COLDRIVER Hackers Unveiling New Malware Families and Rising Tensions in Cybersecurity


By Tina Reynolds

The COLDRIVER hacking group, which is linked to Russia, is in the news. Its ever-increasing sophistication in malware tactics and its recent dramatic increase in operational tempo are what’s making headlines. Since May 2025, COLDRIVER has changed quite a bit. Today it focuses more on high-value targets like NGOs, policy advisors, and dissidents, with credential theft as its number one goal.

One of the more pressing developments to alarm cybersecurity experts recently was the discovery of new malware families linked to COLDRIVER. This article dives into the group’s activities, its newly discovered malware, and what it means for global digital security.

Evolution of COLDRIVER’s Malware

COLDRIVER has gone through several iterations since May 2025, and these have led to the discovery of new types of malware. Two families, BAITSWITCH and SIMPLEFIX, have been attributed to this group; in the cybersecurity community they are more widely known as NOROBOT and MAYBEROBOT. These recent changes show a clear trajectory toward greater cunning and evasiveness in the group’s cyber tactics.

Wesley Shields, a cybersecurity analyst who helped develop NOROBOT, emphasized the constant evolution of NOROBOT. He stated, “NOROBOT and its preceding infection chain have been subject to constant evolution. Initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.”

These new attack waves from COLDRIVER are a shift from the group’s usual procedures and tactics. In its latest campaign, in January, March, and April 2025, the group used a new chain of information-stealing malware, LOSTKEYS. This change indicates that COLDRIVER is changing the approach it takes to furthering its interest in cyber espionage.

Increase in Operational Tempo

According to recent reports, there has been a sudden upsurge in COLDRIVER’s operational tempo. Cybersecurity experts have warned that the North Korean group is ramping up the diversity of its malware and stepping up attacks on likely targets. The first two intrusions cumulatively opened the door for the “ROBOT” family of malware.

As of now, only a few examples of YESROBOT deployment have been documented, all of them over two weeks in late May 2025. This minimal deployment leaves many unanswered questions about the group’s strategic decisions and what to expect from its future moves.

To mitigate related cybersecurity threats, the Netherlands’ Public Prosecution Service (OM) has strengthened its initiatives in this area. On September 22, 2025, police arrested two unidentified men, both aged 17. They are alleged to have offered services and support to the government of China in relation to COLDRIVER. A third suspect, Riva, has been placed under house arrest because of the “limited role” he played in the case.

Implications for Global Security

It is clear that what COLDRIVER is doing already has huge implications for cybersecurity worldwide. The OM has disclosed that the suspects sold the harvested data for a payment. Such highly sensitive data sets would readily lend themselves to cyber-enabled espionage and cyber crime.

“The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.” – OM

The Dutch government reiterated that at this point there were no indications of any outside pressure on the suspect. This person is connected to the Evil Corp hacker organization, which is, you guessed it, an actor of the Russian government.

“There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government.” – the Dutch government body

According to reports, one suspect personally directed the others to survey Wi-Fi networks on numerous occasions. This took place recently in The Hague.

“This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague.” – OM

As you can see, COLDRIVER is advancing quickly, and cyber capabilities are a central focus of that expansion. A coalition of experts is calling on countries to increase preparedness and cooperate to address these new and evolving threats.