The international cybersecurity landscape faces a heightened threat as the hacking group COLDRIVER, linked to Russia, has developed a series of sophisticated malware families since May 2025. The group’s activity has surged since then, and this significant uptick in operational tempo has raised alarm among cybersecurity professionals and law enforcement officials. Recently, the Dutch Public Prosecution Service (Openbaar Ministerie) confirmed that it has arrested two suspects linked to COLDRIVER. A third suspect wears an electronic monitor and remains under house arrest due to his relatively minimal participation in the actions.
COLDRIVER’s newly evolved malware includes NOROBOT and MAYBEROBOT; Zscaler ThreatLabz has dubbed the corresponding attack methods BAITSWITCH and SIMPLEFIX, respectively. From a purely tactical standpoint, these developments represent a significant change in the group’s modus operandi for carrying out cyberattacks. COLDRIVER appears to be refining its playbook to make its malicious software less detectable and more effective.
Increasing Operations Tempo
Since its launch, COLDRIVER has innovated at an increasing and frighteningly rapid rate. Cybersecurity analysts have tracked the group’s malware through multiple generations, and this quick-paced development is indicative of an increased operations tempo. COLDRIVER is currently ramping up its cyber espionage and data exfiltration…
Over the past few months, COLDRIVER carried out targeted attacks in January, March, and April of 2025. These intrusions ultimately resulted in the deployment of a new information-stealing malware named LOSTKEYS. The introduction of this new malware initially went largely unnoticed but has since raised major alarm in cybersecurity circles. It shows that COLDRIVER is able to perform extremely complex and destructive cyber operations.
During the course of the operations mentioned above, COLDRIVER began deploying the “ROBOT” family of malware. In many ways, this new wave of attacks represents a stark progression in the group’s strategy, matching the unprecedented pace at which the new families have emerged. Only two YESROBOT deployments have been logged to date, both in late May of this year within a two-week period, just after LOSTKEYS became public.
Arrests and Investigations
As COLDRIVER’s threat continues to grow, Dutch investigators have made remarkable progress in investigating the group. On September 22, 2025, law enforcement arrested two of the three suspects. The two 17-year-old men are believed to have been providing services to a foreign government, and one of them is now suspected of having ties to a hacker collective with origins in the Russian government. This raises the question of how damaging their overall impact has been.
Police have been unable to properly question the third suspect, who is currently under house arrest due to his peripheral involvement in the current investigations. More broadly, young people are becoming increasingly entangled in the fiendish world of serious cybercrime. This trend is especially worrisome given the ways in which hacker groups such as COLDRIVER recruit and manipulate vulnerable targets.
The Openbaar Ministerie is still working with cybersecurity researchers to analyze COLDRIVER’s malware and trace its path. This new push is designed to bring the full extent of the threat posed by today’s cyber actors to light and to deter future attacks from this small extremist group.
Cybersecurity Implications
The current work of COLDRIVER serves as a reminder that the cybersecurity community must remain in a constant state of watchfulness. Researchers and law enforcement agencies are closely watching the group’s tactics, techniques, and procedures as they emerge. By learning the detailed specifics of COLDRIVER’s malware, organizations can continue to harden their defenses against attacks like these.
The heightened operational tempo seen in COLDRIVER’s activities is a clarion call for security practitioners everywhere. Cyber threats are more advanced than ever before. Organizations need to keep improving and evolving their security procedures and practices, and to adopt a mindset of preparing for inevitable intrusions.