That is precisely what Google has now documented: three new malware families attributed to COLDRIVER, a hacking group linked to the Russian government. The malware's development timeline since May 2025 shows a string of further iterations, pointing to a rapid and continuous evolution in tooling and tactics. COLDRIVER has historically pursued high-interest individuals, such as members of non-governmental organizations (NGOs), policy advisors, and dissidents, with a clear focus on credential theft. What sets the most recent waves apart is a clear shift away from that modus operandi toward placing malware on victims' machines.
The disclosures follow a year of escalating activity attributed to COLDRIVER. Researchers first observed these malware-based campaigns in January 2025, with further waves in March and April. Those campaigns delivered LOSTKEYS, a malware family built for data exfiltration, and were followed by the "ROBOT" family of tools (NOROBOT, YESROBOT and MAYBEROBOT) that Google has now described.
Evolution of COLDRIVER’s Malware
Zscaler ThreatLabz has been tracking the same tooling under different names: it reports NOROBOT as BAITSWITCH and MAYBEROBOT as SIMPLEFIX. The overlapping designations reflect how quickly the malware has been reworked and how hard it has been for researchers to pin down a moving target.
“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys,” – Shields
The recent attacks mark a change from COLDRIVER's historical modus operandi. The group has so far concentrated largely on credential theft, but now appears to be expanding its arsenal. LOSTKEYS, a data exfiltration tool, is a troubling departure that opens the door to far broader theft of data from compromised hosts.
Recent Arrests Linked to Hacking Activities
The Netherlands' Public Prosecution Service (OM) announced on Thursday the arrest of two suspects, both 17 years old at the time, who were taken into custody on September 22, 2025. The two allegedly acted on behalf of a foreign government. One of the suspects is also reported to have been in direct contact with a hacker group aligned with the Russian government.
Only one of the two remains in custody; the other has been placed under house arrest with an electronic ankle monitor because of his "minimal involvement" in the case. The OM adds that the suspect who was in contact with the hackers instructed the other to map Wi-Fi networks, which was done on multiple dates in The Hague.
“This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague,” – OM
The investigation remains ongoing, and authorities are still working to establish the full significance of these arrests for national and international security.
Implications for Cybersecurity
The emergence of new malware families from COLDRIVER is a serious development and has prompted considerable discussion within the security community. As the group's tactics change, so must the defences used to protect sensitive data; the growing sophistication of the malware and of its delivery means that detection and response have to be revisited continually.
Thus far only two successful YESROBOT deployments have been observed, both within a two-week window in late May 2025, shortly after the public disclosure of LOSTKEYS. That timing is unlikely to be coincidental: it reads as a deliberate, rapid retooling by a group that weighs when and how to strike for the best return.
As these investigations continue, more is emerging about COLDRIVER's operations and connections. Security professionals are urging organizations across all industries to stay prepared and remain vigilant against these continually changing threats.