New Malware Families Linked to Russian Hacking Group COLDRIVER


By Tina Reynolds

A new national investigation — conducted by the Economic Policy Institute and American Friends Service Committee — exposes a shocking trend. The Russian hacking group COLDRIVER has been evolving its malware since as early as May 2025. It is largely this malware that has been seen used in a myriad of attacks since early 2025, suggesting a faster operational tempo. The group has been using increasingly sophisticated techniques. As a consequence, new malware families such as LOSTKEYS and its successors, NOROBOT and MAYBEROBOT, have come to the forefront.

What has kept cybersecurity experts and government agencies on edge ever since is the nature of COLDRIVER’s activities. The new malware families provide further evidence of the group’s remarkable technical prowess. More importantly, they expose a very clear strategic intent to exploit vulnerabilities for information theft and disruption.

Overview of COLDRIVER’s Malware Evolution

Since its first attack in May 2025, COLDRIVER has executed a number of cyberattacks. This trend marks their rapid advancement in malware development. The first wave of these attacks used LOSTKEYS, an information-stealing malware. This initial deployment paved the way for even more ambitious additions to their malware arsenal.

Following the introduction of LOSTKEYS, the frequency of COLDRIVER’s malware deployments increased significantly. January, March, and April 2025 saw some of the most remarkable examples of this surge. With each attack came greater sophistication, as the group aimed to refine its tools and make them more damaging.

Wesley Shields, a cybersecurity expert, remarked on the evolution of NOROBOT: “NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.”

Newly Identified Malware Families

The malware created by COLDRIVER is broken down into several families, with NOROBOT and MAYBEROBOT receiving much of the spotlight. These two variants are tracked by Zscaler ThreatLabz under the names BAITSWITCH and SIMPLEFIX, respectively. Their emergence indicates a second tactical change in COLDRIVER’s strategy. Adapting to countermeasures, COLDRIVER has refined its techniques.

The YESROBOT family, while only having been seen in two examples so far, is another layer in COLDRIVER’s constantly expanding and changing toolset. Both of these YESROBOT deployments took place during a 6-day window in late May 2025. These attacks followed closely on the heels of the technical details of LOSTKEYS being released to the public. This timing suggests a deliberate plan to take advantage of fresh vulnerabilities.

Legal Actions and Connections to Foreign Governments

In a parallel move, three 17-year-old males have been named by authorities as suspects in allegedly offering services that led to attacks like those attributed to COLDRIVER. In fact, reports have surfaced suggesting that one suspect kept communication open with a hacking group tied directly to the Russian state.

“There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government.”

Law enforcement has announced that this suspect was central to the operation. He instructed the other two to traverse Wi-Fi networks on several days in The Hague. This indicates substantial coordination in their planning and organization, which is fully in line with the goals of COLDRIVER.

Law enforcement arrested two of the suspects on September 22, 2025. Authorities have managed to interview the third suspect, who is currently under house arrest. Even as they acknowledged his “limited role” in the case, they requested more information from him.