Russian Hackers Evolve Malware Capabilities with New ROBOT Family


By Tina Reynolds


COLDRIVER, an advanced persistent threat (APT) group with Russian connections, has developed and deployed the FROZENLAKE malware family. This more sophisticated malware is called “ROBOT.” The development represents a marked escalation of the group’s cyber aggression since March 2025. The subgroup has sustained a fairly high “operations tempo,” deploying several different versions of this malware in widespread public attacks.

The ROBOT family includes three distinct malware variants: YESROBOT, NOROBOT, and MAYBEROBOT. These threats have arisen in the context of an increasing wave of disruptive cyber incidents. Indeed, both cybersecurity professionals and federal officials have sounded the alarm on this grim reality.

COLDRIVER’s Increased Activity

COLDRIVER’s return is a notable development in today’s cyber threat landscape, and recent evidence suggests that its operational tempo has increased. From late May 2023 onwards, the group has released nine different variants of its malware, each of which has gone through several cycles of development.

By late May 2025, YESROBOT had been used in two successful operations within a two-week period. The timing could hardly have been more critical: it was right around the time the public became aware of LOSTKEYS, a widely reported information-stealing malware.

“The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.” – Openbaar Ministerie (OM)

The launch of LOSTKEYS paved the way for the later launches that ushered in the ROBOT family. Cybersecurity investigators have linked these attacks back to January, March, and April 2025, which indicates that COLDRIVER is methodically taking advantage of weaknesses.

The ROBOT Family of Malware

The ROBOT family is especially dangerous because, like a worm, it is designed to spread and infect across an organization’s infrastructure. One unexpected side effect of this shift turned NOROBOT into one of YESROBOT’s largest threats. Zscaler ThreatLabz tracks NOROBOT and MAYBEROBOT as BAITSWITCH and SIMPLEFIX.

COLDRIVER is always iterating on its approach. It does not stop at creating malware; it fine-tunes its tactics to maximize effectiveness. Its ability to adapt quickly presents a serious challenge to defenders.

“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.” – Wesley Shields

In another major move, the Dutch prosecution service Openbaar Ministerie (OM) announced a significant development yesterday. It has arrested three 17-year-old males, charging them with providing COLDRIVER and other foreign actors with this type of service. On September 22, 2025, police arrested two of the suspects. The third suspect is under house arrest due to his minor involvement in the scheme.

Legal Actions Against Suspects

Even the Department of Homeland Security has warned that these arrests could have chilling effects. The OM stated:

Authorities revealed that at least one of the arrested suspects had colluded with a hacker group that is directly connected to the Russian state. To date, there are still no signs that any pressure was applied to this person.

“This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague.” – Openbaar Ministerie (OM)

Moreover, officials confirmed that one of the arrested suspects had been in contact with a hacker group associated with the Russian government. However, there are currently no indications that any pressure was exerted on this individual.

“There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government.” – Dutch government body