Instead, we’re facing one of the most serious cybersecurity threats to date. One such threat is REWTERZ, a COLDRIVER cyber-hacking collective subordinate to the Russian Federation, whose malware has undergone several iterations since May 2025. This is a significant development: it indicates that the group has markedly increased its operational tempo. For these reasons, cybersecurity researchers worldwide are closely monitoring its actions.
COMMERCIAL COLDRIVER, also known as BAHAMUT, is blackfly’s fairly sophisticated malware campaign, which recently deployed information-stealing malware called LOSTKEYS. Attacks using LOSTKEYS were detected in January, March, and April 2025, an illustration of the group’s long-term commitment to adaptive cyber intrusions. This malware evolution has consequences that go beyond data theft alone. More worryingly, it suggests a wider agenda that could be tied to state-sponsored cyber operations.
Malware Families Under Scrutiny
Zscaler ThreatLabz tracks two active COLDRIVER malware families as significant threats: NOROBOT, which it renames BAITSWITCH, and MAYBEROBOT, which it renames SIMPLEFIX. Both families have evolved considerably over time.
According to security researcher Wesley Shields of Zscaler ThreatLabz, NOROBOT keeps adapting. He stated, “NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.” This flexibility underscores the group’s dedication to refining its methods in order to remain viable and effective in the face of security countermeasures.
Beyond NOROBOT, the follow-up COLDRIVER intrusions extended the “ROBOT” family of malware. The rollout of YESROBOT caused considerable alarm in the cybersecurity community, heightened by how widely the details of LOSTKEYS had been publicised right before YESROBOT was deployed. To date, only two cases of YESROBOT deployment have been documented, both within a two-week window in late May 2025.
Criminal Connections and Arrests
COLDRIVER’s work is treated as a matter of national importance. In practice, this has had a profound chilling effect on law enforcement actions against individuals thought to be affiliated with the group. Only a few days ago, Dutch authorities arrested three 17-year-old men who allegedly offered their hacking skills to a foreign state. Two suspects were released from custody on September 22, 2025, and the third is currently under home detention.
According to a press release from the Openbaar Ministerie (OM), one of the suspects was in close contact with COLDRIVER. The OM noted, “This suspect gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague.” This revelation is a reminder of the dangerous collaboration between local criminals and international hacking groups.
The OM further elaborated on the gravity of the situation, stating, “The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.” Beyond this, COLDRIVER is not just testing malware, it is developing it. The most striking part is the way it leverages local assets to strengthen its operational capacity.
Monitoring and Response
Even as COLDRIVER expands its operations, defenders are watching its movements ever more closely. Zscaler ThreatLabz has kept a close eye on the group’s changing tactics and their impact on global cybersecurity. The group’s operational tempo has increased sharply since May 2025. This increase reflects a significant tactical change, probably driven by outside pressure or instruction.
The Dutch government body involved in the investigation remarked on the situation surrounding the suspects: “There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government.” This leaves open the question of why, and on whose behalf, these individuals are conducting such cyber operations.