COLDRIVER Hackers Unleash New Malware Families with Increased Activity

By Tina Reynolds

Cybersecurity researchers recently studied the phenomenon and concluded that the Russian-linked hacking group COLDRIVER is responsible for creating several new malware families. Its operational tempo has increased sharply. LOSTKEYS, an information-stealing malware, drew headlines earlier this year. As of late May 2025, COLDRIVER has escalated both the ambition and the pace of its malware development and deployment efforts. This dramatic increase indicates a much higher “operations tempo” in support of advancing its cyber agenda.

The malware LOSTKEYS was first noted in campaigns seen in January, March and April of 2025. Subsequent intrusions by COLDRIVER have led to the creation of the “ROBOT” family of malware, which comprises three variants: YESROBOT, NOROBOT, and MAYBEROBOT. Taken together, these advancements represent an alarming shift in the group’s capabilities and tactics.

Increased Operational Tempo

The accelerating pace of malware production by COLDRIVER is a clear signal of a strategic pivot to more aggressive cyber operations. Researchers with security firm Team Cyderes found that the group has retooled its malware repeatedly since May of 2025. These patterns reflect a sense of desperation in its efforts.

“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys,” said Wesley Shields, a cybersecurity analyst.

This pattern of breakneck development has cybersecurity professionals on high alert as they continue to track the group’s conduct. Unlike many recent rental cyberattacks, this malware, dubbed LOSTKEYS, is explicitly geared toward corporate espionage, which makes it an extremely valuable tool for prospective digital espionage.

New Malware Variants

The ROBOT family of malware is a major development in COLDRIVER’s cyber arsenal. YESROBOT has only been deployed on two occasions across a two-week period in late May/early June 2025. This indicates that the attacks are focused rather than indiscriminate and broad.

Zscaler ThreatLabz tracks NOROBOT and MAYBEROBOT as BLACKMAYFLY and SPANSIP respectively. Perhaps more worrisome, this speaks to the group’s remarkable ability to obfuscate its cyber capabilities. Elsewhere, NOROBOT is called BAITSWITCH and MAYBEROBOT is called SIMPLEFIX. This duality of names gives the threat actor operational camouflage for its cyber warfare efforts.

The ramifications of these new malware families go beyond compromising a single organization’s data. They act as ideal tools for digital surveillance and widespread cyber warfare against both military and civilian targets.

Suspects Apprehended

On September 22, 2025, the Netherlands’ Public Prosecution Service announced the apprehension of three 17-year-old men suspected of providing services to COLDRIVER or similar foreign entities. One of the suspects allegedly had direct ties to hackers working for the Russian government.

“The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks,” stated the Openbaar Ministerie (OM).

As part of this activity, one of the suspects repeatedly directed the others to map Wi-Fi networks found throughout The Hague. This clearly demonstrates a dedicated and concerted effort to gather intelligence for future cyber operations.

“There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government,” noted a representative from the Dutch government.

This dangerous incident brings to the forefront not only the societal threat of youth involvement in cybercrime, but also ongoing issues with international cybersecurity.