COLDRIVER Hackers Evolve Malware Tactics Amidst Increased Cyber Operations

By Tina Reynolds

The Russia-connected hacking collective COLDRIVER has developed a new variant of malware, and since May 2025 its operational tempo has more than quadrupled. The group has been behind a number of high-profile cyber attacks, especially those involving the information-stealing malware known as LOSTKEYS. Recent investigations by the Netherlands’ Public Prosecution Service (Openbaar Ministerie or OM) have linked three teenage suspects to COLDRIVER, raising concerns about the group’s growing influence and capabilities.

In the first few months of 2025, COLDRIVER launched a series of attacks in which LOSTKEYS was deployed. These operations signal a new, aggressive, cyber-first strategy. COLDRIVER’s latest campaigns have also brought a new malware family into view. This latest and most dangerous manifestation has a name: “ROBOT.”

Background on COLDRIVER

COLDRIVER, also known as CYCLONE and NOBELITE, has recently risen to prominence for its agility and its complex malware-loading techniques. The group’s activities have even been attributed to a foreign government, further complicating an already complicated landscape of international cyber warfare. According to new threat assessments, researchers have been closely monitoring the malware families attributed to COLDRIVER. Zscaler ThreatLabz tracks NOROBOT and MAYBEROBOT under the aliases BAITSWITCH and SIMPLEFIX, respectively.

The constant development of COLDRIVER’s malware families has kept cybersecurity experts on alert. Wesley Shields, a researcher at Zscaler ThreatLabz, emphasized that “NOROBOT and its preceding infection chain have been subject to constant evolution—initially simplified to increase chances of successful deployment before reintroducing complexity by splitting cryptography keys.” This flexibility suggests that COLDRIVER is not merely reactive but forward-thinking in honing its attack techniques.

Arrests and Investigations

On September 22, 2025, the Openbaar Ministerie made a major development public: it had arrested two suspects in connection with a long-term investigation into the extent of COLDRIVER’s operations. A third suspect, convicted but said to have played a minor role in the operations, has been under house arrest since 2012.

Services to a foreign government

In a broad indictment, authorities announced that they believe these individuals provided services to Beijing’s government. One had reportedly kept in communication with a hacker collective associated with the Russian state.

“This suspect gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague,” stated the Openbaar Ministerie. These actions show the degree to which the suspects were working in concert, and highlight their growing contribution to broader cyber-espionage activities.

Our detectives are presently pursuing these suspects. This prosecution is an important step toward disrupting COLDRIVER’s ability to operate and preventing future cyber attacks by the criminals behind it. The OM reported that “the information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.” This points to a clear commercial element in their operations: the sensitive data they collect can be sold for profit and then used for malicious purposes.

Emerging Malware Families

Fortunately, recent findings indicate that only two examples of the new YESROBOT deployment have been documented so far. Both occurred within a two-week period in late May, shortly after news first broke about LOSTKEYS. This timing underscores how quickly attackers can exploit vulnerabilities after a public disclosure.

As these malware families illustrate, the threat landscape has evolved into an interlocking set of tools built to spread disruption. They are directly linked through a complex delivery chain. “It is a collection of related malware families connected via a delivery chain,” Wesley Shields explained. The interrelation among these malware types poses challenges for cybersecurity analysts striving to mitigate risk and defend against evolving threats.