Cybersecurity researchers have observed a sharp increase in malicious cyber activity, which they attribute to COLDRIVER, a threat group linked to Russian state-backed hackers. The group has earned a notorious reputation: it deliberately goes after high-profile targets, including people associated with NGOs, policy consultants and dissidents. COLDRIVER is intensifying these efforts by concentrating on credential theft. Its recent malware development points to a broader and more alarming shift in both tactics and tempo.
As of May 2025, COLDRIVER has been linked to numerous malware variants that have gone through multiple iterations. These developments reflect the group's tightening focus on, and the importance it places on, cyber espionage. Earlier this year, its use of information-stealing malware known as LOSTKEYS came to light as a further means of bolstering its campaign. In January, March and April of 2025, the unit launched coordinated waves of attacks. This represents an unmistakable break from its long-standing operating patterns.
Recent Developments in Malware Families
COLDRIVER’s malware has matured considerably, leading to the development of the “ROBOT” family of malware. Within this family, researchers closely monitored the deployment of YESROBOT, which was recorded on only two occasions over a quiet two-week stretch in late May 2025. Together, these observations illustrate the group’s preference for keeping a low profile while advancing its offensive cyber campaign.
In addition to YESROBOT, COLDRIVER has been associated with other malware families such as NOROBOT and MAYBEROBOT. Zscaler ThreatLabz tracks these variants under the respective names BAITSWITCH and SIMPLEFIX. The constant change in these malware families attests to COLDRIVER’s sustained focus on refining its tradecraft to evade detection technologies.
“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.” – Wesley Shields.
“This constant development highlights the group’s efforts to evade detection systems for their delivery mechanism for continued intelligence collection against high-value targets.” – Wesley Shields.
Legal Actions in the Netherlands
In a somewhat surprising accompanying move, the Netherlands’ Public Prosecution Service (Openbaar Ministerie) has announced a significant step: it has charged three 17-year-old males with rendering services to a foreign government. The prosecution service states that one of the suspects had been in contact with an international hacker group tied directly to the Russian government. On September 22, 2025, the Openbaar Ministerie arrested two of the suspects. The third suspect is under house arrest instead, because of his limited involvement in the case.
Authorities, including FBI agents, have tied these individuals to COLDRIVER’s operations. News reports indicate that one of the suspects repeatedly instructed the others to map Wi-Fi networks in The Hague.
“This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague,” – Openbaar Ministerie (OM).
Each of these activities gathered useful information, which appears to have been monetized, directly or indirectly, in support of a new generation of digital espionage and cyber attacks.
“The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.” – Openbaar Ministerie (OM).
Monitoring COLDRIVER’s Activities
Cybersecurity experts are watching COLDRIVER’s activities closely. Its recent expansion of operations should give serious pause about the implications for international security and for the privacy of individuals worldwide. The Dutch government has stated that so far there are no indications of external pressure on the suspect, who had direct ties to an underground hacker group operating under the direction of the Russian government.
COLDRIVER is shifting gears, and its malware is advancing at an alarming pace. Cybersecurity professionals and security regulators alike, at both the federal and state levels, must therefore remain alert to new and dangerous threats. The situation illustrates the continuing need for robust defensive measures to keep the sensitive data of high-value targets out of attackers’ hands.