Russian Hacking Group COLDRIVER Unveils New Malware Families and Targets High-Profile Individuals


By Tina Reynolds


The Russian-linked COLDRIVER hacking group has been identified as the origin of five new malware families. Its main targets are high-profile individuals, in particular people with links to civil society and non-governmental organizations (NGOs), policy advisors and activists. Credential theft goes hand in hand with the group's operations. Most notably, it has launched a second wave of attacks using an information-stealing malware named LOSTKEYS. This uptick in operations has cybersecurity researchers and government entities on high alert.

COLDRIVER was behind LOSTKEYS attacks in January, March and April 2025, and since May 2025 the group has shown a remarkable capacity to adapt its tooling, cycling through several iterations of malware that surfaced in different attacks. Cybersecurity firm Zscaler ThreatLabz, which has published its own analysis of the malware, tracks two of the families under different names: NOROBOT as BAITSWITCH and MAYBEROBOT as SIMPLEFIX. The group's operations are clearly increasing in intensity.

Recent Developments in Malware

LOSTKEYS represents a significant leap for COLDRIVER. The tool has been linked to more damaging intrusions, and its use was followed by the development of a new malware family known as YESROBOT. YESROBOT was deployed only twice, in late May 2025, signaling a shift in COLDRIVER's tactics.

Wesley Shields, a cybersecurity researcher, described the continuous evolution of NOROBOT:

“NOROBOT and its preceding infection chain have been subject to constant evolution—initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.”

COLDRIVER is refining its tooling to evade detection and to maximize the impact of each attack.
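The "splitting cryptography keys" that Shields describes is a staging trick: the key that decrypts the final payload is not delivered whole but spread across several separately downloaded stages, so an investigator who captures only one stage holds nothing usable. The Python below is an added illustration written for this article, not code from COLDRIVER, Google or Zscaler; the page does not describe NOROBOT's actual scheme, so the XOR share split, the SHA-256-based toy cipher and the sample payload are all assumptions. It shows the property in working code: the payload decrypts only when every share is present.

```python
"""Added illustration of a split-key staged loader (constructed example, not the
code of COLDRIVER, GTIG or Zscaler): why an analyst who captures only some stages
of such a chain cannot decrypt the final payload."""
import hashlib
import secrets
from functools import reduce


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, shares: int) -> list[bytes]:
    """XOR secret sharing: n-1 shares are uniformly random and the last share is
    chosen so that the XOR of all n shares equals the key. Any set of fewer than
    n shares is statistically independent of the key, so it reveals nothing."""
    if shares < 2:
        raise ValueError("need at least two shares")
    parts = [secrets.token_bytes(len(key)) for _ in range(shares - 1)]
    last = xor_bytes(key, reduce(xor_bytes, parts))
    return parts + [last]


def combine_key(shares: list[bytes]) -> bytes:
    """Recover the key by XORing every share together."""
    return reduce(xor_bytes, shares)


def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from SHA-256 (assumption: stands in for
    whatever real cipher the loader uses, which the page does not describe)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; encryption and decryption are the same operation."""
    return xor_bytes(data, keystream(key, len(data)))


def build_chain(payload: bytes, stages: int = 3) -> dict:
    """Attacker side: encrypt the payload, then spread the key across `stages`
    separately delivered stages, each carrying exactly one share."""
    key = secrets.token_bytes(32)
    return {"stages": split_key(key, stages), "blob": encrypt(key, payload)}


def decrypt_with(chain: dict, captured: list[bytes]) -> bytes:
    """Analyst side: attempt decryption with whichever stages were captured."""
    return encrypt(combine_key(captured), chain["blob"])


PAYLOAD = b"MZ-constructed-sample-payload"  # constructed sample, not real malware


def demo() -> tuple[bool, bool]:
    """Returns (all stages decrypt correctly, two of three stages decrypt correctly)."""
    chain = build_chain(PAYLOAD)
    full = decrypt_with(chain, chain["stages"])          # every stage captured
    partial = decrypt_with(chain, chain["stages"][:2])   # one stage missing
    return full == PAYLOAD, partial == PAYLOAD


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The practical consequence for defenders is that a chain like this has to be collected and blocked as a whole: a sandbox detonation or a manual analysis that lacks even one stage never produces the decrypted payload, so each stage's delivery point is worth alerting on in its own right.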

Law Enforcement Response

Meanwhile, the Netherlands' Public Prosecution Service has taken a bold step in its fight against COLDRIVER. On September 22, 2025, law enforcement arrested two suspects. Both are 17 years old and are suspected of having provided services to a foreign government. One of them is reported to have been in direct and continuous contact with a hacker collective operating under the auspices of the Russian government. The prosecution service confirmed:

“This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague.”

The third suspect remains under house arrest because of a "limited role", while the investigation continues. Law enforcement has said that the defendants sold the data they obtained to their customer. Such trading presents a clear and present danger of heightened digital espionage and cyber sabotage.

Implications and Future Risks

The rapid tempo of COLDRIVER's activity underscores the sophistication of state-sponsored cyber threats. The Dutch prosecution service has been closely monitoring the case and has assessed that:

“There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government.”

The findings about LOSTKEYS and YESROBOT have drawn renewed public attention and heightened concern among cybersecurity experts about the prospect of further attacks.

The situation is still developing as Dutch authorities work to determine the suspects' connections to COLDRIVER. Taking the fight to this emerging threat will be key to protecting sensitive information and preserving national security.