The latest in-depth investigation has revealed that COLDRIVER, a Russia-linked hacking group, has made impactful changes in the cybercriminal world. Beyond May 2015 this coalition of partners has continued to adjust and refine its strategies and tactics. They have released new malware families, which signal an increase in operational tempo. COLDRIVER has gained particular infamy for going after high-value targets such as NGO personnel, government policy advisors, and dissidents in order to exfiltrate credentials. Their most recent assaults, however, depart from that consistent playbook, enough to raise the hackles of cybersecurity professionals.
Zscaler ThreatLabz has been monitoring the emergence of new malware families. It tracks NOROBOT under the alias BAITSWITCH and MAYBEROBOT under the alias SIMPLEFIX. These advancements mark an important inflection point for COLDRIVER’s campaign. Further, the group is taking steps to evade detection, but its primary focus remains information theft.
Latest Malware Developments
After a few test runs under the radar, COLDRIVER has recently accelerated its operations with a blitz of attacks in January, March and April of 2025. This string of assaults culminated in the rollout of LOSTKEYS, an advanced, information-stealing, ransomware-delivering malware. Second, YESROBOT has resurfaced but so far has only been seen in two examples. Most strikingly, it was recorded for more than two weeks in late May, just after information about LOSTKEYS became common public knowledge.
Wesley Shields, a RAND Corporation cybersecurity expert, said that COLDRIVER is developing new types of attacks.
“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys,” – Wesley Shields.
COLDRIVER, Shields said, is specifically focused on remaining one step ahead of detection systems. This continuous evolution continues to showcase their persistent and innovative attempts in intelligence collection on high-valued targets.
Arrests in the Netherlands
In a related development, the Netherlands’ Public Prosecution Service (OM) announced that three 17-year-old men are suspected of providing services to a foreign government. One suspect reportedly stayed in touch with a hackers-for-hire group tied to the Russian state. Authorities arrested two of the suspects on Sept. 22, 2025, and placed the third suspect under house arrest.
The OM claimed that these suspects had previously participated in reconnaissance of Wi-Fi networks in The Hague.
“This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague,” – Openbaar Ministerie (OM).
Additionally, the OM disclosed that the suspects sold the intelligence they collected through these activities to a client for a fee. This would open the door to digital espionage and cyber warfare.
“The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.” – Openbaar Ministerie (OM).
Implications of Increased Operations Tempo
COLDRIVER’s escalated operations tempo has gotten the attention of cybersecurity experts. They worry it would allow the group to harvest sensitive data and execute sophisticated digital espionage. Its move toward increasingly complex malware suggests a strategic turn to make its operations more impactful while keeping its distance from detection.
This announcement speaks to the depth of the investigation still continuing into the suspects’ activities and their possible connection with COLDRIVER.
“There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government,” – Dutch government body.
This statement reflects ongoing investigations into the suspects’ activities and their affiliations with COLDRIVER.

