Openbaar Ministerie (OM).

The act of mapping Wi-Fi networks raises concerns about possible digital espionage. Someone could have monetized the collected data by selling it to the highest bidder, and that data would then be available for use in future cyber attacks against the targets that were mapped.

Implications for Cybersecurity

COLDRIVER continues to develop and deploy its ROBOT family of malware. Cybersecurity experts recommend that organizations of all sizes strengthen their security posture now to defend against these advanced threats. With the increasing risk of digital espionage and cyber attacks, there is a renewed sense of urgency for vigilance in both the public and private sectors.

The circumstances surrounding LOSTKEYS and YESROBOT point to a deeply concerning pattern: hacking groups such as COLDRIVER are continuously evolving to become smarter and more resourceful. To date there have been only two documented YESROBOT deployments, spread across a two-week period in late May. Notably, this deployment occurred soon after information about LOSTKEYS was released to the public.

“The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks,” – Openbaar Ministerie (OM).

Authorities are actively pursuing these leads. It is therefore ever more important for organizations to harden their cyber defenses so that they are prepared to protect themselves from threats like COLDRIVER.