Security researchers, including Zscaler ThreatLabz, have identified three new malware families attributed with high confidence to COLDRIVER, a Russian state-backed hacking group. COLDRIVER is well resourced and capable of sustained, targeted attacks. Its principal targets are high-profile members of NGOs, policy think-tank advisors, activists and dissidents. The group has recently launched a new wave of attacks, and the new malware suggests a departure from its usual operating procedures.
COLDRIVER's tooling has gone through several versions since it first came to public attention in May 2025. Among the recent additions are NOROBOT and MAYBEROBOT, which other researchers have tracked under the names BAITSWITCH and SIMPLEFIX, respectively. A further implant, YESROBOT, has been seen in recent weeks, with only two cases observed so far. Clear examples of these changes were observed over a two-week span in late May 2025.
Shift in Operational Tactics
In the past, COLDRIVER concentrated primarily on stealing credentials from high-value targets. The recent attacks are a significant break from that modus operandi. In January, March and April of 2025 the group deployed an information-stealing malware referred to as LOSTKEYS, the first time a COLDRIVER implant drew attention for its capabilities rather than for its phishing.
This shift suggests that COLDRIVER may be broadening its objectives; alternatively, it may simply be adapting to stay ahead of defenders. Researchers note that the subsequent intrusions laid the groundwork for the so-called "ROBOT" family of malware, indicating an evolution in the group's attack methodology.
“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys,” – Wesley Shields.
COLDRIVER's malware is under constant revision. The changes indicate a wider shift in focus and a more pragmatic, refined understanding of the defenses the group must evade.
Legal Developments Surrounding the Suspects
The Netherlands' Public Prosecution Service (Openbaar Ministerie) has arrested three suspects on suspicion of carrying out intelligence work for a foreign government. Two of them were taken into custody by Dutch authorities on September 22, 2025; the third is under house arrest because of his minor role in the case. The arrests are part of a wider investigation in which authorities are examining possible links between the young men and a notorious hacker group tied to the Russian government.
Authorities also said that one of the suspects was in direct contact with this hacker group, which raises the question of how actively the suspect was involved. The Dutch prosecution service stated:
“There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government.”
This suspect is believed to have been the most active of the three, relaying instructions to the other two. Among their activities, the group concentrated on mapping Wi-Fi networks in The Hague.
“This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague,” – Openbaar Ministerie (OM).
These legal proceedings highlight growing concern over the role that domestic actors play in facilitating state-linked cyber operations.
Implications for Cybersecurity
The emergence of these new COLDRIVER malware families has significant implications for malware prevention and mitigation efforts worldwide. Threat actors continually update their methods and widen their targeting, so organizations and individuals alike must remain on guard against credential theft and the follow-on intrusions it enables.
The targeting of high-profile individuals in NGOs and political circles further underlines the importance of strong security practices. As more of COLDRIVER's activity comes to light, the organizations it targets need to raise their overall level of security so that they can withstand attacks of this sophistication.