COLDRIVER Hackers Unleash New Malware Families Targeting High-Profile Individuals

By Tina Reynolds

The news that should be ringing alarm bells within organizations around the world is the COLDRIVER group’s creation of not just one but three distinct malware families. This new finding points to a deeply concerning change in the group’s operational tactics and an increase in their activity. Since May 2025, COLDRIVER has fielded several versions of its malware, suggesting a heightened “operations tempo.”

The new malware is connected to a wave of recent attacks. These attacks mainly focus on high-profile leaders in non-governmental organizations (NGOs). The targets frequently, though not always, include government policy advisors and dissidents, with credential theft usually being the goal. This latest wave of attacks is a departure from COLDRIVER’s typical tactics, and the shift is concerning many cybersecurity experts.

The Evolution of Malware: LOSTKEYS to ROBOT

COLDRIVER’s most recent operations involved the deployment of an information-stealing malware identified as LOSTKEYS. This malware was only seen in incidents during January, March, and April 2025. Beyond this initial tooling, the Transnational Criminal Organization was behind the development of the “ROBOT” family of malware. This family includes variants such as NOROBOT and MAYBEROBOT.

Zscaler ThreatLabz tracks NOROBOT and MAYBEROBOT as BAITSWITCH and SIMPLEFIX, respectively. What has been especially notable is the evolution of NOROBOT.

“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys,” – Wesley Shields

This evolutionary process allows COLDRIVER to constantly rethink its strategy to maximize the efficiency of its attacks.

Recent Developments and Deployment Patterns

The recent deployment of yet another variant, YESROBOT, has drawn intense attention from the cybersecurity community. Its use is not yet routine: only two YESROBOT deployments have been officially recorded to date. Both occurred on consecutive days during a two-week span in late May 2025. Interestingly, information about LOSTKEYS was released to the public just weeks before these deployments, suggesting a deliberate planning period on the part of COLDRIVER.

The quick succession of these malware families shows a specific effort to iterate on attack techniques and increase their scope. Additionally, as the group goes after specific high-profile targets, their operations are still subject to highly-focused scrutiny from cyber-security firms and governments around the world.

“There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government,” – Dutch government body

Among other things, investigations reveal that the suspect repeatedly directed the actions of two others, leading them on several occasions through mapping Wi-Fi networks across The Hague.

“This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague,” – OM

Taken together, these disclosures indicate that COLDRIVER’s targeted intrusion operations likely draw on a much larger network of individuals who help facilitate its cyberattacks.

Implications for Cybersecurity

The introduction of these new malware families highlights the ever-evolving threat landscape that adversaries, such as COLDRIVER, present. Even as they change their approaches and attack vectors, organizations should be on constant lookout for ways they might be breached.

Wesley Shields describes this situation as “a collection of related malware families connected via a delivery chain.” COLDRIVER leverages the relationships among various types of malware to use one to assist in deploying another. This particular tactic further raises the barriers to detection and response.

Cybersecurity professionals are working around the clock to understand these changes. They are acutely aware that COLDRIVER represents an ongoing, deliberate threat to VIPs and major international organizations. Their relentless adaptation underscores the importance of improving our security posture and vigilance.