A Google Threat Analysis Group report published Friday found that the Russian-linked hacking group COLDRIVER has upped its game by developing a new malware family, commonly referred to as “ROBOT.” The family has gone through multiple versions since May 2025, representing an increase in the group’s cyber capabilities. As with their criminal counterparts, the malware landscape around the group is likely to have changed fundamentally. In a series of attacks earlier this year, COLDRIVER deployed an information-stealing malware named LOSTKEYS that is both harmful and widespread.
The step-by-step evolution of COLDRIVER’s malware capabilities serves as a reminder of the increasing sophistication of cyber threats. Members of the “ROBOT” family have already been found, such as NOROBOT and MAYBEROBOT. Zscaler ThreatLabz monitors these variants under the names BAITSWITCH and SIMPLEFIX respectively. Recent announcements from undersecretary Colin Kahl paint a more troubling picture with respect to COLDRIVER’s operational tempo. It now looks like the group is intensifying its campaigns.
Development of the ROBOT Family
We’re calling COLDRIVER’s new malware family NUCLEUS, and it has gone through several versions since its introduction in May 2025. What is new is the introduction of NOROBOT and MAYBEROBOT, a major step in the group’s strategy for digital attacks. The capabilities these tools bestow make the group more formidable.
Wesley Shields, a researcher from Google Threat Intelligence Group (GTIG), stated, “NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.”
Shields further described the ROBOT family as “a collection of related malware families connected via a delivery chain.” This link between the physical and digital spaces enables more precise, damaging attacks while providing expanded flexibility to target civilian systems.
The first time we got a look at a new variant—what we’re calling YESROBOT—was in late May. This is on top of the NOROBOT and MAYBEROBOT variants. Since the public announcement of LOSTKEYS, activity has ramped up tremendously. This indicates COLDRIVER is intentionally adapting to maintain its operational momentum.
Previous Incursions and Ongoing Investigations
The hacking group’s previous operations featured the use of LOSTKEYS, which was in use in January, March, and April 2025. Given its nature as information-stealing malware, its use represented a high risk for many classes of organizations until its operations were disrupted by heightened scrutiny.
After the number of sex crimes committed by COLDRIVER increased, three 17-year-old males were arrested on September 22, 2025. Law enforcement authorities believe these individuals conspired to provide services on behalf of a foreign government. They are further linked to contact with a group of hackers associated with the Russian state.
According to the Netherlands’ Public Prosecution Service (OM), investigators discovered that one of the suspects had provided this information to a client for a fee; the data may also have been mined for purposes of digital espionage and cyber attacks. They noted that “This suspect gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague.”
Implications for Cybersecurity
The consequences of COLDRIVER’s shifting malware capabilities are dire for national security and private industry alike. With cyber threats evolving rapidly and growing in number, organizations need to ensure cybersecurity is at the top of their priority list.
The Dutch government confirmed that there are “no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government.” This assertion mirrors the reality of multi-jurisdictional investigations, often with alleged local suspects linked to international networks of cybercriminals.
As threats such as COLDRIVER continue to grow, experts advise organizations to remain on guard and adjust their protections to stay ahead of them. Be on the lookout for developing strains of malware, and stay ahead of advanced hacking collectives by using strong cybersecurity defense strategies.