The Russian government-sponsored hacking unit COLDRIVER has recently been accused of creating new malware families. This concerning news highlights the persistent danger this group poses. The rapid increase in malicious cyber activity has raised red flags, especially for high-profile targets such as NGO members, policy advisors, and dissidents. Since May 2025, COLDRIVER has changed its tactics significantly, and its approach today is more focused on credential theft.
The Netherlands’ Public Prosecution Service has indicated that COLDRIVER’s operations have gained momentum, with new malware families being tracked by the cybersecurity firm Zscaler ThreatLabz. Among the most notable recent developments are NOROBOT and MAYBEROBOT, which are examined here under the names BAITSWITCH and SIMPLEFIX, respectively. COLDRIVER has also recently been observed launching attacks with a newer information-stealing malware known as LOSTKEYS. These attacks not only led to further intrusions but also ushered in the new “ROBOT” family of malware.
Increased Cyber Activity
COLDRIVER’s increased activity indicates that the group is moving beyond its usual operations. The group, infamous for going after high-profile targets, has shown an ability to adapt its malware quickly since May 2025. Some observers have noted, for example, that the many development versions of malware released point to a faster operational tempo.
“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.” – Wesley Shields
Cybersecurity specialists have warned that COLDRIVER’s new attacks fit into a larger, more strategic approach intended to make them more effective. This shift has raised serious concerns about future digital espionage and cyberattacks aimed at critical industries.
Malware Families and Their Implications
The newly discovered malware families related to COLDRIVER are YESROBOT, NOROBOT, and MAYBEROBOT. YESROBOT stands out in particular: it was observed only once or twice during a two-week stretch in late May, soon after LOSTKEYS became public. This limited deployment indicates a careful but effective strategy on the part of the attackers.
The implications of these malware families go beyond credential theft. According to recent findings by the Openbaar Ministerie, the sensitive and valuable information stolen in such intrusions is typically sold for profit, and the stolen data is then often used to conduct further digital espionage.
“The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.” – Openbaar Ministerie (OM)
Cybersecurity analysts are rightly stressing the need for increased awareness among all potential targets. The stakes have never been greater.
Connections to Suspected Individuals
COLDRIVER’s operations have attracted scrutiny because of their extensive ties to known or alleged cyber criminals. Specifically, one hacker group tied to COLDRIVER was recently said to be in regular communication with a 17-year-old suspect.
“This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague.” – Openbaar Ministerie (OM)
The Dutch government has accepted the suspect’s denial of all allegations, and it maintains that there are no indications of outside coercion in his dealings with the hacker group. This serves as a reminder of the multifaceted nature of cybersecurity threats and of the people who can at times be complicit in them.