A recent investigation by Mandiant Intelligence has found that COLDRIVER, a Russian-affiliated hacking group, has developed three new malware families. The attacks target highly sensitive individuals such as NGO workers, policy advisors, and political dissidents. Since May 2025 the group’s activity has multiplied, an increase that likely reflects a change in its cyber-espionage tactics.
On 22 September 2025, the prosecution service of the Dutch government (Openbaar Ministerie, OM) announced that three suspects had been arrested. They are believed to be associated with COLDRIVER. The suspects, all 17 years old, are charged with aiding a foreign government. One of them even claimed to have been in contact with a hacker group under the Russian government’s control.
COLDRIVER’s Modus Operandi
COLDRIVER has gained infamy for credential theft targeting high-profile and sensitive individuals. This tactic lets the group gather sensitive information, which can then be used for anything from corporate digital espionage to ransomware attacks. The OM explained the extent of what the suspects were doing, saying,
“The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.” – Openbaar Ministerie (OM)
In January, March, and April 2025, for example, COLDRIVER deployed its information-stealing malware LOSTKEYS. This malware is one cog in a broader scheme to get into networks and extract money, private information, and anything else of value from specifically targeted people.
Beyond those initial intrusions, COLDRIVER went further, releasing the ROBOT malware family and refining techniques from its earlier intrusions. Zscaler ThreatLabz has been closely following the malware families NOROBOT and MAYBEROBOT, which it had previously disclosed as BAITSWITCH and SIMPLEFIX respectively.
Evolution of Malware Families
Since at least May 2025, COLDRIVER’s malware has exhibited a significantly higher “operations tempo,” a sign that the pace of its cyber operations has ramped up considerably. Experts have pointed out that NOROBOT and its original delivery chain have been in a state of constant mutation. Wesley Shields from Zscaler ThreatLabz stated,
“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.” – Wesley Shields
This ongoing development reflects COLDRIVER’s iterative approach to evading cybersecurity defenses. The group’s tactics have grown more sophisticated as it continues to hone its malware to make it more effective.
Further, we’ve only seen two examples of YESROBOT deployment so far. Both occurred within a two-week period in late May 2025, shortly after the announcement of LOSTKEYS’ debut. This quick-fire series of deployments points to a reactive approach that retools after weaknesses are uncovered by investigations.
Links to Russian Government Affiliation
Further investigation is expected to reveal links between the foreign interests and the apprehended suspects. One suspect reportedly stayed in touch with a hacker group previously accused of ties to the Russian government. The Dutch government body clarified that
“There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government.” – Dutch government
This statement highlights the complications of international cybercrime and its national security implications.
As these investigations continue, authorities remain focused on establishing how pervasive COLDRIVER’s operations were and who they were connected to. The OM is committed to learning how these hackers work and what kind of threat they pose to cybersecurity.