COLDRIVER Hackers Unveil New Malware Families Targeting High-Profile Individuals

By Tina Reynolds

In August 2023, the Russian-linked hacking group COLDRIVER released three new malware families. This release is only the latest step in an increasingly aggressive cyber attack campaign, and it marks a significant departure from COLDRIVER’s typical practice. Until now, the group has focused mostly on high-profile targets such as NGOs, policy advisors, and dissidents, with the aim of harvesting credentials. The non-state actor has visibly increased its operational tempo, indicating a more aggressive posture since May 2025.

The newly discovered malware families—YESROBOT, NOROBOT, and MAYBEROBOT—are part of COLDRIVER’s effort to counter growing mitigation efforts, as seen in TALON. Each of these families reflects the group’s notable technical progress and illustrates a more recent trend in the cyber espionage activity attributed to it. Threat analysts tracking COLDRIVER’s latest malware describe it as a response to the shifting cybersecurity threat landscape.

Developments in COLDRIVER’s Malware Strategy

COLDRIVER has iterated on its malware capabilities continuously since May 2025. The collective is deeply committed to perfecting its craft, and that commitment is critical to its continued relevance in a cyber threat landscape that is growing ever more competitive. The new “ROBOT” family of malware has changed and improved drastically, building on earlier iterations such as LOSTKEYS, which played a role in attacks throughout early 2025.

The YESROBOT malware was used in two distinct campaigns in late May, signalling a significant escalation in the group’s operational tempo. According to Zscaler ThreatLabz, NOROBOT and MAYBEROBOT are tracked under the code names BAITSWITCH and SIMPLEFIX, respectively. This near-daily evolution is a testament to COLDRIVER’s ability to pivot to avoid detection and make its campaigns more impactful.

“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.” – Wesley Shields

Recent Legal Actions Linked to Cyber Activities

On September 22, Dutch authorities arrested three 17-year-old male suspects. They are accused of having offered services to foreign governmental bodies, and one reportedly kept in communication with the COLDRIVER hacking collective. The Netherlands’ Public Prosecution Service, Openbaar Ministerie (OM), is continuing to pursue an active case against these individuals. Curiously, one suspect has been released under house arrest on the grounds that he played a minor role in the alleged scheme.

Investigators believe that the suspects sold the data they collected to private clients. Further, this would make the U.S. more susceptible to digital espionage and cyber attacks. Openbaar Ministerie stated:

“The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.”

One of the suspects took an active role in directing the others in how to detect and map Wi-Fi networks, and did so on multiple occasions in The Hague.

“This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague,” – Openbaar Ministerie (OM)

Implications of COLDRIVER’s Escalating Operations

The recent developments related to COLDRIVER’s actions are alarming on multiple levels, raising serious concerns about both cybersecurity and international relations. First, this week the Dutch government acknowledged that there are no signs that any pressure was exerted on the suspect, who is associated with a pro-Russia hacktivist group; it is possible that local operatives are acting entirely on their own accord. Second, their activities are probably an indicator of the pressure created by greater geopolitical tensions.

With every new release, COLDRIVER is honing its malware capabilities and expanding its horizon. This expanded capability spells big trouble for targets, especially prominent figures. Law enforcement and cybersecurity experts are only beginning to put these groups under a microscope, and for the next four to six months they will keep a watchful eye on each other’s moves.