We released a report detailing the activities of COLDRIVER, a Russia-aligned hacking group, and how it tracks its targets. Since then, starting as long ago as May 2025, the group has created truly advanced pieces of malware. Its actions have recently increased to a fever pitch, with a number of striking information-stealing malware deployments and other malicious cyber disruptions.
COLDRIVER's malware has been through many versions, constantly updated to improve its success in cyber espionage. During the P2P conference in early 2025, the group swiftly deployed an information-stealing malware known as LOSTKEYS. We covered its active campaigns in January, March, and April. As public awareness of LOSTKEYS grew, COLDRIVER appears to have shifted its focus to the "ROBOT" family of malware, which includes variants such as YESROBOT and other related families.
Evolution of Malware Campaigns
COLDRIVER's activities have not gone unnoticed. The NOROBOT and MAYBEROBOT malware families have also been observed by Zscaler ThreatLabz, which tracks them under the names BAITSWITCH and SIMPLEFIX. It is in these families that we see the clearest trend of a rising operational tempo. This ongoing development lets COLDRIVER refine and redirect its tradecraft in response to what works.
Wesley Shields, a security expert, reminded us that these threats are always changing.
“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys,” – Wesley Shields.
This ability to change suggests that COLDRIVER's campaigns are highly dynamic and advanced, and that such campaigns may be challenging to defend against.
The launch of YESROBOT opens a new front in COLDRIVER's perpetual expansion into more and more cybercrime. In late May 2025, we saw just two rare examples of YESROBOT. This development is indicative of the group's capacity to continuously fine-tune its tools to get around ever-improving cybersecurity defenses and increasing pressure.
Investigations into COLDRIVER Affiliates
The Netherlands' Public Prosecution Service has opened investigations into those allegedly supporting COLDRIVER. Authorities arrested two of the suspects on September 22, 2025, and a third suspect is currently under house arrest. The suspects are all 17 years of age and are thought to have supplied services to a foreign government.
One suspect even allegedly reached out to a hacker group with ties to the Russian government. This relationship could imply hands-on engagement with the operation of COLDRIVER. The Openbaar Ministerie (OM) would ordinarily welcome this kind of development.
“The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks,” – Openbaar Ministerie (OM).
Dutch authorities have not found that any pressure was brought to bear on the suspect associated with the hacker collective, and they continue to watch for further developments.
“There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government,” – Dutch government body.
As this investigation makes abundantly clear, our cyber adversaries continue to challenge our national security and interests.
Implications for Cybersecurity
We have seen a sharp increase in activity from COLDRIVER that continues to alarm cybersecurity experts and industries around the world. As these hackers use more advanced malware, so too grows the need for better cyber defenses against these ever-evolving threats. The change of emphasis from LOSTKEYS to the ROBOT family marks a move to a more sophisticated and elusive set of strategies.
It is more important than ever for organizations to stay alert and take the initiative in strengthening their security measures against these new threats. Collaboration between international law enforcement agencies will be key to dismantling networks built by transnational crime syndicates such as COLDRIVER.