New Malware Families Linked to Russian COLDRIVER Group Spark Security Concerns

By Tina Reynolds

This month’s investigation has uncovered evidence that the Russia-linked hacking group COLDRIVER is continuing its activities. Also known as TA405, the group has recently developed new malware families, with several iterations already since May 2025. Cybersecurity researchers from Zscaler ThreatLabz have documented this trend. So far, they have traced two malware families, NOROBOT and MAYBEROBOT, which they track under the names BAITSWITCH and SIMPLEFIX.

COLDRIVER has traditionally focused on high-value targets in NGOs, policy advisors, and dissidents for credential theft. Recent attacks show that there has been a fundamental change in their operational tactics.

Shifting Tactics and New Malware Developments

Near the end of May 2025, another new information-stealing malware named LOSTKEYS came to light. Soon after, two samples of a new malware variant called YESROBOT appeared within a two-week period. COLDRIVER’s tactics are dynamic and keep changing. The group behind this long-running and prolific malware operation has recently expanded its repertoire to include the “ROBOT” family of malware, comprising YESROBOT, NOROBOT, and MAYBEROBOT.

Wesley Shields, a cybersecurity expert, commented on the evolution of NOROBOT, stating, “NOROBOT and its preceding infection chain have been subject to constant evolution—initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.” This continued evolution shows the group’s willingness to keep adapting its tooling and tactics in order to stay effective in its cyber campaigns.

Arrests Linked to COLDRIVER’s Operations

The Netherlands’ Public Prosecution Service (Openbaar Ministerie) took an extraordinary step and arrested two suspects who allegedly sold services to COLDRIVER. In total, three suspects, two girls and one boy, all 17 years old, are accused of links to a hacker collective known to be connected to the Russian state. The two arrests occurred on September 22, 2025, while the third suspect remains under house arrest due to his “limited role” in the activities.

The Openbaar Ministerie reported that this suspect “also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague.” This suggests an effort to collect information that could enable further cyber operations in service of COLDRIVER.

The Dutch government body provided further insight into the investigation, noting that “there are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government.” This statement reflects the open questions that still surround the suspects’ ties to a foreign government and their role in its cyber operations as a whole.

Implications for Cybersecurity and International Relations

These trends are larger than any one specific cyber attack. They raise broader concerns about state-linked digital espionage and its effect on international stability. The Openbaar Ministerie highlighted that “the information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.” This raises national security risks, as even seemingly benign activities, such as mapping Wi-Fi networks, can put sensitive information and national security interests at risk.

Cybersecurity analysts remain on constant alert, as COLDRIVER’s malware has since been used in attacks in January, March, and April 2025. Given the constant evolution of the group’s tools and methods, these incidents emphasize the need for robust cybersecurity measures across various sectors.