Today, a Russia-linked hacking group known as COLDRIVER has reemerged with a new family of malware. This development further underscores the group's growing ambitions and its increasing operational tempo since May 2025. The group usually focuses on high-profile people such as NGO employees, policy advisors, and dissidents in order to harvest credentials. This year, though, it has begun to play a very different game. Cybersecurity researchers and law enforcement officials, including the Netherlands' Public Prosecution Service (OM), have been paying very close attention to these developments.
Based in part on our analysis of COLDRIVER, YESROBOT, a malware variant with very limited deployment, has been linked to a series of related malware variants. This new malware was observed in only two cases, specifically during a focused two-week spate between May 27 and June 11, 2025. The small but capable crew not only works directly with YESROBOT but maintains a number of other malware families as well. These are NOROBOT and MAYBEROBOT, which Zscaler ThreatLabz tracks as BAITSWITCH and SIMPLEFIX.
Evolving Malware Landscape
The malware landscape tied to COLDRIVER has changed considerably since the beginning of 2025. We first witnessed the group at work in January, March and April of that same year. This was days before LOSTKEYS, an information-stealing malware variant, became public.
Wesley Shields, a cybersecurity expert, stated, “NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.” This illustrates a shift in COLDRIVER's strategy, one that is clearly becoming more focused on advanced attacks.
This recent wave of malware attacks is a departure from COLDRIVER's typical modus operandi. Interestingly, the deployment of YESROBOT started just a few months after the information about LOSTKEYS was made public. This timing reflects a deliberate approach by COLDRIVER to apply the lessons learned from its earlier campaigns.
Targeting High-Profile Individuals
COLDRIVER's usual quarry are the ‘big fish’: prominent people working in NGOs and policy-making circles. The group's activities should alarm anyone worried about the scourge of digital spying and cyber intrusions against sensitive targets.
The OM's widely reported announcement illustrated the group's operational reach. It announced the arrest of three 17-year-old suspects in connection with providing services beneficial to a foreign government. Two of these suspects are under arrest as of September 22, 2025, and the third remains under house arrest.
“This suspect gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague,” stated the OM. This case highlights how COLDRIVER's chosen activities can endanger U.S. national security.
The announcement indicates that these suspects have been selling the information they gathered to outside clients for a profit. This has opened the door to more cyberattacks and cyberespionage. “The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks,” added the OM.
Increased Operational Tempo
Since May 2025, COLDRIVER has been moving much faster, and its experimentation has progressed considerably. The group's many developmental iterations of malware are an early warning sign of how rapidly its capabilities are growing.
Cybersecurity experts were quick to note that COLDRIVER's recent campaigns exhibited exceptional creativity. These operations demonstrate remarkable flexibility and responsiveness to new threats. The group's ties to state-sponsored hacking have sounded alarm bells across the cybersecurity community.
According to a representative from one Dutch government agency, at this time there is no indication that any pressure was exerted on the suspect. This suspect was in contact with a hacker group known to have ties to the Russian government. This statement captures the spirit of the ongoing investigations into COLDRIVER's criminal associations and tactics.