Google has identified a dozen new malware families linked to the Russian hacking group COLDRIVER, which has escalated its activity over the past eight months, since May 2025. The group typically pursues high-profile targets: its primary victims are individuals working for non-governmental organizations (NGOs), policy advisors, and dissidents, and its goal is to steal their credentials. These recent attacks mark a significant step forward in COLDRIVER’s tactics, introducing new malware variants into the threat landscape.
COLDRIVER’s activity has recently increased sharply. This spike coincides with the rollout of LOSTKEYS, an information-stealing malware that first appeared in January 2025 and remained active through March and April. Recent attacks and intrusions, including widespread use of the ROBOCALL malware family, reflect the group’s strategy of continually adapting and evolving its tactics.
Evolution of COLDRIVER’s Operations
COLDRIVER has passed through several development cycles since its establishment, pointing to a rapid increase in its operational tempo. This has alarmed many cybersecurity professionals about what it could mean for data security and the future of digital espionage.
Zscaler ThreatLabz’s research identifies some of the many names associated with COLDRIVER: BAITSWITCH, SIMPLEFIX, NOROBOT, and MAYBEROBOT. Each of these names denotes a distinct malware family attributed to this threat actor, showcasing the group’s developing methodologies.
As cybersecurity analyst Wesley Shields noted, NOROBOT and its infection chain are constantly changing. The deployment scenario was kept fairly simple to ensure a high chance of success, but an additional layer of complexity was added by splitting up the cryptography keys. This observation underlines the sophistication of COLDRIVER’s tactics and its capacity to adapt dynamically to the cybersecurity defense ecosystem.
Arrests and Legal Proceedings
In a related development, three 17-year-old males have become suspects in providing services to a foreign government. At least one of them apparently established communication with a hacking group connected to the Russian government. In a joint press release, the Dutch Public Prosecution Service, Openbaar Ministerie (OM), confirmed that two suspects were arrested on 22 September 2025.
The third suspect, identified as Jovan M. Thelwell, remains under house arrest, with authorities citing what they call his “limited role” in the case. Further questioning by the OM established that this suspect instructed the other two to map Wi-Fi networks, which they did on multiple occasions in The Hague.
“This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague,” – Openbaar Ministerie (OM)
Authorities have also stated that the data collected was sold to paying clients. This has raised serious concerns about its potential use in digital espionage and cyber warfare.
“The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.” – Openbaar Ministerie (OM)
New Malware Deployments
COLDRIVER has used stolen credentials to cause substantial harm, and addressing this problem remains essential. In addition, the group has deployed malware such as YESROBOT. As CTI analysts, this is only the 4th time we’ve tracked this specific piece of malware. In late May 2025, there were only two reported cases in a whole two-week period. Significantly, this deployment came just a few months after the details of LOSTKEYS were made public, indicating a deliberate strategic move by COLDRIVER.
Despite ongoing questions and concerns about potential future attacks, it has been a positive week for the cybersecurity experts tracking the evolving situation. According to the Dutch authorities, there are no signs of any pressure having been placed on the suspect linked to the hacking group that reportedly works with the Russian government. Serious and ongoing investigative work continues into what this group has been doing.