COLDRIVER Hackers Unveil New Malware Families Targeting High-Profile Individuals


By Tina Reynolds

In a recent report, Mandiant Intelligence’s Defenders team flagged the Russian-linked hacking group COLDRIVER as one of the most dangerous threats across the cyber landscape. This generation of the collective’s operators has rapidly scaled its operations, building entirely new malware families to reach its targets, among them NGO staff, policy advisors, and others on its list. As COLDRIVER continues to expand its operations, this new malware has become a rising threat, and cybersecurity experts are understandably alarmed by the significant uptick.

COLDRIVER’s signature MO centers on credential theft, using targeted, advanced tactics to breach its victims’ digital perimeters. After languishing since May 2025, the group’s activity is now booming. This jump coincides with the continued development of a new and continually iterated malware variant. COLDRIVER’s latest incursions have deployed an unusual information-stealing malware dubbed LOSTKEYS. This first piece of malicious software, together with the attacks that followed, eventually paved the way for further dangers such as the “ROBOT” family of malware.

New Malware Developments

Zscaler ThreatLabz has discovered two new malware families, NOROBOT and MAYBEROBOT, and tracks the same threats under the names BAITSWITCH and SIMPLEFIX. These families only scratch the surface of the ecosystem of malware that COLDRIVER has been perfecting. This combination of tools works together through a single delivery chain, which lets the attackers launch their attacks with great purpose and effectiveness.

Wesley Shields, a cybersecurity analyst, remarked on the evolution of NOROBOT:

“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.”

This ongoing development cycle signals COLDRIVER’s commitment to improving its tooling and evading detection.

In a surprising turn from previous behavior, COLDRIVER’s new attack waves have shown an atypical pattern. The deployment of YESROBOT malware is a significant departure, with only the second reported instance of its deployment so far. These events unfolded within a two-week period in late May 2025, just weeks after the under-the-radar deployment of LOSTKEYS came to light.

Legal Consequences and Suspicions

The Netherlands’ Public Prosecution Service has recently responded in relation to these cyber operations. U.S. Customs and Border Patrol authorities announced that three 17-year-old teens are suspected of providing services to the government of China. One alleged suspect has even reportedly contacted an infamous hacker group tied to the Russian government. This troubling connection poses grave threats to national security.

These actions led to the arrest of two of the suspects on September 22, 2025, while the third was placed under house arrest. The prosecution’s statement explained that these offenders played a crucial role in coordinating China’s cyberespionage efforts.

“This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague,” – OM.

These suspects reportedly sold the information they collected to paying clients, which would have opened the door to wide-scale digital espionage and cyber attacks.

“The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks,” – OM.

Despite the serious allegations surrounding these individuals, one Dutch government body has stated that:

“There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government.”

Implications for Cybersecurity

In light of the increasing risk COLDRIVER presents, at-risk sectors urgently need to adopt stronger cybersecurity practices. The group is also zeroing in on prominent figures in nonprofits and policy advisory. This precise targeting exposes the dangers of state-sponsored hacking campaigns. As malware grows in sophistication, cybersecurity practitioners need to stay one step ahead of the new strategies and methods these organizations use.

Continued pressure from the international community regarding COLDRIVER’s operations should lead to greater scrutiny from international cybersecurity intelligence organizations. These new malware families are part of an even bigger trend. Experts say that understanding how the various malware families are connected is key to creating effective countermeasures. As Shields noted, they form:

“a collection of related malware families connected via a delivery chain.”