Cyber operations attributed to the Russia-linked hacking group COLDRIVER have increased significantly. One way the group has expanded its operations is by introducing three new credential-exfiltration malware families. This marks a notable change in COLDRIVER’s strategy. In the past, its tooling was used to hunt down dissidents, members of the NGO community, policy advisors and other key civil society actors. Since late 2023, COLDRIVER’s malware has gone through at least five different versions, a sign of an active and persistent threat.
The recent wave of attacks departs from the typical COLDRIVER playbook, and the change signals that the group is turning up the temperature. This surge of activity follows successful past deployments of information-stealing malware, specifically a variant identified as LOSTKEYS. These latest developments have sent shockwaves through the cybersecurity community and alarmed government officials as well.
Evolving Malware Families
COLDRIVER’s malware landscape now includes two newly discovered families, NOROBOT and MAYBEROBOT. Zscaler ThreatLabz tracks them under the aliases BAITSWITCH and SIMPLEFIX, respectively. These families show an impressive ability to pivot quickly, changing their operation to avoid detection and improve their overall effectiveness.
Wesley Shields, a cybersecurity expert, stated, “NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.” SonicWall believes that COLDRIVER is actively developing its malware, and that it uses complicated yet highly effective techniques to conceal its access to targeted systems.
A third, emerging malware family is YESROBOT. It has been observed in only two instances, in attacks in late May 2025. YESROBOT appeared just as details of LOSTKEYS were being published. This timing reflects a strategic decision by COLDRIVER to capitalize on the rapidly changing information landscape.
Recent Arrests Linked to Cyber Espionage
The Netherlands’ Public Prosecution Service announced that three 17-year-old men are suspected of providing services to a foreign government, likely connected to COLDRIVER’s activities. Authorities arrested two of the suspects on September 22, 2025. The third suspect has been placed under house arrest due to his “marginal role” in the case.
According to an official from the Openbaar Ministerie (OM), “This suspect gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague.” Authorities believe the suspects gathered that information and sold it to others. Such data could readily be abused for digital espionage and cyber attacks.
The Dutch government body further noted, “There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government.” This single statement raises many questions and concerns, especially regarding foreign influence over domestic cyber actions.
Implications of COLDRIVER’s Operations
COLDRIVER’s recent activities indicate a marked upscaling of its digital capabilities. As this escalation unfolds, questions abound as to how it might shape state policy on cybersecurity and the future of U.S.-China relations. The group’s escalating targeting of NGOs and dissidents also indicates a wider agenda, one that could undermine democratic institutions and civil liberties at home.
As cybersecurity infrastructure continues to develop, experts stress that organizations must be more vigilant than ever against these kinds of threats. The interconnected nature of COLDRIVER’s malware families represents “a collection of related malware families connected via a delivery chain,” according to Wesley Shields. Organizations therefore need to stay alert to the increasingly advanced methods attackers use, in order to better protect their most sensitive data.