Russian Hacking Group COLDRIVER Unveils New Malware Families Amid Increased Activity


By Tina Reynolds


A recent investigation has produced a notable revelation: the Russia-linked hacking group known as COLDRIVER has developed three new malware families as part of a marked ramp-up in its cyber operations. Since May 2025 the group has gone through several development cycles, and it has focused on credential theft against high-profile members of non-governmental organizations (NGOs), policy advisors, and dissidents. These findings, together with related disclosures from Zscaler ThreatLabz, illustrate the growing threat that COLDRIVER presents.

COLDRIVER tooling has previously been detected under the names BAITSWITCH and SIMPLEFIX, and the group's operational tempo has been climbing since. Its latest wave of attacks departs from its usual tactics, introducing new malware families such as NOROBOT and MAYBEROBOT. The shift suggests a group that is actively retooling rather than relying on its established playbook.

Recent Developments in COLDRIVER’s Operations

On September 22 the Openbaar Ministerie (OM), the Dutch public prosecution service, reported that it had arrested three persons of interest, whom it connected to the wider COLDRIVER-related activity. The most striking detail is that the suspects, 17-year-olds, were allegedly offering their services to a foreign government, and information they gathered was passed on to a client. Two of them were taken into custody; the third is under house arrest because of a more peripheral role in the case.

“The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.” – Openbaar Ministerie (OM)

According to the OM, one of the suspects was allegedly in contact with a hacker group affiliated with the Russian government. That relationship, if confirmed, would give investigators a closer look at how such groups recruit local help on the ground and what resources COLDRIVER can draw on.

“This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague.” – Openbaar Ministerie (OM)

These disclosures point to coordinated activity among the defendants. Local collaborators feeding information to a state-aligned group further complicate the security environment for the entities it targets.

Malware Families and Evolving Techniques

COLDRIVER's arsenal now comprises several malware families that have changed markedly over time. The NOROBOT family in particular has been revised rapidly since its initial infection chain: it was first simplified to improve the odds of successful deployment, then made more complex again by splitting the cryptographic keys it uses.

“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.” – Wesley Shields

COLDRIVER has also deployed a new variant of its information-stealing malware, LOSTKEYS. Alongside NOROBOT, the group has rolled out the broader "ROBOT" family; this mixed toolbox lets it vary its tactics and keep steady pressure on its intended targets.

At the end of May, COLDRIVER deployed YESROBOT for roughly two weeks. That remains the only known instance of this particular malware, and its limited spread may indicate a testing phase or an effort to refine it for later use.

Implications of Increased Activity

The recent uptick in COLDRIVER's operations reflects the growing sophistication of state-sponsored hacking groups, which keep building new malware and refining their tactics. Organizations that respond with complacency leave themselves increasingly exposed.

As of Tuesday morning, the OM had not said whether the suspect linked to the Russian-affiliated hacker group had been pressured into cooperating, beyond noting that it had seen no indications of this. Investigations are still ongoing, and experts caution that the consequences of such developments could extend well beyond this particular case and affect cybersecurity efforts worldwide.

“There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government.” – The Dutch government body