COLDRIVER Hackers Unleash New Malware Families Amidst Increased Activity


By Tina Reynolds

COLDRIVER, a Russia-linked hacking group, has been observed deploying several new malware families, and those families have gone through multiple revisions since May 2025. The sharp rise in activity is an unmistakable sign of a shift in tactics: the group's earlier operations focused on stealing credentials from high-value targets such as NGO employees, policy advisors, and dissidents.

Cybersecurity researchers have been tracking COLDRIVER's evolving techniques. The latest attacks point to a higher "operations tempo" from the group and a more determined use of cyber operations in support of strategic objectives, a development with implications for defenders well beyond the group's traditional targets.

Recent Malware Campaigns

COLDRIVER has a history of developing intricate malware families. Two notable recent examples are NOROBOT and MAYBEROBOT, tracked by other vendors as BAITSWITCH and SIMPLEFIX respectively. During the waves of attacks in January, March, and April 2025, the group deployed information-stealing malware called LOSTKEYS. These intrusions set the stage for the newly discovered "ROBOT" family of malware.

Only two deployments of YESROBOT have been observed so far, both within a two-week period toward the end of May 2025. The debut of YESROBOT came right on the heels of the public disclosure of LOSTKEYS, hinting at a tactical shift in COLDRIVER's tooling.

“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys,” – Wesley Shields

These changes show COLDRIVER actively iterating on its tooling and investing in its offensive capability.

Arrests Related to COLDRIVER

In a related development, the Netherlands' Public Prosecution Service said it suspects three Dutch 17-year-olds of providing services to a foreign government. One of the suspects is reported to have been in contact with COLDRIVER. Police arrested two of the suspects on September 22, 2025; the third, who is alleged to have played a minor role in the case, is under house arrest.

The most alarming finding from the investigation was that this suspect had, on several occasions, instructed others to map Wi-Fi networks in The Hague. That finding raises further questions about the nature of the suspect's contact with the Russia-affiliated hacking group.

“There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government,” – the Dutch government body

These arrests highlight ongoing law-enforcement work against such cyber threats, work that depends on cooperation with foreign partners.

Analysis of Cybersecurity Implications

With the latest spike in COLDRIVER's malware campaigns, the new tooling has come under close scrutiny from cybersecurity experts worldwide. Zscaler ThreatLabz, which tracks the same malware families under different names, continues to monitor COLDRIVER's activity. The aim of this analysis is to give a clearer picture of the expanding threat landscape shaped by state-sponsored hacking groups.

As cyber threats become more sophisticated, understanding the tactics employed by groups like COLDRIVER is essential for organizations and governments alike. These strategic shifts make a clear case for greater cybersecurity awareness, preparedness, and action across all sectors.