One recent public investigation revealed that COLDRIVER, a cybercriminal group with historical ties to Russia, has created new malware families. This is an important development in the maturing of its cyber operations. Since May 2025, the group has executed several high-profile, complex attacks, focusing specifically on prominent civil society figures such as NGO members, policy advisors, and dissidents. The Netherlands’ Public Prosecution Service (OM) has confirmed that three 17-year-old men have been arrested. They are accused of acting as a front for services provided on behalf of foreign governments, indicating involvement in a much larger cyber espionage infrastructure connected to COLDRIVER.
In the past, the hacking group concentrated on credential theft, but in recent months it has changed its strategy. Two new malware families, NOROBOT and MAYBEROBOT, have been released; Zscaler ThreatLabz tracks them as BAITSWITCH and SIMPLEFIX. COLDRIVER has also been instrumental in the deployment of LOSTKEYS, a pervasive info-stealing malware that was recently the talk of the security community.
Evolution of Malware Families
COLDRIVER’s malware has already gone through several development cycles, demonstrating a fast operational tempo. The group’s most recent attack waves mark a change from its long-standing patterns while showing that it continues to adapt strategically. The emergence of the “ROBOT” family of malware is evidence of a new paradigm of more complex, sophisticated cyber operations.
The growth of these malware families paralleled an increase in attacks first reported in January, March, and April of 2025. It was the response to these attacks that spurred the deployment of LOSTKEYS, a tool that has been widely praised for its innovative approach to gathering sensitive information.
“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.”
The Netherlands’ Public Prosecution Service (OM) also announced the arrest of three teenagers. This action highlights the authorities’ continued fight against cybercrime linked to foreign government actors. On September 22, 2025, police detained two suspects. The third suspect, the least involved of the trio, is awaiting trial under house arrest. The authorities have charged the suspects with providing services to a foreign nation’s government and with fostering relationships with hacker organizations associated with Russian state interests.
Arrests Linked to Cyber Operations
These are advanced, sophisticated activities that demonstrate a high degree of coordination among the suspects. This suggests that such methods will continue to be used in cyberattacks against other high-value targets.
The implications of COLDRIVER’s new modus operandi and these recent arrests present an enormous challenge for cybersecurity agencies across the globe. According to news reports, the ringleaders sold the personal data they collected for cash. This data has the potential to enable digital espionage and cyberattacks.
“This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague.”
These reports give no indication of any outside pressure on the suspect associated with COLDRIVER. This suggests that the operation may be more organized than previously thought.
Implications for Cybersecurity
Cybersecurity experts are taking a closer look at COLDRIVER’s latest activities and its adapting malware. In doing so, they underscore the critical need for continued, watchful monitoring and protective action now more than ever.
The Evolving Threat Environment
Cyber threats are constantly changing, with actors such as COLDRIVER showing a worrisome level of ingenuity and adaptability.
“The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.” – OM
Additionally, reports indicate that there are no current indications of external pressure on the suspect in contact with COLDRIVER, suggesting that these activities may be more organized than previously thought.
As cybersecurity experts continue to analyze COLDRIVER’s recent actions and evolving malware, the need for vigilant monitoring and protective measures has never been more pressing. The landscape of cyber threats remains dynamic, with groups like COLDRIVER demonstrating an alarming capacity for innovation and adaptation.