Google’s Threat Analysis Group (TAG) has discovered three new malware families attributed to COLDRIVER, the infamous Russian hacking group. The group, which has been organizing since May 2025, is continually sharpening its tactics and tools. It is also attempting to extend its reach to high-profile individuals, including those with links to non-governmental organizations (NGOs), policy advisors and even dissidents.
Zscaler ThreatLabz has observed the emergence of two new malware families, NOROBOT and MAYBEROBOT, which it has since designated BAITSWITCH and SIMPLEFIX, respectively. In January 2025, COLDRIVER deployed an information-stealing malware named LOSTKEYS, a decision that underscores the group’s continued deprioritization of credential theft as a central pillar of its operational strategy.
COLDRIVER’s Evolution and Tactics
Since its inception, COLDRIVER has undergone many developmental modifications to maximize its hacking potential. The group traditionally goes after high-value targets with spear-phishing attacks to harvest their credentials, and it now employs advanced malware to penetrate their digital ecosystems.
According to Wesley Shields, a cybersecurity expert with Zscaler ThreatLabz, NOROBOT has been evolving continuously.
“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys,” – Wesley Shields.
COLDRIVER continually develops new adversarial techniques to evade detection systems, a commitment that keeps its intelligence collection against high-profile targets effective.
Over the past few months, COLDRIVER’s operations have taken a sudden and profound turn. With the introduction of the “ROBOT” family of malware, including YESROBOT, the group has started moving away from its typical modus operandi. YESROBOT has been deployed in two instances so far, within a two-week window in late May 2025. This latest deployment may point to a change in the group’s strategy.
Ongoing Investigations and Arrests
The Netherlands’ Public Prosecution Service has announced that it is investigating three 17-year-old suspects. They are alleged to have willfully offered or sold services to a foreign government in relation to COLDRIVER’s operations. One of the suspects was reportedly arrested over his contact with a hacker group directly tied to the Russian government.
By September 22, 2025, police had arrested two of the other suspects. The third defendant remains under house arrest because of what officials described as a “minor role” in the case.
“This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague,” – Openbaar Ministerie (OM).
Authorities have indicated that the information gathered by the suspects was sold to clients for potential use in digital espionage and cyberattacks.
“The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks,” – Openbaar Ministerie (OM).
The criminal investigation and arrests are still ongoing. So far, there has been no indication that anyone has exerted pressure on the Russian-affiliated suspect who allegedly carried out SolarWinds.
“There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government,” – Dutch government body.
Implications for Cybersecurity
The story behind COLDRIVER is just one example of the shifting battlefield of cybersecurity threats. The new malware families are highly sophisticated. This trend underscores the critical need for organizations, particularly nonprofits and government entities, to reinforce their defenses against credential harvesting and intrusions by foreign adversaries.
Hacking operations of this kind collect sensitive information, setting the stage for significant privacy and security violations that affect both companies and individual Americans. As authorities continue their investigations and cybersecurity firms adapt to these emerging threats, the ongoing evolution of groups like COLDRIVER will likely continue to challenge digital security practitioners.