New Malware Families Linked to COLDRIVER Hackers Discovered by Experts

By Tina Reynolds

One recent investigation has revealed the use of three new malware families associated with the Russian-linked hacking group COLDRIVER. The most worrying finding is a marked step up in the sophistication of the group’s attack methods. Since May 2025, they have dramatically increased their activity. Zscaler ThreatLabz is currently tracking the NOROBOT and MAYBEROBOT malware families, which it calls BAITSWITCH and SIMPLEFIX, respectively.

COLDRIVER has garnered attention for its targeted operations against high-profile individuals, particularly within non-governmental organizations (NGOs), policy advisors, and dissidents. These attacks typically aim at credential theft. The newest waves of attacks mark a distinct departure from the group’s usual modus operandi, and this seemingly simple change is cause for alarm given its potential impact on cybersecurity.

Recent Developments in Malware Deployment

The malware created by COLDRIVER has appeared in multiple forms since May 2025, a rapid turnover that reflects a much quicker operational pace. Not surprisingly, some experts think this shift will make the group more effective at cyber espionage. In January, March, and April of 2025, attacks were observed deploying an information-stealing malware dubbed LOSTKEYS, and each of these events raised alarm about the threats the group poses.

In late May 2025, the public got its first glimpse of LOSTKEYS. Soon after, two YESROBOT deployments were counted in a span of just two weeks. All of these developments further demonstrate that COLDRIVER is an operation with real momentum, and that the group is retooling its approach to improve its odds of success.

“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.” – Wesley Shields

Wesley Shields, an expert in cybersecurity, described the evolution of NOROBOT as a “collection of related malware families connected via a delivery chain.” This relationship between different malware variants makes for more advanced attacks and greater potential for damage.

Arrests Linked to COLDRIVER Activities

On September 22, Dutch authorities arrested two 17-year-old suspects involved in COLDRIVER’s deployment. The Netherlands’ Public Prosecution Service (Openbaar Ministerie, OM hereafter) has taken a daring step in declaring that … They believe that these people provided services under the direction of a foreign government. One suspect is accused of maintaining communication with a hacker division connected to the Russian government.

Police say the third suspect is under house arrest because of his “limited role” in the alleged operation. The OM stated that these three people contributed to an environment that fosters digital espionage and cyber attacks.

“The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.” – Openbaar Ministerie (OM)

The OM reported that one of the suspects repeatedly instructed the others to survey Wi-Fi networks. Such activities were repeated on several days in The Hague. This highlights the operational capabilities of the suspects and their possible links to larger cyber espionage campaigns.

Implications for Cybersecurity

The rise of these new malware families is not a passing fad, but a serious risk to cybersecurity practitioners and businesses across the globe. COLDRIVER’s change in approach, if confirmed, is a clear sign that the group is making a strategic shift to widen its reach and increase its effectiveness. As its malware grows more sophisticated, organizations must stay diligent and proactive in their defenses.

The participation of such young suspects further highlights how the recruitment and training practices of these hacking groups merit scrutiny. Authorities are increasing efforts to monitor and disrupt these networks, with the goal of reducing the dangers associated with state-sponsored malicious cyber activity.

“There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government.” – Dutch government body