A Russia-linked hacking group known as COLDRIVER has created new malware, marking a noteworthy escalation of its cyber operations. The gang has allegedly produced several iterations of its malware since May 2025, suggesting a stepped-up “operations tempo.” That acceleration has raised alarm among cybersecurity experts and law enforcement agencies.
During this latter period COLDRIVER’s malware campaign welcomed a new player to the field, YESROBOT. While YESROBOT has only been deployed in two cases so far, both instances were reported within the span of two weeks. This swift deployment follows the public disclosure of another new malware family, LOSTKEYS, which was already known to be behind attacks as far back as earlier this year.
The Evolution of COLDRIVER’s Malware
Perhaps most notable, COLDRIVER’s malware campaign has demonstrated a worrisome arc of development and growing sophistication. Since it first started, the collective has been iterating on its tools and techniques nonstop, which shows its tenacity in making its attacks more targeted and effective. LOSTKEYS malware is specifically designed to steal sensitive information; attacks using it were observed in January, March, and April of 2025.
The deployment of YESROBOT appears to be a follow-on wave to the deployment of LOSTKEYS. After the intrusions linked to LOSTKEYS, COLDRIVER began building the “ROBOT” family of malware. Two members of that family are NOROBOT and MAYBEROBOT, which Zscaler ThreatLabz tracks as BAITSWITCH and SIMPLEFIX respectively.
“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys,” – Wesley Shields
Shields is quick to highlight the adaptive nature of COLDRIVER’s strategies. This flexibility lets the group shift tactics to avoid detection and improve the effectiveness of its operations.
Recent Arrests Linked to Cyber Espionage
In another twist, three 17-year-old boys have been arrested on charges of offering assistance to a foreign power. The Netherlands’ Public Prosecution Service made the arrests public today. The suspects are alleged to have ties to, or to have supported, operations that would help cyber efforts against Russia.
One of the suspects reportedly kept regular contact with a hacking collective tied to the Russian state. Authorities are reportedly trying to determine whether these points of contact gave that group access to any dockets, tabs or even custom-tailored files.
“This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague,” – Openbaar Ministerie (OM)
The suspects’ alleged conduct would have served as groundwork for broader digital espionage and/or cyber attack campaigns.
“The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks,” – Openbaar Ministerie (OM)
What matters most about these arrests are the implications they carry as a whole: a reminder that state-sponsored hacking initiatives remain a very real danger.
Ongoing Risks and Government Response
So far, the Dutch government has said little about whether any pressure was placed on the suspect who was in contact with the hacker group tied to Russia. The investigation is ongoing and may yet reveal further links between local suspects and international cyber threats.
“There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government,” – Dutch government body
Cybersecurity researchers are keeping a very close eye on COLDRIVER’s moves and its latest malware creations. Threats continue to evolve, and organizations need to do everything they can to shore up their defenses against impending breaches. The increasing sophistication of these operations highlights the importance of constant vigilance and proactive cybersecurity practices.