COLDRIVER, a hacking group with connections to the Russian government, is one such group that has recently started to receive renewed attention. The group is continually refining its tactics and creating new malware. It focuses on high-profile targets such as NGO members, policy advisors, and dissidents, and its primary goal is to gain access and steal credentials. Recent threat research shows that COLDRIVER's attack waves have evolved dramatically. The shift to a faster operational tempo does not appear to be a one-to-one replacement of the group's earlier tooling.
Beginning in May 2025, COLDRIVER has been tied to a new strain of malware that has gone through several versions. This development signals a more offensive posture, one focused on penetrating specifically targeted environments. The same activity involves a number of other malware families, including NOROBOT and MAYBEROBOT, which other vendors track as BAITSWITCH and SIMPLEFIX.
Recent Attack Waves and New Malware Families
In the first half of 2025, COLDRIVER ran particularly targeted attacks in January, March and April. Over the course of these operations the crew employed a novel info-stealer tracked as LOSTKEYS. Those intrusions were followed by the emergence of the new "ROBOT" family of malware, a serious escalation in COLDRIVER's activities.
In late May 2025, two notable cases of a new variant of this malware, YESROBOT, were observed within a two-week span. The arrival of these malware families marks a troubling expansion of COLDRIVER's capabilities.
“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.” – Wesley Shields
Zscaler ThreatLabz has also published analysis of COLDRIVER's malware. Its research documents the current tactics employed by this sophisticated hacking group.
Investigations and Suspects
The Netherlands' Public Prosecution Service (Openbaar Ministerie) has taken a proactive stance in investigating COLDRIVER's activities. Dutch authorities have charged three 17-year-old men with spying for a foreign government. One of them, as it turns out, had been in close contact with a Kremlin-backed hacker group.
On September 22, 2025, law enforcement arrested two of the suspects. The third, Carlos Oliveira, is under house arrest because of his "limited role" in the case. The probe found that one of the suspects instructed the others, on several occasions, to map the geographical location of Wi-Fi networks in The Hague.
“This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague,” – Openbaar Ministerie (OM)
Those activities harvested large amounts of information, which was passed to the client for a fee. Such data can be used to prepare digital espionage and cyber attacks.
“The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.” – Openbaar Ministerie (OM)
Ongoing Monitoring and Implications
The Dutch prosecutors also reported one welcome finding: they could not find evidence that the suspect who interacted with the Russian-affiliated hacker group had been pressured. This is a positive indication that the investigation can proceed unimpeded by outside entities.
As authorities increase their scrutiny of COLDRIVER's operations, the repercussions of these findings extend beyond the Netherlands. Cybersecurity professionals are calling for increased vigilance from all organizations exposed to threat actors such as COLDRIVER.