COLDRIVER Hackers Unveil New Malware Families Targeting High-Profile Individuals

By Tina Reynolds

Another hacking group with ties to Russia recently made headlines—COLDRIVER. Its cyber-espionage methods and tooling are changing at an unprecedented pace. In the past, this group focused on stealing credentials from NGOs, policy advisors, and dissidents. In recent months, it has shifted its approach and released a number of new malware families. These expanded operations have increased the group’s scope, impact, and reach, alarming the global cybersecurity community.

Since the launch of COLDRIVER in May 2025, we’ve seen a significant upsurge in operational tempo. The group is best known for developing a number of new malware families, in particular NOROBOT and MAYBEROBOT. Zscaler ThreatLabz has been tracking these threats, referring to them as BAITSWITCH and SIMPLEFIX, respectively. If accurate, these developments would represent an aggressive departure from COLDRIVER’s prior tactics and a sign of a more hawkish approach to targeting high-profile people.

Evolution of COLDRIVER’s Malware Tactics

COLDRIVER’s new wave of attacks has been marked by a creative shift in malware building. The group’s previously known malware, especially LOSTKEYS, was used in at least three waves, in January, March, and April 2025. After these intrusions, COLDRIVER released the “ROBOT” family of malware, a new variant of which, YESROBOT, was recently detected.

To date, there have been only two recorded YESROBOT deployments. Both took place during a two-week stretch at the end of May 2025, just a few weeks after the announcement of LOSTKEYS. This timing points to the fact that the hackers are strategic in their retaliation. At the same time, they are learning, adapting and evolving their methods in response to increased scrutiny.

“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys,” – Wesley Shields.

This evolution highlights not only the group’s technical abilities but also its strategic adjustments aimed at overcoming the security measures deployed by its targets.

Legal Actions and Investigations

Further compounding the situation is the recent news from the Netherlands’ Public Prosecution Service about its case against three suspects, all 17 years old. Law enforcement officials suspect that these individuals were acting at the behest of a foreign government. They claim that all but one of them had personal ties to a hacker group associated with the Russian government. This troubling trend is highlighted in the recent announcement of an investigation into youth participation in cybercrime associated with international espionage campaigns.

“There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government,” – the Dutch government body.

What’s more shocking is that on several occasions, the prosecution showed, one of the suspects instructed the others to drive around The Hague to map out local Wi-Fi networks. Such intelligence could help enable further offensive cyber operations.

“The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks,” – OM.

These cases indicate a more complex collaboration ecosystem between local actors and foreign criminal enterprises. The implications are alarming, not just for national security but for corporate security as well.

Implications for Cybersecurity

The new malware families that COLDRIVER has released definitely ramp up the workload for cybersecurity professionals. As these state actors hone their techniques and broaden their attack surface, organizations need to be more proactive than ever. Malware such as NOROBOT, MAYBEROBOT and YESROBOT is constantly evolving. This illustrates just how fast the threat actors are able to pivot and weaponize the countermeasures that cybersecurity teams deploy.

This underscores the importance, for everyone from individuals to large organizations, of maintaining strong security practices and staying aware of new threats. COLDRIVER’s operations are expanding quickly. This demonstrates the important role that ongoing training and awareness play in the fight against ever-changing cybercriminal tactics.