COLDRIVER Hacking Group Unveils New Malware Families and Targets High-Profile Individuals


By Tina Reynolds


Yesterday, we published a new discovery revealing how the Russia-linked hacking group COLDRIVER has developed multiple new malware families. AI has also allowed the group to scale up its operational activity exponentially. Since May 2025, COLDRIVER's work looks a bit different: it is now connected to a range of attacks that depart from its usual MO of harvesting credentials from prominent people in NGOs, policy advisors, and dissidents.

The evolution of COLDRIVER's malware indicates a significant shift in the group's tactics and goals. Cybersecurity experts have observed a marked increase in "operational tempo," a sure sign that activity from the threat actor has increased and is accelerating. The crew has been well ahead on malware, most notably with the ROBOT family. As for the newer YESROBOT and other variants such as NOROBOT and MAYBEROBOT, Zscaler ThreatLabz has been calling these BAITSWITCH and SIMPLEFIX.

Increased Operational Tempo

Since May 2025, COLDRIVER has shown a significant uptick in its hacking activity. This is not the first time the notorious group has deployed information-stealing malware: its LOSTKEYS stealer was first seen in January, then again in March and April of the same year. The third wave of intrusions brought the development of the ROBOT family of malware.

Experts also point out that NOROBOT and its earlier infection chain have been continually evolving. "Initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys," commented a cybersecurity analyst with the alias Shields.

If successful, this change in strategy would represent a new direction for COLDRIVER. The group appears to be experimenting with more advanced methods and broadening its targeting beyond its classic victims.

Suspects Arrested in Connection with COLDRIVER

In a parallel story, law enforcement has arrested three 17-year-old male residents of the Netherlands as suspects. They stand charged with "conspiracy to provide services for the benefit of a foreign government." One of the suspects allegedly reached out to a hacker group linked to the Russian government, which might connect them to COLDRIVER's activity.

On September 22, 2025, police arrested two of the suspects. The third suspect has been placed under house arrest due to his lesser involvement in the case. According to the Openbaar Ministerie (OM), this suspect provided guidance to the other two, who repeatedly mapped Wi-Fi networks in The Hague.

“There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government,” reported a representative from the Dutch government body overseeing the investigation.

Shifting Target Demographics

In the past, COLDRIVER's targets have included staff members of non-governmental organizations, policy advisors, and political dissidents. Recent attacks mark a break with this established modus operandi. The group's rising operational tempo points to a wider and deeper set of goals that likely go beyond credential theft.

According to Microsoft, the malware associated with COLDRIVER should alarm us all as to what it could mean for our nation's cybersecurity, especially in critical sectors. The hacking group is constantly adapting its targets and methods. Businesses need to recalibrate their defenses in order to protect effectively against these highly sophisticated threats.