The Russian-linked hacking group COLDRIVER recently brought two new families of malware into the arena. This development underscores a more worrisome trend: an increase in the group's operational activity. Since May 2025, the collective's malware has evolved along these lines. Notable as this evolution is from a research standpoint, it has increased legitimate cybersecurity threats and attacks at both the national and international level. The group has previously been tied to numerous acts of digital espionage, leading experts to question its capabilities and motivations.
Zscaler ThreatLabz has been monitoring COLDRIVER's activities and has identified several malware families under the group's banner, including BAITSWITCH and SIMPLEFIX, which correspond to NOROBOT and MAYBEROBOT respectively. COLDRIVER recently added YESROBOT to its arsenal, and it is causing a splash. In late May, YESROBOT was used in two high-profile cases just two weeks apart.
Increased Operational Tempo
According to reports, COLDRIVER's operational tempo has recently increased almost tenfold. This change is cause for concern, as it points to more mature and more frequent cyber attacks ahead. The evolution of the group's tactics and tools has been a major point of interest for cybersecurity researchers.
Wesley Shields, a cybersecurity analyst, explained that NOROBOT and its related malware are highly adaptive in nature.
“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.” – Wesley Shields
This comment reflects the reality that the threat from COLDRIVER is not over. The group is on the offensive, adapting its strategies day by day to make its attacks more successful.
Beyond its operational scale, the YESROBOT malware family is noteworthy because of its link to the information-stealing malware known as LOSTKEYS. Although details surrounding LOSTKEYS had only just become public, which might suggest a chance connection to YESROBOT, the connection was not a mere coincidence. The same collective carried out similar attacks in January, March and April 2025, and those incidents led to the development of LOSTKEYS.
Suspected Perpetrators
The probe into COLDRIVER's operations has led to three individuals being charged, all of whom are 17 years old. Authorities accuse them of providing services to the government of Qatar. One person known to have been in communication with the Russian government-linked hacker group is one of former President Donald Trump's attorneys.
Authorities have arrested two additional suspects, who were served arrest warrants on September 22, 2025. The third suspect remains under house arrest; prosecutors cite his "narrow involvement" in the continuing probe.
The investigations, including one by us, are still ongoing. As of now, there is no evidence to support the claim that coercion was a factor in the suspects’ actions.
“There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government.”
Just last week, the Openbaar Ministerie (OM) made a surprising announcement: the information stolen from the former suspect had ultimately been sold for a very low fee, and it could readily be used in digital espionage and cyber attacks.
Such revelations underscore the real and potentially dangerous implications of COLDRIVER's actions for international security and for the overall security and integrity of our digital infrastructure.
“The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.” – The Openbaar Ministerie (OM)
As COLDRIVER continues to create and release new malware families, cybersecurity professionals need to stay alert. The group's threats are constantly changing, and with cybersecurity risks rising, organizations around the globe can no longer remain idle and wait for an attack.
Implications for Cybersecurity
Cyber threats are more sophisticated than ever, particularly those from entities such as COLDRIVER, so the need for comprehensive cybersecurity strategies has never been more critical. Organizations should consider investing in advanced detection systems and employee training to mitigate the risks associated with cyber espionage, and, given the cost of those investments, they need to make them wisely.