COLDRIVER Hackers Evolve Strategies with New Malware Developments

By Tina Reynolds

COLDRIVER, a Russian state-linked espionage group, has stepped up its tempo markedly since May 2025. The group is best known for credential-phishing campaigns against high-value targets, including staff at non-governmental organizations (NGOs), policy advisors and dissidents. Last month, researchers published details of three new malware families attributed to the group, a clear departure from its historical modus operandi.

The uptick comes shortly after news that three 17-year-old boys in the Netherlands have been charged with assisting a foreign state in connection with the group. Two of the suspects are in custody; the third was placed under house arrest because of his limited role.

Evolution of COLDRIVER’s Malware

Since the LOSTKEYS disclosure, COLDRIVER's tooling has gone through several development cycles. Zscaler ThreatLabz has tracked related activity under the names BAITSWITCH and SIMPLEFIX. LOSTKEYS itself is an information-stealing malware family whose details were made public in May 2025.

A second family, YESROBOT, was observed in only two deployments, both within a two-week window in late May, immediately after the LOSTKEYS details became public. Its short life suggests the group was reacting to the disclosure and retooling once its existing implants were burned, rather than continuing to run a documented toolset.

“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys,” said Wesley Shields of Google Threat Intelligence Group.

COLDRIVER gets a warm reception from NOROBOT

NOROBOT, the family named above, completes the set. Taken together with LOSTKEYS and YESROBOT, the new families show a group investing in operational effectiveness rather than standing still after exposure.
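The remark about "splitting cryptography keys" is worth making concrete for analysts. The Python below is an added illustrative example, not COLDRIVER's code and not taken from the report: it models a multi-stage loader whose payload key is derived from fragments delivered in separate stages, so a sample recovered in isolation cannot be decrypted. The fragment values, the toy SHA-256 counter-mode cipher and the payload string are all constructed for the demonstration.

```python
"""Illustrative split-key staging (added example, not COLDRIVER's implementation).

A loader that splits its payload decryption key across stages forces the
analyst to recover every stage before the final payload can be decrypted.
All key material and the payload below are constructed for this demo.
"""
import hashlib
import hmac

TAG_LEN = 32


def keystream(key: bytes, length: int) -> bytes:
    """Toy SHA-256 counter-mode keystream. Illustrative only, not a real cipher."""
    out = b""
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:length]


def derive_key(fragments: list) -> bytes:
    """The payload key exists only when *all* fragments are present, in order."""
    return hashlib.sha256(b"".join(fragments)).digest()


def seal(plaintext: bytes, fragments: list) -> bytes:
    """Encrypt-then-MAC with the derived key; returns ciphertext || tag."""
    key = derive_key(fragments)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, len(plaintext))))
    tag = hmac.new(key, ct, "sha256").digest()
    return ct + tag


def unseal(blob: bytes, fragments: list):
    """Return the payload, or None when the key material is wrong or incomplete."""
    key = derive_key(fragments)
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, ct, "sha256").digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(key, len(ct))))


# Constructed stages: fragment 1 ships with the first-stage script, fragment 2
# arrives only with the second download. Neither alone yields the key.
STAGE1_FRAGMENT = bytes.fromhex("00112233445566778899aabbccddeeff")
STAGE2_FRAGMENT = bytes.fromhex("ffeeddccbbaa99887766554433221100")
PAYLOAD = b"print('final stage payload')"  # constructed stand-in for an implant
BLOB = seal(PAYLOAD, [STAGE1_FRAGMENT, STAGE2_FRAGMENT])


def analyst_with_one_stage():
    """What a sandbox run that captured only the first stage can recover."""
    return unseal(BLOB, [STAGE1_FRAGMENT])


def analyst_with_both_stages():
    """What an analyst who collected the whole chain can recover."""
    return unseal(BLOB, [STAGE1_FRAGMENT, STAGE2_FRAGMENT])


if __name__ == "__main__":
    print(analyst_with_one_stage())    # None
    print(analyst_with_both_stages())  # b"print('final stage payload')"
```

The practical takeaway is the one the quote implies: triage that stops at the first stage, or a sandbox that detonates only the initial dropper, will never see the final payload, so collection should capture every downloaded stage before any offline decryption is attempted. The cipher here is a toy for illustration and must not be reused as real cryptography.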

Recent Investigative Developments

Dutch authorities are meanwhile focusing on the local helpers allegedly working for the group. Two of the suspects were arrested on September 22, 2025, while the third remains under house arrest because of his limited role. According to the prosecution, one of the arrested individuals had been in contact with a hacker group affiliated with the Russian government.

“There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government,” – the Dutch government body

Prosecutors said that this suspect directed the other two, who mapped Wi-Fi networks in The Hague. Mapping of this kind, recording network names and identifiers around sensitive locations, is reconnaissance that can support later intrusion or surveillance, and it points to deliberate planning rather than opportunism.

Implications of Increased Activity

The increase in COLDRIVER activity underscores the persistent threat posed by state-sponsored groups. Targeting civic leaders also carries broader privacy and security implications for anyone who takes part in or supports a political or social movement, because a compromised mailbox exposes the owner's contacts as well as the owner. Defenders, for their part, continue to study how best to counter these campaigns.

The arrest of the three suspects is a testament to the work of Dutch and partner law enforcement agencies against operations linked to state actors. Cooperation between agencies is encouraging, but the threat keeps growing in complexity, so vigilance remains essential.