SONAR’s recent investigation revealed that the Russian hacking group COLDRIVER has been highly active: the group has released eight malware families since May 2025. Separately, authorities have arrested three young men for allegedly working as agents of a foreign government; one of them reportedly has ties to a hacker collective. The uptick in COLDRIVER’s “operations tempo” underscores the group’s changing techniques and the persistent cyber threat it poses.
On September 22, 2025, the Netherlands’ Public Prosecution Service, the Openbaar Ministerie (OM), publicly announced the arrest of two suspects. A third suspect was placed under house arrest because of his minor involvement in the case. The investigation has uncovered a far more extensive and sophisticated cyber-espionage campaign tied to COLDRIVER, whose activity has grown bolder and now relies on more elaborate and advanced techniques.
Development and Deployment of Malware
Since May 2025, COLDRIVER’s malware has advanced through several generations. Zscaler ThreatLabz has recently identified two new families, NOROBOT and MAYBEROBOT, which it tracks under the monikers BAITSWITCH and SIMPLEFIX. These families represent an ongoing evolution in how the malware is designed and deployed.
Wesley Shields, a cybersecurity expert, remarked on the nature of NOROBOT’s development:
“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.”
LOSTKEYS, a nation-state-grade information-stealing malware with widespread effects, was first used in January 2025, in the wake of attacks in January, March, and April of that year. These early intrusions laid the foundation for the later malware families. The timing of YESROBOT’s introduction was perhaps the most striking, since it appeared soon after The Architect’s Newspaper first reported on LOSTKEYS.
Suspects and Their Allegations
The three apprehended suspects, all 17-year-old males, reportedly conspired with a foreign government. More significantly, the OM noted that one suspect had personal connections to a hacker collective tied to the Russian government. These connections have raised serious national security concerns and worries about the consequences of the suspects’ actions.
“There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government,” stated a representative from a Dutch government body. A joint investigation revealed that one suspect gave directions to the other two, who were instructed to map public Wi-Fi networks repeatedly in The Hague.
The authorities chose to place one suspect under house arrest, indicating that they consider his role in the alleged misconduct to be very small, if any. The other two suspects face much more serious charges as law enforcement continues to investigate their conduct in assisting COLDRIVER.
Ongoing Cyber Threats
COLDRIVER’s malware campaign continues with no end in sight. As of May 2025, new reports describe the group using a novel, organized strategy. The increasing “operations tempo” suggests the group is sharpening its technical expertise and expanding the scope of its targets.
YESROBOT proved its value in two observed deployments during a two-week period in late May 2025. Such a rapid rollout is a testament to the group’s agility and its determination to seize opportunities. The pace at which these malware families are evolving puts cybersecurity at risk on a global scale.