A Russia-linked hacking group known as COLDRIVER has recently been associated with new malware families that represent a significant evolution in its cyber capabilities. This development follows a period of unprecedented COLDRIVER activity: the group has been blamed for dozens of attacks targeting prominent members of non-governmental organizations (NGOs), policy advisors, and dissidents. The attacks have increased since May 2025, highlighting a disturbing change in the group’s operational tempo.
Cybersecurity researchers have observed that COLDRIVER’s most recent malware variants deviate from its usual targeting patterns. In the past, the group’s operations centered on stealing credentials from specific individuals, but it now appears to have expanded its game plan. The malware families NOROBOT and MAYBEROBOT are tracked by Zscaler ThreatLabz under the names BAITSWITCH and SIMPLEFIX, respectively. These malware families serve an important function in supporting COLDRIVER’s operations. Furthermore, LOSTKEYS, a highly advanced form of information-stealing malware, was used in subsequent attack waves in January, March, and April 2025.
Increased Operational Tempo
Since May 2025, COLDRIVER has shown a higher “operations tempo”—military lingo for a more aggressive speed and frequency of attacks—evident from the uptick in its hacking activity. Until now, the group has chiefly targeted organizations by stealing credentials from high-value individuals. The newest wave of attacks represents a significant departure from this script. The deployment of the “ROBOT” family of malware during these intrusions marks a new development and perhaps a widening of the group’s strategic aims.
Cybersecurity expert Wesley Shields explained how COLDRIVER’s malware has evolved. He noted, “NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.” This evolution is indicative of how sophisticated COLDRIVER’s tactics are and reminds organizations of the risk they still face.
Separately, YESROBOT has been deployed in just two cases, during a concentrated two-week period in late May 2025. That timing coincided with the public release of information about LOSTKEYS, which indicates that COLDRIVER adapts rapidly to take advantage of new intelligence or weaknesses.
Legal Actions Against Suspects
The Netherlands’ Public Prosecution Service (Openbaar Ministerie) has just announced significant news. It has identified three 17-year-old males as suspects who provided services to a foreign government associated with COLDRIVER. The agency said that it had arrested all four of the suspects as of this past Tuesday, Sept. 22, 2025. For now, their alleged accomplice, the third suspect, remains on home detention. Police have stressed that the suspects were not engaged in innocent efforts such as mapping Wi-Fi networks, as they had done in The Hague, Netherlands.
The Openbaar Ministerie stated, “The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.” This revelation only serves to sharpen the picture of how on-the-ground actors can partner with transnational hacking networks such as COLDRIVER.
Even with this new movement reported, authorities still do not see clear indicators of pressure on the suspect, who remains in ongoing communication with COLDRIVER. The lack of pressure creates a protective bubble around their interests that removes any incentive for them to engage. It leaves open the question of just how little they actually contributed to COLDRIVER’s operations.
Ongoing Cybersecurity Concerns
COLDRIVER’s new malware families are growing in prominence. This surge requires increased awareness and watchfulness from cybersecurity communities across the globe. Zscaler ThreatLabz researchers are closely monitoring these threats. They note that COLDRIVER’s development is indicative of a wider series of interrelated malware families connected by a common delivery chain.
Cybersecurity professionals today are on the front lines against the risks that COLDRIVER and other APTs represent. At the same time, organizations need to dramatically improve their defenses to keep pace with advanced cyber threats. Law enforcement agencies cannot do it alone and must work in tandem with cybersecurity companies. This collaborative effort is key to staying ahead of rapidly changing hacker techniques.