Cybersecurity researchers have discovered three new malware families tied to the Russia-linked hacking group COLDRIVER. Since May 2025, COLDRIVER has been actively developing and deploying this malware in several waves, with a clear increase in operational tempo. The findings were released by Zscaler ThreatLabz, which has been tracking the group’s activity and its malware under different names.
Active since at least 2019, COLDRIVER is an increasingly insidious threat actor whose malware has evolved over the years to outpace changing defenses. Its latest offensive includes information-stealing malware and other advanced threats, a trend that has cybersecurity experts and government agencies on high alert.
Recent Developments in Malware Deployment
COLDRIVER opened 2025 with a campaign in January, followed by further activity in March and April. These operations led to the discovery of a new information-stealing malware named LOSTKEYS, which has since been used in a number of other major intrusions, underscoring a broader change in the group’s strategies and capabilities. COLDRIVER’s malware has evolved significantly, and the latest iterations have been closely watched by cybersecurity teams at CyberCommand.
LOSTKEYS was the starting point for later additions to COLDRIVER’s toolkit, the “ROBOT” family of malware. Two notable variants stand out: NOROBOT and MAYBEROBOT. Zscaler ThreatLabz tracks NOROBOT as BAITSWITCH and MAYBEROBOT as SIMPLEFIX.
Wesley Shields, cybersecurity expert at Zscaler ThreatLabz, reflected on the development of NOROBOT, saying,
“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.”
The latest findings show that COLDRIVER’s malware has already been used in real-world cases, including YESROBOT. To date there have been only two known YESROBOT deployments, both within a two-week span in late May 2025, coinciding with the public announcement of LOSTKEYS.
Suspects Apprehended in Connection with COLDRIVER
Coinciding with this, the Netherlands’ Public Prosecution Service (OM) announced that three 17-year-old males are suspects. On the first charge, they allegedly worked for a foreign military government associated with COLDRIVER. One of the suspects allegedly reached out to the notorious hacker group Cozy Bear, associated with the Russian state. This link between private individuals and a state actor is alarming given the national security implications.
Law enforcement officials arrested two suspects on September 22, 2025. The third suspect, a former banker, was placed under house arrest due to his “limited role.” Officials are investigating the extent of their involvement in COLDRIVER’s activities.
The investigation revealed that this suspect had sold the aggregated data for a price. As mentioned last week, such data is ripe for digital espionage and even cyber attacks.
The Meaning of These Discoveries
The threat these findings represent shows that hacking groups such as COLDRIVER are extremely active and pose a constant threat.
“There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government.”
As our nation’s cybersecurity teams track COLDRIVER’s operations, experts urge continued vigilance against adapting and emerging threats. The group’s ability to quickly produce new malware families, even localized to its victims, has severe consequences for businesses around the world.
Ongoing Monitoring and Future Implications
The knowledge extracted from recent campaigns and investigations will be key to understanding, anticipating and countering COLDRIVER’s tactics. Close coordination between cybersecurity researchers and law enforcement agencies is essential to address the escalating risks posed by such hacking groups.