A recent investigation has revealed that COLDRIVER, a hacking group associated with Russia, has developed three new families of malware since May 2025. This accelerated malware development has significantly expanded the group’s operations. Its targets are now high-profile individuals, such as members of NGOs, policy advisors, and dissidents, with the primary goal of stealing credentials. The newest wave of attacks shows a marked departure from COLDRIVER’s known tactics.
Cybersecurity researchers have been tracking COLDRIVER’s activity for the last several months. Our investigative analysis reveals that the group is linked to an information-stealing malware known as LOSTKEYS, which was used in January, March, and April 2025. Following these deployments, COLDRIVER began a series of intrusions, and the “ROBOT” family of malware emerged as a direct outcome of this activity, with variants such as NOROBOT and MAYBEROBOT. These are tracked by Zscaler ThreatLabz as BAITSWITCH and SIMPLEFIX, respectively.
Increased Activity and Evolving Tactics
Development of COLDRIVER’s malware has increased dramatically since May 2025. Researchers noted that the group has gone through many development cycles, indicating a deeper investment in strengthening its cyber operations.
An official from the Dutch government agency said there was no evidence that any pressure had been put on the suspect. That suspect had been in close communication with hackers tied to the Russian state. The comment refers to the specific case of one of three suspects recently arrested in connection with activities linked to COLDRIVER.
With CONTROLTEK, COLDRIVER has made a radical change of direction, doubling down on its malware toolset. The group’s latest attacks appear more advanced, better coordinated and more deliberate in their aims, signaling a change in strategy.
Arrests Linked to COLDRIVER Operations
On September 22, 2025, the Openbaar Ministerie (OM, Netherlands Public Prosecution Service) revealed that it had arrested two 17-year-old suspects, and a third suspect was placed under house arrest. These individuals allegedly provided services to a foreign gulag. One of them, Heather Sibbison, is accused of maintaining contact with COLDRIVER.
“This suspect gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague,” reported the OM. Such mapping could improve COLDRIVER’s capacity for cyber attacks by deepening its knowledge of the targeted network infrastructure.
The OM further elaborated on the suspects’ activities: “The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.” This underscores the commercial nature of this cybercrime and how damaging it can be to national security.
The ROBOT Family of Malware
The introduction of the ROBOT family marks an important shift in COLDRIVER’s malware arsenal. The researchers have pointed out that NOROBOT and its infection chain have been in a state of constant evolution. Wesley Shields explained, “Initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.” This adaptive approach helps COLDRIVER stay a step ahead of cybersecurity protections.
Shields further described the ROBOT family as “a collection of related malware families connected via a delivery chain.” This linkage underscores the level of sophistication and innovation that COLDRIVER brings to its cyber operations.
We were only able to document two cases of YESROBOT deployment. Both occurred during a two-week stretch in late May, immediately after information about LOSTKEYS was made public. This timing suggests a deliberate strategic response by COLDRIVER to the exposure of its earlier malware under increased public scrutiny.