COLDRIVER, a hacking group suspected of operating on Russia’s behalf, has launched a second wave of cyber attacks. It is particularly targeting non-governmental organizations (NGOs), policy advisors, and dissidents. Since May 2025, the group has produced a number of new malware families, and its recently accelerated operational tempo has alarmed cybersecurity experts and authorities alike.
Recent research from Zscaler ThreatLabz illustrates how far COLDRIVER’s malware has advanced. The current versions, NOROBOT and MAYBEROBOT, are now tracked under the aliases BAITSWITCH and SIMPLEFIX, respectively. This evolution marks a departure from the group’s established, go-to tradecraft: it is taking a more aggressive approach to digital intrusion and credential theft.
Evolution of COLDRIVER’s Malware
From the outset, the malware associated with COLDRIVER has gone through several major developmental stages. Like the most recent attacks, the intrusions in the first half of 2025 relied on information-stealing malware (LOSTKEYS). Those intrusions occurred in January, March and April, and collectively they set the stage for the ROBOT family of malware to appear.
According to cybersecurity analyst Wesley Shields, “NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.” This marks an important tactical turn in how COLDRIVER operates: a direct emphasis on maximizing the impact of its attacks.
The release of YESROBOT is a significant step forward in COLDRIVER’s cyber arsenal. As far as these observations go, YESROBOT has only been deployed on two occasions, both within a two-week period in late May 2025. This timing coincided with the public release of LOSTKEYS, implying a deliberate effort to stay one step ahead of heightened public scrutiny.
Arrests Linked to COLDRIVER Operations
In a major development, the Dutch government has announced the arrest of three 17-year-old suspects who allegedly attempted to provide services to a foreign government, with potential ties to COLDRIVER. On September 22, 2025, law enforcement arrested two of them; the third suspect was placed under house arrest because of a supposed “limited role” in the alleged operations.
The Openbaar Ministerie (OM) revealed that one suspect had been in contact with a hacker group affiliated with the Russian government. The Netherlands’ national government ombudsman echoed this and reported that there is no evidence of any undue pressure put on the suspect. This person was communicating with a hacking outfit organized by, and actively supporting, the Russian government. This indicates that further major investigations may be needed to determine the full scope of their participation.
The OM also uncovered that one of the former suspects had been selling the collected data, including caller information, for a fee. Such information can be a goldmine for digital espionage and cyber warfare. “The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks,” the OM noted.
Targeting High-Profile Individuals
COLDRIVER usually focuses on targeting high-profile individuals working for NGOs, policy advisors, and dissidents. State-sponsored actors use password and credential theft to wage cyber war on civilians. Given the questionable motives behind this focus, it applies strategic pressure intended to erode democratic engagement and sow discord among local opponents of state-sponsored misinformation.
Testimony from the OM has shown that one suspected ringleader repeatedly instructed the other two to scout and scan Wi-Fi networks, and mainstream media reports affirmed that this happened multiple times in The Hague. Such operations show COLDRIVER’s sophisticated tactical methods for collecting intelligence on prospective targets.
These trends indicate an urgent need for stakeholders to be vigilant and proactive. The organizations COLDRIVER targets remain at risk from some of the most sophisticated cyber threats known. As COLDRIVER continues to adapt and evolve its techniques, cybersecurity experts warn that staying ahead of these threats will require constant monitoring and proactive measures.