New Malware Families Linked to Russian Hacking Group COLDRIVER Uncovered


By Tina Reynolds


Cybersecurity researchers at Google Threat Intelligence Group (GTIG) have documented new malware families attributed to the Russian state-backed hacking group tracked as COLDRIVER. The new tooling has been observed since at least May 2025, and the group has iterated on it at a rapid pace. This article covers the latest additions, NOROBOT and MAYBEROBOT, and what they mean for defenders.

Zscaler ThreatLabz has been tracking the same activity in parallel under its own names: the tooling GTIG calls NOROBOT and MAYBEROBOT overlaps with what Zscaler reports as BAITSWITCH and SIMPLEFIX, respectively. These are two vendors' names for the same malware, not a rebranding by the group. The new families point to a broadening of COLDRIVER's targeting, possibly widening the net to organizations beyond its traditional set of victims.

COLDRIVER’s Malware Evolution

COLDRIVER's malware has been revised several times since it first appeared in the threat landscape. The group appears to have stepped up its operational tempo, which indicates a deliberate drive to improve its capabilities. Its current tooling, the ROBOT family, was deployed after its previous malware had been publicly exposed.

LOSTKEYS, an information-stealing malware, was observed in January, March and April 2025. Its public disclosure in May 2025 was followed almost immediately by the first member of the ROBOT family: YESROBOT, which saw only two deployments in late May 2025 before being replaced. The timing is telling. Deployment began right after the LOSTKEYS report went live, which shows that the group follows public reporting and retools in near real time.

“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys,” – Wesley Shields

COLDRIVER's malware keeps adapting to the obstacles it meets, which shows how readily the group adjusts to the countermeasures defenders deploy. Shields's point about split keys matters for analysts: when the key needed to decrypt a later stage is divided across several downloads, a sandbox or analyst that captures only one stage cannot recover the final payload, so the complete chain has to be collected before the payload can be examined.
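As an added illustration of the "splitting cryptography keys" idea in Shields's quote (example code written for this article, not COLDRIVER's or GTIG's code; the XOR key split, the HMAC-based keystream, the stage names and the sample payload are all assumptions), the following Python shows why a staged loader that spreads its key over multiple downloads defeats analysis of any single captured stage:

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional

# Constructed illustration of a staged loader whose decryption key is split
# across two stages. This is NOT COLDRIVER/NOROBOT code: the XOR key split,
# the HMAC-SHA256 keystream and the sample payload are assumptions made for
# this example. The point is the analysis caveat: no single captured stage
# contains enough to decrypt the final payload.


def keystream(key: bytes, length: int) -> bytes:
    """Derive `length` bytes of keystream from `key` (HMAC-SHA256 in counter mode)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes) -> List[bytes]:
    """Two-of-two XOR split: share_a is random, share_b = key XOR share_a.
    Each share on its own is uniformly random and says nothing about `key`."""
    share_a = os.urandom(len(key))
    return [share_a, xor_bytes(key, share_a)]


def combine_key(shares: List[bytes]) -> bytes:
    """XOR all shares together; with both shares this yields the original key."""
    key = shares[0]
    for share in shares[1:]:
        key = xor_bytes(key, share)
    return key


@dataclass
class Stage:
    name: str
    key_share: bytes           # the part of the key this stage carries
    payload: Optional[bytes]   # encrypted final payload, carried by the last stage only


def build_chain(plaintext: bytes, key: bytes) -> List[Stage]:
    """Attacker side: encrypt the payload and spread the key over two stages."""
    share_a, share_b = split_key(key)
    ciphertext = xor_bytes(plaintext, keystream(key, len(plaintext)))
    return [Stage("stage1", share_a, None), Stage("stage2", share_b, ciphertext)]


def recover_payload(captured: List[Stage]) -> Optional[bytes]:
    """Analyst side: try to decrypt using only the stages actually captured.

    Returns None when no captured stage carries the payload; returns garbage
    (not the real payload) when a key share is missing.
    """
    carriers = [s for s in captured if s.payload is not None]
    if not carriers:
        return None
    key = combine_key([s.key_share for s in captured])
    ciphertext = carriers[-1].payload
    return xor_bytes(ciphertext, keystream(key, len(ciphertext)))


if __name__ == "__main__":
    payload = b"constructed sample payload, not a real implant"
    chain = build_chain(payload, os.urandom(32))
    assert recover_payload(chain) == payload        # full chain: decrypts
    assert recover_payload(chain[1:]) != payload    # stage 2 only: wrong key, garbage
    assert recover_payload(chain[:1]) is None       # stage 1 only: nothing to decrypt
    print("full chain decrypts; any single stage does not")
```

The XOR split is the simplest two-of-two secret sharing; a real loader may divide its key differently or across more stages, but the consequence for the analyst is the same: collect every stage, and the exact key material each one carries, before attempting to decrypt the final payload. A sandbox that blocks or times out one download ends up with a sample that cannot be unpacked offline.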

Arrests Connected to COLDRIVER Activities

On September 22, 2025, the Netherlands' Public Prosecution Service (Openbaar Ministerie, OM) announced that it had arrested three young men believed to be associated with COLDRIVER. All of the suspects are 17 years old. They are accused of working for the benefit of a foreign government, and one of them reportedly was in contact with a hacker group associated with Russia.

The criminal investigation, led by the OM, has so far resulted in two of the suspects being held in custody. The third is under house arrest for the time being because, officials say, he had a "limited role" in the case. The suspects' ages raise the question of how hacking groups such as COLDRIVER recruit teenagers in the first place.

“There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government,” – Dutch government body

The case highlights the continued risk of young people being drawn into state-directed cyber activity, and the need for cybersecurity education aimed specifically at that age group.

Implications for Global Cybersecurity

Cybersecurity teams such as GTIG and Zscaler ThreatLabz will keep tracking COLDRIVER's activity, but the implications reach well beyond any single vendor's customers. The group's malware is built for digital espionage, and its targets are not confined to one country.

According to the OM, "The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks." The statement is significant because it ties the suspects' activity to a paying client and explicitly to espionage and cyber attacks, rather than to juvenile curiosity.

The growing sophistication of these malware families, and the speed with which new ones reach maturity, point to an arms race between the group and defenders. As COLDRIVER broadens its operations, targeted organizations need to strengthen their defensive posture and stay informed about new and evolving threats.