Our recent investigation has revealed the activities of COLDRIVER. This well-known Russia-linked hacking group is perhaps best known for developing highly sophisticated malware to target notable individuals. I showed that, since May 2025, COLDRIVER has successfully released new malware families. Unlike more familiar adversaries, these threats are developed and deployed at lightning speed, demonstrating a stunning acceleration in the group's cyber capabilities. Cybersecurity experts and institutions around the world should be worried by the implications of this trend.
Cybersecurity researchers have tracked COLDRIVER’s activities closely. Its typical modus operandi centers on credential theft from non-governmental organizations (NGOs), policy advisors, and dissidents. The newest wave of attacks points in a dangerous new direction and indicates that the group is shifting its approach.
Evolution of Malware Families
Since COLDRIVER first emerged, its malware has gone through many developmental phases. Most recently, the group was found to be behind the deployment of an information-stealing malware dubbed LOSTKEYS. This malware was used in ransomware attacks discovered in January, March, and April of 2025.
According to Wesley Shields from Zscaler ThreatLabz, “NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.” This evolution shows how COLDRIVER continually updates its tooling and tradecraft to keep pace with the shifting cybersecurity landscape.
With the introduction of the ROBOT family of malware, COLDRIVER’s cyber activities have escalated further. While YESROBOT has been deployed in various capacities, only two instances have been documented so far. These deployments took place during a two-week window in late May 2025, coinciding with the public release of information about the LOSTKEYS malware. This suggests that COLDRIVER deliberately reacted to the disclosure in order to preserve its advantage.
Arrests Connected to Cyber Activities
On September 22, 2025, the Netherlands’ Public Prosecution Service, known as the Openbaar Ministerie (OM), made a historic announcement. It had arrested three 17-year-old males who are believed to have provided their hacking services to governments outside the United States. One of the suspects is reportedly in communication with the hacker group COLDRIVER, which has ties to the Russian government.
The OM stated, “The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.” That suspect reportedly coached the other two, on multiple occasions, to exploit Wi-Fi networks, and this happened time and again in The Hague.
As a result of the ongoing investigation, law enforcement arrested two of the suspects during the local investigation. Because the third suspect’s involvement in the crime was limited, he was released under house arrest. Dutch authorities have emphasized that there are “no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government.”
Implications for Cybersecurity
The growth of COLDRIVER’s sophisticated malware families brings substantial risk for today’s cybersecurity practitioners. The group’s inventiveness and constant retooling reinforce the conclusion that its approach to cyber operations is becoming more sophisticated.
Shields notes that COLDRIVER’s malware families represent “a collection of related malware families connected via a delivery chain.” As these threats evolve in scope and sophistication, organizations need to remain vigilant and keep improving their cybersecurity protections to keep sensitive information safe.