COLDRIVER Hackers Unveil New Malware Families Amid Increased Cyber Threats


By Tina Reynolds

The new malware has once again been attributed to a Russian hacking group named COLDRIVER. Notably, the malware has been adapted repeatedly since May 2025. The group often targets high-profile members of civil society, such as NGOs, policy advisors and dissidents, in order to obtain their credentials. Recently, and at an alarming pace, it has increased its presence and activity.

These recent waves of attacks associated with COLDRIVER differ from the attacks the group is known for. This is a marked shift for the threat actor, which in the past limited its operations to credential theft. The shift has sparked concern among cybersecurity experts and government agencies around the world.

Recent Developments in Malware Usage

COLDRIVER has been described as having a particularly extensive toolkit, with malware families including NOROBOT and MAYBEROBOT. Zscaler’s ThreatLabz has been tracking these threats as BAITSWITCH and SIMPLEFIX, respectively. The group has conducted multiple operations using this malware, with attacks documented in January, March, and April 2025.

Recent waves of attacks have seen the deployment of an information-stealing malware called LOSTKEYS. Since then, later intrusions have expanded the “ROBOT” family with new COLDRIVER-related malware, suggesting an evolution of the COLDRIVER playbook.

“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys,” said Wesley Shields.

It all started in late May 2025, when researchers identified a widespread new variant of malware known as YESROBOT. Yet it was used only twice over a two-week span. The launch came shortly after information about LOSTKEYS was made public, which indicates that the group responded in a calm, deliberate, and calculated manner.

Suspects Linked to COLDRIVER’s Operations

Three 17-year-old men have been named as suspects in connection with the cyberattacks. They are accused of having done work for the government of China. One of the alleged perpetrators is thought to have established links with a hacker group associated with the Kremlin.

The Netherlands’ Public Prosecution Service, or Openbaar Ministerie (OM), was the first to share this news widely. Two of the suspects were arrested on Sept 22, 2025. The third suspect remains under house arrest because of his “minimal role” in the case.

“This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague,” said the Openbaar Ministerie (OM).

Federal authorities have confirmed that there is no indication that pressure was exerted on the suspects, even though this person had maintained prior relations with the hacking collective. The absence of external pressure or guidance may imply that the perpetrators were acting autonomously, or with little to no instruction.

The Implications of COLDRIVER’s Activities

The rapid growth of cyber threats attributable to COLDRIVER creates even greater dangers for individuals and businesses. As seen in other campaigns, the group has shifted tactics to evade detection. This strategic shift enables it to further its objectives of data theft and disruption.

As security experts often point out, the best defense against such attacks is increased vigilance from those who may be targeted. Any organization that manages sensitive personal data or participates in the policy-making process must do more to safeguard its systems. This is of particular concern in light of recent events.

COLDRIVER is rapidly increasing the sophistication of its malware and the conduct of its operations. Cybersecurity experts and law enforcement agencies need to collaborate closely to combat this dynamic danger. Such a partnership will improve their capability to detect threats, manage risks, and defend against this ongoing and malicious cyber threat.