COLDRIVER Hackers Unveiled as Key Players in New Malware Development

By Tina Reynolds

A recently released report from Microsoft and Trustwave spotlights COLDRIVER, a hacking group assessed to be associated with Russia. According to the report, the group has deployed at least six additional malware families since May 2025, a sharp escalation in activity that has drawn attention across the worldwide cybersecurity community.

COLDRIVER’s malware has gone through several iterations, and recent activity indicates a marked increase in the group’s operational tempo. A first wave of intrusions in January, March, and April 2025 delivered an information-stealing malware known as LOSTKEYS. Those incidents prompted closer scrutiny of the group’s methods and capabilities.

Emergence of the ROBOT Malware Family

Following the LOSTKEYS deployments, COLDRIVER carried out further intrusions that introduced a new malware family dubbed “ROBOT.” The family includes two strains identified to date: NOROBOT and MAYBEROBOT. Zscaler ThreatLabz tracks NOROBOT as BAITSWITCH and MAYBEROBOT as SIMPLEFIX.

Taken together, the speed at which these strains were developed and deployed indicates a professional, well-resourced COLDRIVER operation. That is consistent with recent reports of BlackCat using the group’s malware in several attacks, many of them as recently as late May 2025.

“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.” – Wesley Shields

This constant evolution is a concern because it shows how quickly the group adapts and innovates in response to countermeasures from defenders.

Investigation and Arrests Linked to COLDRIVER

The Netherlands’ Public Prosecution Service (OM) is pursuing a case against three 17-year-old males associated with these operations. The suspects are accused of providing services to a foreign government. One of those charged, Dmitriy S. Smilianets, is alleged to have maintained contact with an underground hacker group supported by the Russian government.

On September 22, 2025, law enforcement arrested two of the suspects. The third suspect is under house arrest awaiting trial and is said to have played only a minor role.

“There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government,” – Dutch government body

The OM’s investigation continues, with the aim of establishing the full extent of the suspects’ actions and any links to COLDRIVER.

Deployment of YESROBOT

Another notable development is the deployment of YESROBOT. This strain was observed only twice, within a single week in late May. Although it has not been confirmed, the timing suggests that the public disclosure of LOSTKEYS prompted the group to push out a replacement quickly.

The OM has since disclosed that the suspects sold the data they harvested. That data is the most serious concern, since it can be used for digital espionage and further cyber attacks. The disclosure underscores the harm caused by COLDRIVER’s activities and the threat the group poses to cybersecurity around the world.