COLDRIVER Hackers Unveil New Malware Families Amid Heightened Cyber Activity


By Tina Reynolds


This is a major escalation in the group’s cyber activities. COLDRIVER’s malware has evolved significantly since it was first discovered in May 2025, and the group has now produced three distinct families: YESROBOT, NOROBOT and MAYBEROBOT. The cybersecurity firm Zscaler ThreatLabz has been tracking NOROBOT and MAYBEROBOT under the aliases BAITSWITCH and SIMPLEFIX, respectively.

COLDRIVER’s activities surfaced just after the Netherlands’ Public Prosecution Service announced an investigation into three 17-year-old suspects. The suspects allegedly received money in exchange for providing services to a foreign government. One of them was allegedly in communication with a hacker collective known to have connections to the Russian state. Two of the alleged perpetrators were arrested on 22 September 2025, and the third remains under house arrest.

Evolving Malware Landscape

COLDRIVER’s malware has been used in several cyber campaigns, notably the deployment of the information-stealing malware dubbed LOSTKEYS, which attackers first used in January, March and April 2025. These cases show a distinct trend of heightened sophistication and purpose.

The changing nature of COLDRIVER’s malware illustrates how the group approaches its operations strategically. Wesley Shields from Zscaler ThreatLabz noted that “NOROBOT and its preceding infection chain have been subject to constant evolution—initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.” This latest development shows that COLDRIVER is continuing to adapt to emerging security practices while improving its ability to deliver attacks more effectively.

“A collection of related malware families connected via a delivery chain,” – Wesley Shields.

The threat landscape is always evolving, and COLDRIVER’s activities point to a bolstered “operations tempo” and a more aggressive posture in its cyber operations. This direction can be seen most dramatically in the group’s latest malware families, which are designed to capitalize on their targets’ vulnerabilities and to further foreign objectives of espionage and data theft.

Investigation and Arrests

The Netherlands’ Public Prosecution Service is seeking the imposition of civil law penalties on the three suspects. The investigation is the latest step toward untangling the connections between local actors and international criminal syndicates. Authorities disclosed that one of the suspects was the ringleader, and that he ordered the other two to repeatedly scan Wi-Fi networks around The Hague.

“This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague,” – OM (Openbaar Ministerie, the Dutch Public Prosecution Service).

These operators, sometimes in cooperation with telcos, allegedly sold the gathered data to the highest bidder, which would increase the risk of digital espionage and cyber attacks. The Dutch prosecution service emphasized that “there are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government.”

This investigation underscores the interconnectedness of local operatives and international hacking groups, raising concerns about national security and the implications for cyber defense strategies.

Implications for Cybersecurity

The discovery of COLDRIVER’s malware families represents a major threat to organizations around the world. Because these threats can change overnight, there will always be a need for capable, ever-vigilant cybersecurity professionals. Experts agree that the world of cyber threats is growing more complicated and sophisticated by the day, so organizations holding valuable data must be proactive and prepared for these complex attacks.

These recent disclosures about COLDRIVER serve as a reminder of the need for better communication and cooperation between cybersecurity researchers and law enforcement. Through collaboration and the exchange of resources, both will be better equipped to face the challenges posed by threat actors such as COLDRIVER.