Google’s Threat Intelligence Group (GTIG) has officially identified three new malware families created by the Russia-linked hacking collective known as COLDRIVER. Codenamed NOROBOT, YESROBOT, and MAYBEROBOT, these tools are part of a new malware suite that has undergone numerous developmental iterations since May 2025. The discovery, detailed in a Monday analysis, suggests a significant increase in the “operations tempo” from the state-sponsored threat actor, indicating a more aggressive phase of activity.

Rapid Evolution Post-LOSTKEYS Disclosure

The findings from GTIG are particularly notable due to the speed at which COLDRIVER has adapted its offensive tools. The hacking crew rapidly refined and retooled its malware arsenal just five days following the public disclosure of its LOSTKEYS malware in May 2025. This quick pivot demonstrates the group’s ability to respond to public security research and re-equip its operators with new capabilities in a very short timeframe. Since the LOSTKEYS disclosure, Google’s team reports that it has not observed a single instance of that specific malware family being used in the wild, suggesting it was quickly abandoned for these newer variants.

An Interconnected Malware Suite

In the analysis, GTIG researcher Wesley Shields described the three new families as “a collection of related malware families connected via a delivery chain.” This structure implies that the tools are not designed to operate in isolation but rather as components of a multi-stage attack. While the exact duration of the development for NOROBOT, YESROBOT, and MAYBEROBOT is currently not known, their interconnected nature points to a well-planned cyber espionage framework. The report also highlights that the latest attack waves deploying this new suite represent something of a departure from COLDRIVER’s typical modus operandi, signaling a tactical evolution for the group.