COLDRIVER Hackers Evolve Tactics with New Malware Families Targeting High-Profile Individuals


By Tina Reynolds


A Russian-linked hacking group known as COLDRIVER has recently been identified as the source of three new malware families. As with most malware strains, these variants have continued to develop since May 2025. The group has routinely and actively gone after very high-profile targets, specifically individuals working in NGOs, policy advisors and dissidents, in order to obtain their credentials. Security analysts attribute COLDRIVER’s activities to elements within the Russian government, raising concerns about the implications for digital security and espionage.

Other COLDRIVER malware variants, such as BAITSWITCH and SIMPLEFIX, have been discovered and tracked by Zscaler ThreatLabz. The group’s campaigns have been documented in waves in January, March and, most recently, April 2025. This third wave marks a new front in the group’s consistently offensive playbook: COLDRIVER is clearly fine-tuning its approach iteratively in order to maximize the success of its attacks.

Evolving Malware Landscape

Throughout this period, COLDRIVER has shown a marked capacity to adapt to its changing environment and to develop new techniques and tools. The newly discovered malware families NOROBOT and MAYBEROBOT are only the latest additions to a longer evolution of COLDRIVER’s malware arsenal.

This flexibility allows COLDRIVER to remain undetected by security measures and relevant in an environment where the cyber terrain is constantly shifting. Shields further emphasized that this malware represents “a collection of related malware families connected via a delivery chain,” highlighting the intricate web of cyber threats posed by the group.

“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.”

COLDRIVER’s recent activity has not gone unnoticed by law enforcement. The Netherlands’ Public Prosecution Service (OM) has launched investigations into the group’s actions. The suspects, among them a 17-year-old male, are believed to have been providing services to COLDRIVER, potentially at the direction of a foreign government.

Recent Attacks and Investigations

“This suspect gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague,” stated a representative from OM. Perhaps more importantly, this disclosure highlights the organization’s highly calculated strategy for intelligence collection and target selection in their cyber operations.

Furthermore, the OM reported that “the information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.” This comment points to the commercial aspect of COLDRIVER’s work. It also shows how data collected in this way can be passed on and reused for further espionage and attacks.

The impact of COLDRIVER’s actions goes far beyond credential theft. The group has deployed an info-stealing malware, LOSTKEYS, which significantly expands its operational capabilities. Later operations introduced the “ROBOT” family of malware. This development adds a further layer of complexity to ongoing efforts to keep the group’s activities at bay.

Implications of COLDRIVER’s Activities

Despite the investigators’ statements, there is still some uncertainty about whether pressure was brought to bear on suspects linked to COLDRIVER. A Dutch government body commented:

“There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government.”

This uncertainty reflects the challenges faced by law enforcement agencies in addressing the sophisticated tactics employed by COLDRIVER.