The Russian-linked hacking group COLDRIVER has recently been tied to a wave of advanced cyberattacks. Its targets range from prominent figures in non-governmental organizations (NGOs) to policy advisors and dissidents. The group’s operations have typically centred on credential theft, but recent events again show a dangerous trend: changing tactics and an expanding malware arsenal.
Since May 2025, COLDRIVER has introduced a notable number of new malware families. These include NOROBOT and MAYBEROBOT, which Zscaler ThreatLabz tracks as BAITSWITCH and SIMPLEFIX, respectively. This has occurred alongside a marked increase in the volume and complexity of the group’s activity, a shift that is raising alarms among cybersecurity experts.
Recent Malware Developments
In January, March and April 2025, COLDRIVER was responsible for a string of high-profile attacks that deployed an information-stealing malware named LOSTKEYS. The heightened operational tempo that followed indicates that COLDRIVER is rapidly evolving its tactics, an evolution that increases its effectiveness in cyber espionage.
Wesley Shields, a cybersecurity analyst, noted the changing nature of COLDRIVER’s malware:
“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.” – Wesley Shields
New intrusions did not take long to arrive after LOSTKEYS was disclosed, and they introduced a new malware family named YESROBOT. This malware was observed being deployed twice over a two-week period in late May 2025, only a few weeks after the initial public information about LOSTKEYS was released.
Arrests Linked to COLDRIVER Activities
In a separate but significant development, the Dutch Public Prosecution Service (Openbaar Ministerie, OM) announced that three 17-year-old suspects are accused of providing services to a foreign government, allegedly in connection with COLDRIVER. Two of the suspects were arrested by Dutch police on September 22, 2025. The third, said to have been less involved, has been placed under house arrest.
The OM disclosed that one of the suspects repeatedly instructed the other two to map Wi-Fi networks in The Hague, a task they carried out dozens of times.
“This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague,” – Openbaar Ministerie (OM)
According to the OM, the collected data was then passed on to a paying client. In the hands of hostile governments or the hackers working for them, such Wi-Fi mapping data can support espionage and cyberattacks.
“The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.” – Openbaar Ministerie (OM)
Evolving Tactics and Future Implications
COLDRIVER’s recent activity marks a departure from its usual way of operating. The new wave of attacks indicates that the group is investing more resources in developing more advanced malware, and its future plans and capabilities remain an open question.
Dutch authorities state that there are “no indications” that pressure was exerted on the suspect who was in direct contact with the hacker group affiliated with the Russian state.
“There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government,” – The Dutch government body
Cybersecurity experts are watching COLDRIVER’s development with great interest. Companies and individuals alike should remain vigilant against the new threats posed by this state-linked espionage actor.