In what can only be described as a whiplash pivot, the Russia-linked threat actor COLDRIVER has begun deploying a new family of malware, tracked under names ending in ROBOT. The new family has been in use since at least May 2025 and has already gone through multiple iterations, which suggests an accelerated operational tempo from the group.
Zscaler ThreatLabz tracks the same activity under different names: BAITSWITCH and SIMPLEFIX are the Zscaler designations corresponding to NOROBOT and MAYBEROBOT respectively. Defenders are understandably concerned about the spread of this malware, which is linked to COLDRIVER's earlier activity involving the information-stealing malware LOSTKEYS.
Increased Activity and Deployment
Recent intelligence indicates that COLDRIVER's operations have increased significantly, with prominent deployments in late May 2025. The increase began immediately after LOSTKEYS was publicly disclosed; that tool had already been used in attacks in January, March and April of the same year.
One of the deployments was observed for only about two weeks, which points to a narrowly targeted strategy on the attackers' side. The introduction of the ROBOT family appears to be a direct response to the increased scrutiny that followed the public exposure of LOSTKEYS.
“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys,” – Wesley Shields
This latest evolution is further evidence of COLDRIVER's adaptability and its intent to remain a persistent, capable threat.
Suspects Under Investigation
The Netherlands' Public Prosecution Service (Openbaar Ministerie, or OM) has identified three suspects in connection with COLDRIVER activity, a significant development in the case. Dutch prosecutors allege that these teenagers provided services to a hostile foreign power, and one of them is accused of having been in ongoing contact with a person identified as COLDRIVER.
Two of the suspects were arrested on September 22, 2025. The third is under house arrest because of his more limited role in the operation. Investigators are now focused on what each of them did and whether their activity connects them to the hacking group's operations.
“This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague,” – Openbaar Ministerie (OM)
The prosecution service is, understandably, examining the evidence closely before proceeding against the young men, since their actions may have played a meaningful part in enabling COLDRIVER's cyber operations.
Implications for Cybersecurity
The emergence of the ROBOT family, alongside the prosecution of the suspects, highlights the persistent challenges defenders face. COLDRIVER continues to refine its methods and extend its reach, so organizations need to keep strengthening their detection and defense against these constantly evolving attacks.
The suspects allegedly sold or shared the information they collected with a paying client. That raises clear concerns about espionage and state-directed cyber attacks.
“The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.” – Openbaar Ministerie (OM)
Dutch authorities are continuing their investigation of the suspects while threat intelligence teams keep tracking COLDRIVER's operations. At the same time, the international community must remain on guard against further malicious cyber activity by this Russia-linked group.