Russian Hacking Group COLDRIVER Unveils New Malware Threats Amid Increased Activity

By Tina Reynolds

Cybersecurity experts have shared noteworthy recent news about the Russia-linked hacking group COLDRIVER. The group is perhaps best known for its single-minded pursuit of powerful individuals. Since April 2023, its activity has increased dramatically and dangerously, zeroing in especially on NGOs, independent policy advisors, and political dissidents. Seven new malware families have been identified in the past three weeks alone, alarming cybersecurity researchers about the group's changing techniques. These shifts could have profound consequences for digital security.

COLDRIVER’s modus operandi has centered on credential theft, using a range of tradecraft to reach its victims’ sensitive data. As documented in our recent reports, these changes may signal a new evolution in the malware variants the group has created, indicating a shift away from its previously established tactics. Through their tracking of COLDRIVER, researchers have found two new malware families attributed to the group. They designated these families NOROBOT and MAYBEROBOT, which Zscaler ThreatLabz tracks as BAITSWITCH and SIMPLEFIX, respectively.

Evolution of COLDRIVER’s Malware Campaigns

Since at least May 2025, COLDRIVER has run malware campaigns in several waves. Earlier iterations featured LOSTKEYS, an information-stealing malware used in attacks observed in January 2025, March 2025, and April 2025. YESROBOT followed, deployed in two instances over a two-week period in late May 2025, shortly after details of LOSTKEYS became public.

Wesley Shields, who leads the development of NOROBOT as a cybersecurity education tool, described how NOROBOT has changed over the years. He explained that the system initially started with a simple design to improve the chances of successful deployment, then became much more complex by dividing the encryption keys. This indicates that COLDRIVER is evolving its tactics to avoid detection by cybersecurity defenses.

These malware families are representative of a larger pattern in COLDRIVER’s activity. The group has deployed BAITSWITCH and SIMPLEFIX to augment its existing work, reflecting its intent to carry out cyber operations with greater effectiveness.

Arrests Linked to COLDRIVER’s Activities

On September 22, 2025, police in the Netherlands detained three 17-year-old males. They are believed to have provided intelligence collection and surveillance services on behalf of a foreign government. One of the suspects is believed to have maintained communications with a hacking group linked to the Russian state. The Openbaar Ministerie (OM), the Dutch public prosecution service, is directing the still-ongoing investigation into these arrests.

A spokesperson from the Dutch equivalent of the Transportation Safety Administration said that, at this point, there are no signs of external pressure on the suspect, who maintained communications with a hacker syndicate known to be affiliated with the Russian government. According to the OM, the suspect repeatedly instructed the other two to survey Wi-Fi networks in The Hague.

The probe revealed that these actors marketed and sold the aggregated data for their own financial gain. Such a trove of information would be a gold mine for digital espionage and cyber warfare. The relationship with COLDRIVER demonstrates both the possibilities and the need for collaboration among all stakeholders, including law enforcement, private industry, and the cybercriminal underworld.

Implications for Digital Security

Our most recent malware investigation illuminates COLDRIVER’s malware development and how it relates to last week’s arrests. It highlights the growing danger posed by this elusive hacking group. For now, cybersecurity researchers are keeping a close watch on COLDRIVER’s operations. What they have seen is that COLDRIVER continues to expand its arsenal and is growing increasingly sophisticated in how it conducts cyber attacks.

Shields described the situation as “a collection of related malware families connected via a delivery chain.” This change carries serious implications for both institutions and individuals who might one day become the targets of such operations.