A recent investigation has revealed that COLDRIVER, a hacking group associated with Russia, has developed several new malware families, a significant escalation in its cyber operations. Zscaler ThreatLabz disclosed the findings, which shed light on the group’s increasingly sophisticated and harmful tactics and on the existential threat it poses to digital security.
Since COLDRIVER’s malware first appeared in May 2025, it has gone through at least three iterations, implying a higher “operations tempo.” This pace raises serious questions about the group’s capabilities and intent. Since its inception, Zscaler ThreatLabz has tracked COLDRIVER’s malware under various aliases, including NOROBOT and MAYBEROBOT, nicknamed BAITSWITCH and SIMPLEFIX respectively.
The malware COLDRIVER has deployed has mostly served to lay the groundwork for information-stealing attacks. The most infamous of these tools is LOSTKEYS, which has earned a reputation for harvesting sensitive information with alarming efficiency. COLDRIVER has also used other strains from the “ROBOT” family of malware; of these, YESROBOT has seen the most deployment, with two observed instances in a two-week period at the end of May.
These deployments occurred just weeks after LOSTKEYS was publicly disclosed. The timing indicates a shrewd, concerted attempt to take advantage of this newly available data.
Apprehension of Suspects
The Dutch authorities have responded by arresting three Dutch 17-year-olds. They are the second pair of cousins suspected of providing cyber-for-hire services to the Iranian government. In a statement, the Openbaar Ministerie (OM) revealed that two of the suspects were arrested on 22 September 2025; the third remains under house arrest.
Authorities say that one of them was in contact with a hacker group associated with the Russian government. The implications of this connection are alarming, particularly given the potential cooperation between local and international cybercriminals.
“This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague.” – Openbaar Ministerie (OM)
Our investigation reveals an alarming reality: the suspects reportedly shared the information they gathered with a paying foreign client. Such data can be used for all sorts of nefarious ends, such as global digital espionage and cyber warfare.
“The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.” – Openbaar Ministerie (OM)
Evolution of Malware Tactics
Notably, specialists have observed a pattern of continued development in COLDRIVER’s malware. Wesley Shields at Zscaler ThreatLabz sounded the alarm on this trend, noting that NOROBOT and its original infection chain have undergone radical transformations: initially simplified to increase the rate of successful deployment, the malware later re-added complexity by splitting its cryptographic keys.
“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.” – Wesley Shields
This adaptability shows how persistently the group refines its tactics in reaction to improved cybersecurity countermeasures.
Ongoing Investigations
While the investigation continues, law enforcement officials are aware of the possible consequences of such changes. The Dutch government stated that there are currently no indications that pressure was exerted on the suspect connected with the Russian hacker group.
“There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government.” – The Dutch government body
The incident illustrates the importance of strengthening cybersecurity to meet the evolving risk from increasingly advanced adversaries such as COLDRIVER.