COLDRIVER Hackers Unveil New Malware Families Amid Ongoing Investigation

By Tina Reynolds

We’re experiencing a new surge of ransomware and malware. It’s spearheaded by the Russia-linked hacking collective COLDRIVER, which has existed since at least May 2025. Two new families of malware, dubbed NOROBOT and MAYBEROBOT, are currently being tracked under the names BAITSWITCH and SIMPLEFIX by Zscaler ThreatLabz. This news comes as the Netherlands’ Public Prosecution Service continues its investigation of three Dutch teenagers. They’re suspected of selling their hacking services to foreign governments, following a divergent and dangerous path that this group has taken since its inception.

The criminal hacking group COLDRIVER has all but become a household name for its innovative and nasty malware campaigns. Its actions have recently escalated, signaling a major upscaling of its efforts. Investigators zeroed in on three suspects, all 17 at the time. They found that one of the suspects had reportedly maintained contact with a hacker group with ties to the Russian government. That contact brings with it the very real risk, one that has previously made headlines, of digital espionage and cyber war.

COLDRIVER’s Evolving Malware Campaigns

Since it first surfaced in May 2025, COLDRIVER has produced malware that has gone through multiple versions and updates. Together, the cohort ran impactful campaigns in January, March, and April of 2025. As part of these attacks, they used an information-stealing malware dubbed LOSTKEYS. Later intrusions resulted in the development of the malware family known as “ROBOT,” including variants like YESROBOT.

The rising popularity of these malware families marks a change in strategy. Wesley Shields from Zscaler ThreatLabz noted, “NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.” This adaptation indicates that COLDRIVER is refining its approach to make its malware more efficient and effective.

The deployment of YESROBOT has been puzzlingly sparse, with only two deployments as of late May 2025. The events occurred just weeks after the public disclosure of LOSTKEYS. This timing raises the question of a link between the two malware variants. That the deployments took place within a two-week window points to an increase in operational tempo from COLDRIVER.

Investigation and Apprehension of Suspects

The Dutch OM is in the process of investigating the same three teenage suspects. These teens are thought to have worked in concert with COLDRIVER. Two of the suspects were arrested on September 22, 2025, with the third suspect currently under house arrest. Investigators are assessing the level of involvement of these individuals in COLDRIVER’s operations.

Additionally, the OM confirmed that one of the previous people of interest leaked details for payment. This new bit of information makes the investigation even murkier. “The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks,” stated an official from the Openbaar Ministerie.

Despite these serious allegations, Dutch government authorities have stated that there are currently “no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government.” This statement addresses longstanding worries about outside influence on the young men accused in this high-profile case.

Implications for Cybersecurity

COLDRIVER’s activity carries important implications for global cybersecurity standards and practices. As malware continues to grow in sophistication and attackers continue to refine their strategies, businesses and governments must remain on constant high alert. The rise of new malware strains such as YESROBOT highlights an ongoing critical need to expand and strengthen cybersecurity efforts.