In a notable twist, the Russian-linked hacking group COLDRIVER has stepped up its cyber operations. Most strikingly, the group has released three new malware families, a departure from the credential-theft tradecraft it has long been known for. COLDRIVER typically targets high-profile individuals at non-governmental organizations (NGOs), policy advisors, and dissidents in order to steal their credentials. In its most recent campaigns, the group has rolled out malware that enables deeper and more complex intrusions.
The introduction of these families follows a reported string of incidents during 2025. Most notably, the group relied on an information-stealing malware named LOSTKEYS in the January, March, and April operations we have tracked. Since those intrusions, COLDRIVER has developed the “ROBOT” family of malware, which includes two distinct variants: NOROBOT and MAYBEROBOT. These were originally reported by Zscaler ThreatLabz as BAITSWITCH and SIMPLEFIX, respectively.
Increased Operations Tempo and Evolution of Malware
Since the new malware debuted in May 2025, COLDRIVER has shown a significant increase in operational tempo, iterating on it dozens of times. The group's recent moves suggest it is changing, or at least planning to change, its strategy: a re-aiming toward more sophisticated cyber-espionage tooling.
Wesley Shields, a cybersecurity researcher, described how NOROBOT and its initial infection chain are constantly changing. First, the developers stripped the chain down to the bare minimum to increase the odds of a successful deployment, then added complexity back by introducing key-splitting cryptography, in which the key needed to decrypt the next stage is spread across separate pieces rather than shipped whole. This back-and-forth illustrates the group's intent to evade detection systems and to sustain long-term intelligence-gathering operations against high-value targets.
Shields also highlighted the consequences of this rapidly changing tooling: the group's efforts to stay ahead of detection are keeping it in the game and freeing it to continue gathering intelligence on high-value targets.
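To make the key-splitting idea concrete, the following is an added illustration, not COLDRIVER's code nor anything from the researchers who analysed it. It assumes a hypothetical two- or three-stage loader in which each stage carries one XOR share of the key that decrypts the final payload; the stage names, the `build_chain`/`recover_from_stages` helpers, the sample payload, and the SHA-256 counter-mode cipher with an HMAC tag are all constructed for this example (the cipher is illustrative, not a production design). The point it shows is that any subset of the shares is indistinguishable from random, so an analyst who recovers only one stage cannot decrypt the next, while a defender who blocks the first stage still stops the whole chain.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, List, Optional

# Added example: key splitting across loader stages. Not COLDRIVER's code.
NONCE_LEN = 16
TAG_LEN = 32


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("xor_bytes needs equal-length inputs")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, n_shares: int) -> List[bytes]:
    """Split `key` into n XOR shares. Any n-1 of them are uniformly random
    and reveal nothing about the key; all n are needed to rebuild it."""
    if n_shares < 2:
        raise ValueError("need at least two shares")
    shares = [secrets.token_bytes(len(key)) for _ in range(n_shares - 1)]
    last = key
    for s in shares:
        last = xor_bytes(last, s)
    shares.append(last)
    return shares


def combine_shares(shares: Iterable[bytes]) -> bytes:
    """Rebuild a key by XORing every share the caller holds."""
    shares = list(shares)
    key = bytes(len(shares[0]))
    for s in shares:
        key = xor_bytes(key, s)
    return key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode. Illustrative only; not a production cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_payload(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = xor_bytes(plaintext, _keystream(key, nonce, len(plaintext)))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_payload(key: bytes, blob: bytes) -> Optional[bytes]:
    """Decrypt only if the tag verifies; a wrong or partial key yields None."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return xor_bytes(ct, _keystream(key, nonce, len(ct)))


def build_chain(payload: bytes, n_stages: int = 2):
    """Hypothetical loader chain: each stage carries one share of the key that
    unlocks the final payload. Returns (per-stage shares, encrypted payload)."""
    key = secrets.token_bytes(32)
    return split_key(key, n_stages), encrypt_payload(key, payload)


def recover_from_stages(captured: List[bytes], blob: bytes) -> Optional[bytes]:
    """What an analyst gets back from whatever subset of stages was captured."""
    if not captured:
        return None
    return decrypt_payload(combine_shares(captured), blob)


if __name__ == "__main__":
    # Constructed sample payload standing in for the next-stage script.
    sample = b"constructed next-stage payload"
    shares, blob = build_chain(sample, n_stages=3)
    print("all three stages:", recover_from_stages(shares, blob))
    print("only two stages: ", recover_from_stages(shares[:2], blob))
```

The practical consequence for responders is that a single artefact recovered from a host or a sandbox will not decrypt the follow-on stage; the full delivery chain has to be reassembled, which is why per-stage capture and correlation matters more than signatures on any one file.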
Recent Arrests Linked to COLDRIVER Activities
According to the investigation, the Netherlands' Public Prosecution Service has opened a criminal investigation into three 17-year-olds. They are accused of providing services to a foreign government in support of COLDRIVER's activities. One suspect allegedly had links to hackers working under the direction of the Russian government. On September 22, 2025, law enforcement arrested two of the suspects; the third was placed under house arrest rather than detention because of their limited involvement in the case.
According to the Openbaar Ministerie (OM), the clients paid the suspects to gather and hand over information of interest to them, data that can readily be repurposed for digital espionage and cyber attacks. Investigators also found that one suspect had been training the other two to triangulate Wi-Fi networks, which they did on several dates in The Hague. The case is an example of how young people can be drawn into dangerous international cyber activity, even unwittingly supporting hostile hacking organizations.
New Malware Introductions and Implications
COLDRIVER's introduction of YESROBOT is another notable addition to its malware arsenal. In late May 2025, YESROBOT was deployed in two separate intrusions over the course of two weeks. This came just days after the first public details of LOSTKEYS were published. The timing suggests the new tooling was a response to that exposure and is tied to the group's ongoing operations.
As the group adapts and improves its tradecraft, defenders remain vigilant. This shift in COLDRIVER's operational strategy may foreshadow further aggressive campaigns against government and corporate targets worldwide. The Dutch Public Prosecution Service, for its part, was puzzled by the suspect's motives. As it wrote, “So far, there are no signs that any pressure has been applied on the suspect, who was in touch with the hacker community linked to the Russian government.” The statement highlights how little visibility law enforcement agencies have into these continually emerging threats.