Hacking group COLDRIVER, which has ties to the Russian government, is responsible for a new wave of malware that has advanced dramatically since May 2025. The pace of change reflects a higher operational tempo, a sign of the threat actor’s growing activity. Recent research reports by Zscaler ThreatLabz show that COLDRIVER’s malware is tracked under several names, including NOROBOT, MAYBEROBOT, BAITSWITCH and SIMPLEFIX.
Counterproductive and disturbing developments are also afoot in the Netherlands. Law enforcement agencies have arrested three 17-year-olds for allegedly offering their services to a foreign government, in the same period in which these malware families were taking shape. The announcement further highlights the growing alarm over cyber threats from Russia-affiliated groups.
COLDRIVER’s Evolving Malware
Even over its relatively short period of active operations, which began in earnest in May 2025, COLDRIVER has shown a proven record of adaptability and innovation. The malware attributed to this group has gone through several iterations, each intended to increase its utility. Among the interesting variants discovered is YESROBOT, which has been observed only twice to date.
The first YESROBOT deployments occurred during a two-week window at the end of May 2025, shortly after details of LOSTKEYS, another family of information-stealing malware, became public. LOSTKEYS had been deployed in January, March, and April of that year. These initial incursions paved the way for subsequent malware campaigns, including those associated with the “ROBOT” family.
“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys,” – Wesley Shields.
This quote by one of COLDRIVER’s engineers illustrates how quickly the malware adapts, and that the ongoing battle continues to force COLDRIVER to hone its tactics further.
Arrests in the Netherlands
In conjunction with revelations about COLDRIVER’s activities, the Netherlands’ Public Prosecution Service (Openbaar Ministerie or OM) announced that three teenagers are under investigation for allegedly providing services to a foreign government. As one of these suspects is said to have links to a hacker group affiliated with Russia, this is especially newsworthy.
On September 22, 2025, law enforcement arrested two of the suspects. The third suspect is only under house arrest, because the extent of his role in the alleged criminal acts was minimal. The OM highlighted that there is no evidence so far that pressure was put on the suspect who had extended interactions with the Russian collective.
“There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government,” – Dutch government body.
The case also brings into focus a domestic security concern: cyber operations within the EU that may reflect foreign influence.
Implications for Cybersecurity
The recent breakthrough against COLDRIVER’s malware campaigns is a reminder that the threat from advanced, persistent cyber actors remains with us. The data collected through these campaigns is extremely dangerous: it can be used for digital espionage and for planting malware that extends into wider cyber attacks.
“The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks,” – OM.
Cybersecurity experts caution that threats are constantly changing. They encourage all organizations to stay alert and take proactive measures to defend against these sophisticated, persistent threats. The malware being developed by groups such as COLDRIVER is increasingly sophisticated and dynamic, and this case underscores the pressing need for improved cybersecurity collaboration between government and industry.