One recently discovered Russian hacking group, COLDRIVER, has been particularly successful. Since May 2025, it has created eight new malware families, revealing major shifts and trends in its attacks. Cybersecurity researchers at Zscaler ThreatLabz have attributed at least four new malware variants to this group: BAITSWITCH, SIMPLEFIX, NOROBOT, and MAYBEROBOT. COLDRIVER’s growing “operations tempo” indicates a marked level of activity and sophistication in its cyber operations.
As previously observed in COLDRIVER’s malware campaign, tactics and tooling evolve visibly even within a single campaign. The group’s activity is linked to an information-stealing malware dubbed LOSTKEYS, which was deployed in attacks as recently as January, March, and April of this year (2025). Towards the end of May, we tracked the rollout of a YESROBOT clone on two different days. All of this happened within the span of a two-week blitz. This dramatic increase in activity has many in the cybersecurity community worried about what it means for the group’s capability to conduct future attacks.
Increased Activity and Development
Since its debut, COLDRIVER’s malware has undergone several iterations, indicating a heightened operational tempo. Wesley Shields, a prominent cybersecurity expert, noted that “NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.”
The “ROBOT” family of malware has been deployed in later COLDRIVER intrusions. The current campaign is a long-term, continuing hostile action, and it shines a damning light on the increasing sophistication and harmfulness of cyber attacks. The ability to innovate and adapt has placed COLDRIVER at the forefront of malicious cyber activity linked to state-sponsored threats.
“A collection of related malware families connected via a delivery chain,” – Wesley Shields
These malware families continue to be researched around the globe. What is more, their continued development reflects broader patterns in the cyber warfare tactics used by nation-state actors. This rapid evolution highlights the need for proactive monitoring and a shift to an adaptive cybersecurity defense strategy.
Legal Actions and Investigations
Here is how the Netherlands’ Public Prosecution Service (Openbaar Ministerie or OM) is responding. To counter COLDRIVER’s activities, it has opened an investigation into three 17-year-old suspects for allegedly rendering services to a foreign government. Under one charge, one of the suspects is alleged to have been in touch with a hacker organization connected to the Russian government.
On September 22, 2025, Dutch authorities arrested two of the suspects, while putting a third under house arrest. The OM stated that “the information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.”
The investigation highlights the connection between local youth and sophisticated cyber threats, raising concerns about recruitment and involvement in international cybercrime.
Implications for Cybersecurity
The emergence of COLDRIVER and its related malware families underscores the ever-growing need for strong cybersecurity practices. As attacks continue to grow in sophistication, organizations must be prepared to stay one step ahead of the attackers’ latest threats. CIS Build Kits are a vital part of COLDRIVER’s work. This relationship illustrates the growing multifaceted nature of today’s cyber threats.
Intelligence sharing and collaboration across borders, which cybersecurity experts say is essential to effectively fight threats like these, will help make that a reality. Recent news around COLDRIVER serves as a reminder that the cyber battlefield is continuously evolving. This new reality requires ongoing accountability from government and private sector entities alike.
“There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government,” – the Dutch government body