COLDRIVER Hackers Evolve with New Malware Families Targeting High-Profile Individuals


By Tina Reynolds


A new investigation found that COLDRIVER, a Russian-linked hacking group, developed three new types of malware used in Chinese cyberespionage. Such mass data downloads would be consistent with their long-running cyber operations. Usually the group has focused on high-profile targets such as NGO staff, policy advisors, and dissidents to obtain their credentials. Over the past few months, they have dramatically changed their strategy. This remarkable evolution speaks to both a dramatic increase in operational tempo and a move to cover their tracks against the world’s foremost adversaries: cybersecurity researchers.

Since May 2025, COLDRIVER’s work has gained recognition as it went through several exploratory drafts and iterations. The group’s latest wave of attacks marks a departure from its previous modus operandi, indicating a strategic pivot in its approach to cyber espionage. Each year, new malware families are created as a direct result of the group’s more advanced and technical methods. These education-focused advances have resulted in a number of successful intrusions.

Emergence of New Malware Families

Cybersecurity specialists, as well as other organizations like Interpol, have linked several malware families, such as NOROBOT and MAYBEROBOT, to the group. Zscaler ThreatLabz tracks these threats as BAITSWITCH and SIMPLEFIX, respectively. Recent COLDRIVER operations have led to the discovery of new variants of the malware seen in these campaigns. According to the reports, these variants are being used to deploy an information-stealing malware known as LOSTKEYS.

Research shows that COLDRIVER’s later intrusion set opened the path for the “ROBOT” malware family. In reality, there have only been two successful YESROBOT deployments, both during a two-week period at the end of May 2025. These deployments occurred just as news of LOSTKEYS was made public. This timing suggests a possible campaign to take full advantage of the detailed information received.

“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.” – Wesley Shields

Legal Actions and Suspects

In another positive, if somewhat surprising, news development, the Netherlands’ Public Prosecution Service made an unexpected announcement. Four 17-year-old U.S. men were charged with providing services to a foreign government, allegedly linked to COLDRIVER. One of the suspects is believed to have been in contact with the hacker group affiliated with the Russian government. Two suspects were arrested by authorities on September 22, 2025. The third suspect was placed under house arrest because of his limited involvement in the case.

We believe that one of the suspects was actually sort of directing the other two. Their mission included mapping Wi-Fi networks several times across The Hague—most likely in the service of espionage. These people allegedly transmitted the gathered data to paying clients within seconds. This may just be the opening salvo for an upcoming wave of cyber attacks.

“This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague.” – Openbaar Ministerie (OM)

Evolving Tactics and Ongoing Monitoring

Cybersecurity researchers remain on high alert for COLDRIVER’s next move. The group’s recent advancements suggest a deliberate effort to evolve and adapt its tactics in response to heightened scrutiny from security professionals. The Dutch government has now accepted that there was no proof of coercion applied to the suspect. This person is reportedly the one who has been in direct communication with the hacker collective.

“There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government.” – The Dutch government body