Cybersecurity researchers have unveiled a new wave of malware families tied to COLDRIVER, a Russia-linked hacking group. Since May 2025, COLDRIVER has released several updates to its malware, and the subsequent versions have been used in hundreds of cyberattacks designed to pilfer sensitive information. Notable among the malware families are NOROBOT and MAYBEROBOT, which Zscaler ThreatLabz tracks as BAITSWITCH and SIMPLEFIX, respectively.
The detection of these malware families is a significant step in the ever-changing fight against cyber crime. COLDRIVER-related attacks surfaced in January, March, and April 2025, and in that period a major new information-stealing malware called LOSTKEYS was released. The group’s constant ingenuity has since resulted in the creation of the “ROBOT” family of malware, a development that has made an already confusing cybersecurity landscape even harder to navigate.
COLDRIVER’s Evolving Malware
The ongoing use of COLDRIVER’s malware, which has picked up pace since May 2025, shows a stepped-up operational tempo. Wesley Shields, a cybersecurity expert, noted that “NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.” This adaptiveness is a clear indicator that COLDRIVER is getting better at evading detection and increasing its operational effectiveness.
By late May 2025, COLDRIVER had deployed YESROBOT in just two cases over a two-week span. This relatively modest usage could indicate a strategic test, or simply the group’s overall caution when releasing new malware variants. The connection between the different malware families indicates a sophisticated delivery chain, described by Shields as “a collection of related malware families connected via a delivery chain.”
Arrests Linked to Cyber Espionage
On September 22, 2025, Dutch authorities arrested two suspects believed to be connected with COLDRIVER. The two suspects, both 17, are charged with first-degree intentional homicide. They allegedly used their expertise to assist a foreign government and even supported COLDRIVER’s cyber operations. A third suspect was placed under house arrest and is considered to have had a “limited role” in the case.
The Netherlands’ Public Prosecution Service (OM) has criminally investigated these activists. Prosecutors consider it possible that there is a more direct line from them to a hacker group recently revealed to have ties to the Russian government. “This suspect gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague,” said the OM. Such a mapping would be of tremendous strategic advantage to any cyberattack or cyber espionage campaign.
According to the OM, the suspects provided the gathered data to their client upon request in exchange for payment. That is a troubling indication of how readily digital sources can be turned over to espionage. “The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks,” an OM representative stated.
Implications for Cybersecurity
The recent march of events around COLDRIVER showcases the ever-present hazard that state-sponsored hacking organizations continue to pose. Researchers directly link several types of malware employed in recent attacks to COLDRIVER, making the case for stronger cybersecurity all the more imperative. As these hacking groups become more sophisticated in their approach to technology, organizations need to wake up.
Dutch authorities are continuing their investigation of the arrested suspects connected to COLDRIVER. Cybersecurity specialists, for their part, anticipate learning more about the group’s inner workings as the investigation proceeds. These developments have important implications for national security: both business and personal accounts are vulnerable to these advanced cyber attacks.