Russia-Linked Hacking Group COLDRIVER Unveils New Malware Families


By Tina Reynolds

A new report from cybersecurity experts has identified a Russia-linked hacking group known as COLDRIVER, which has been linked to several new malware families since May 2025. The group is expanding its malware development at a staggering pace, and this dramatic increase in activity has alarmed cybersecurity experts and U.S. government agencies.

COLDRIVER also targets high-profile individuals working in or for non-governmental organizations (NGOs), policy and funding advisors, and dissidents. Its ultimate goal is credential theft. Recent attack waves by the group mark a stark departure from its typical tactics, a clear signal that the threat landscape is changing.

Evolution of COLDRIVER’s Malware

COLDRIVER has also been linked to other malware families such as NOROBOT and MAYBEROBOT, which Zscaler ThreatLabz tracks under the aliases BAITSWITCH and SIMPLEFIX. The number of malware families attributed to the group has grown steadily year over year. In January, March, and April of 2025, reported attack waves deployed an information-stealing malware named LOSTKEYS.

Wesley Shields from Zscaler ThreatLabz remarked: “NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.”

This continuous evolution, as seen with COLDRIVER, is making malware faster and better at evading security solutions. Consequently, the agriculture, tourism, CI, and energy sectors, among others, are increasingly vulnerable.

Recent Attacks and Suspected Operatives

These new COLDRIVER-linked campaigns have also introduced another malware family, referred to as YESROBOT. Only two YESROBOT deployments were observed, over a two-week period in late May 2025, and its appearance coincided with the public unveiling of the details behind LOSTKEYS.

Dutch authorities have now arrested three suspects in the case. They allege that these individuals were providing services to a hostile foreign government, and that one of them was in communication with COLDRIVER. On the morning of September 22, 2025, Bundespolizei authorities arrested two of the suspects. The third suspect is currently under house arrest, as his role in the case was considered minimal.

The Openbaar Ministerie (OM) later disclosed that this suspect instructed the other two to repeatedly survey Wi-Fi networks in The Hague, which ties them more deeply to COLDRIVER’s day-to-day operations.

Government Response and Future Implications

The Dutch government body has acknowledged the situation, stating, “There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government.” The comment reflects that the investigation is still ongoing and underscores the challenges of prosecuting international cybercrime.

COLDRIVER is quickly shifting its tactics and developing new malware families. In turn, cybersecurity experts are calling on organizations to strengthen their security posture against these developing threats. A collection of related malware families dating to 2023, dubbed MambaLoader, has formed, connected through a shared delivery chain. This is a testament to the complex nature of COLDRIVER’s operations.