Increased Malware Activity Linked to Russian Hacking Group COLDRIVER

By Tina Reynolds

A notable development has emerged in an already complex threat landscape. The Russia-linked hacking group COLDRIVER is now an advanced threat actor with several custom malware families at its disposal. Since May 2025, COLDRIVER has continuously refined its malware in an iterative process that has produced five iterations so far, reflecting a growing operational tempo. That increased activity is visible in the malware's use in several high-profile cyberattacks in early 2025.

Zscaler ThreatLabz tracks the malware families NOROBOT and MAYBEROBOT as BAITSWITCH and SIMPLEFIX respectively. These malware families were used in real attacks during the first three months of the year, from January through March 2025. Those incidents also produced an infostealer known as LOSTKEYS, a development that underscores COLDRIVER's ability to innovate and change its playbook. The group's continued intrusion activity has allowed it to build out an entirely new family of malware, known as the "ROBOT" family.

Malware Development and Deployment

Each iteration of COLDRIVER's malware marks a change in the strategic direction of the group's operations. As security researchers have pointed out, the malware families have been continually re-engineered to make them more effective.

“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys,” said Wesley Shields, a cybersecurity researcher.

This agility reflects COLDRIVER's commitment to refining its approach and extracting the greatest return from each operation. YESROBOT in particular has seen rapid uptake: by the end of May 2025, two deployments had already been documented within a two-week span. This swift rollout, coming so soon after LOSTKEYS was publicly disclosed, underscores the urgency and danger that COLDRIVER's malware poses to its targets.

Law Enforcement Response

Unsurprisingly, COLDRIVER's activity has drawn the attention of law enforcement agencies. The Netherlands' Public Prosecution Service has publicly named three men, all 17 years old, as suspects. They purportedly performed work on behalf of a foreign government associated with COLDRIVER, and one of the suspects is said to have been in direct communication with the pro-Russian hacker collective.

Two of the suspects were arrested on September 22, 2025. The third was placed under house arrest, owing to what prosecutors described as his "limited role" in the case. The current investigation seeks to determine how deeply involved they were in helping these attackers carry out acts of cyber warfare.

“This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague,” stated the Openbaar Ministerie (OM), shedding light on the nature of their activities.

Authorities said that the suspects allegedly sold all the stolen information to another client for profit. This may very well have opened the door for more future digital espionage and cyber warfare.

Ongoing Cybersecurity Monitoring

COLDRIVER's malware campaigns are still being studied by cybersecurity researchers, who hope to understand the group's methodologies and reduce the effectiveness of its attacks in the future. The continued growth and sophistication of the malware highlights the need for greater awareness in both the business and government sectors.

The adaptation seen in COLDRIVER's operations illustrates the ever-changing landscape of cyber threats. With each iteration of its malware, the group becomes more sophisticated, requiring stronger countermeasures from defenders.

“A collection of related malware families connected via a delivery chain,” remarked Wesley Shields, emphasizing the interconnectedness of COLDRIVER’s operations and its implications for global cybersecurity.