A recent investigation has revealed that COLDRIVER, a hacking group linked to Russia, has developed new malware families amid a marked increase in its cyber activities. Three young men in the Netherlands have now been arrested. They are believed to have provided services to a foreign government, with suspected ties to COLDRIVER.
High-profile targets are the focus of COLDRIVER. These include people connected to civil society, NGOs, policy advisors, and dissidents, targeted with the explicit intent of stealing their credentials. The group’s most recent malware, in development and testing since May 2025, has undergone multiple iterations. This shows a growing operational tempo for this threat actor, and that intensification is amplified by the group’s recent departure from its historical playbook.
New Malware Families and Increased Activity
Malware associated with COLDRIVER includes families such as NOROBOT and MAYBEROBOT, which cybersecurity researchers at Zscaler ThreatLabz track under the codenames BAITSWITCH and SIMPLEFIX, respectively. COLDRIVER systematically launched three attack waves, beginning in January, March and April of 2025. Throughout these attacks, a new information-stealing malware named LOSTKEYS took center stage.
Even we were surprised when, late in May, the particulars of LOSTKEYS emerged. A few months later, we saw two samples of a different malware known as YESROBOT. This change is indicative of a significant increase in activity. It indicates that COLDRIVER is already changing its approach to become more operationally effective.
“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys,” – Wesley Shields
The connection between these malware incidents and the recent arrest of three suspects adds a layer of intrigue to the ongoing investigations. The arrests were disclosed by the Netherlands’ Public Prosecution Service (OM) on September 22, 2025. One of the suspects had direct communications with a hacking group affiliated with the Russian state. This connection has raised concerns about international cyber cooperation.
Arrests and Allegations
The OM has further communicated that two of the suspects were taken into custody and that the third suspect is under house arrest. According to reports, one defendant emerged as the ringleader who instructed the others. Their assignment was to map Wi-Fi networks around The Hague on as many occasions as possible. These activities strongly indicate a consistent attempt to enable cyber operations in support of COLDRIVER’s nefarious activities.
“This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague,” – OM
The Dutch government body has clarified that, at this stage, there are no indications that pressure has been exerted on the suspect linked to the Russian hacker group. This recent revelation is deeply troubling because it suggests the remarkable level of influence that foreign actors could have over people inside the Netherlands.
Implications for Cybersecurity
Cybersecurity researchers remain deeply engaged in monitoring COLDRIVER’s campaign and the development of its malware. Their findings carry significant national security and individual privacy implications. The group’s attacks are becoming more sophisticated, and broader and wider in reach. This further highlights the need for high-profile targets to do more to bolster their cybersecurity standards.
The case also shows how actively young suspects are engaging in cyber activity, which points to a potential recruitment tactic leveraged by hacking groups. This alarming reality illustrates how easily wealthier individuals can manipulate and coerce vulnerable groups.