COLDRIVER, a Russian-linked threat group, mostly goes after reachable, high-profile targets: members of NGOs, policy advisors, and dissidents, primarily for credential theft. Recent changes in how the group attacks suggest it is moving away from its usual modus operandi.
COLDRIVER's malware families NOROBOT and MAYBEROBOT are tracked by Zscaler ThreatLabz as BAITSWITCH and SIMPLEFIX, respectively. The appearance of these new families shows the group continuing to mature its tooling and tradecraft.
Recent Developments in Malware Families
Since LOSTKEYS was publicly reported in May 2025, COLDRIVER has pushed out a series of updates that have made its malware increasingly effective. The group's latest attack waves mark a clear departure from its established methods and point to a strategic pivot in its operations.
Before the ROBOT family, COLDRIVER was deploying LOSTKEYS, an information stealer observed in attacks in January, March, and April 2025. LOSTKEYS has since been displaced by the newer ROBOT family of malware (NOROBOT, YESROBOT, and MAYBEROBOT), which shows a concerted effort to develop and refine the group's tooling rather than reuse exposed tools.
“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.” – Wesley Shields
Another member of the family, YESROBOT, has been observed on two documented occasions, both within a roughly two-week window in late May 2025. The public report on LOSTKEYS appeared shortly before YESROBOT's first appearance. The timing suggests the group retooled in direct response to that disclosure.
Connections to Suspected Individuals
Authorities suspect three 17-year-olds of working for COLDRIVER and possibly assisting a foreign government. One suspect reportedly maintained contact with a hacker group tied to the Russian government. The case drew considerable attention when two of the suspects were arrested on 22 September 2025.
The investigation is being led by the Netherlands' Public Prosecution Service (Openbaar Ministerie). The third suspect, whose involvement is described as more limited, is under house arrest rather than in custody. The prosecution alleges that the suspects passed information to COLDRIVER in exchange for cash payments.
“The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.” – Openbaar Ministerie (OM)
According to police, one of the suspects instructed the other two, on several occasions, to scan for and map Wi-Fi networks in The Hague. Mapping of that kind is consistent with reconnaissance rather than a one-off act, which is why prosecutors treat it as evidence of deliberate conduct.
“This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague.” – Openbaar Ministerie (OM)
Ongoing Investigations and Implications
Dutch officials have launched an extensive investigation into the case. They have stated that there is no indication the suspect in contact with the Russian-affiliated hacker group was pressured or coerced; on the prosecution's account, the contact was voluntary and paid.
The evolution of COLDRIVER's tactics and its latest campaigns illustrate the increasing sophistication of state-linked cyber operations. The group adapts quickly when its tooling is exposed, replacing disclosed malware with new variants, which is why defenders should expect its infection chains to keep changing.