New Malware Families Linked to Russian Hacking Group COLDRIVER Uncovered

By Tina Reynolds

A recent investigation has revealed that COLDRIVER, a hacking group linked to Russian state interests, has developed three new malware families. All of them have appeared since May 2025 and represent a significant shift in the group's tooling, approach, and targets. Cybersecurity experts are watching closely: as COLDRIVER's activity escalates, so does the risk it poses to high-profile individuals and organizations around the world.

COLDRIVER has also been linked to the malware families NOROBOT and MAYBEROBOT, which Zscaler ThreatLabz tracks under the names BAITSWITCH and SIMPLEFIX, respectively. COLDRIVER, as it is known today, has a long history of credential theft campaigns against non-governmental organizations, policy advisors, and dissidents. The recent waves of attacks show a marked change in its operational priorities and point to new targets or new ways of operating.

Evolution of Malware Tactics

Since it was first identified, COLDRIVER has evolved rapidly in its malware development. The newly discovered families, especially LOSTKEYS and the ROBOT family, are clear examples of this evolution. LOSTKEYS is information-stealing malware, while ROBOT is a broader family of related tools.

Wesley Shields, a security researcher with Google's Threat Intelligence Group who has tracked the family, noted that NOROBOT's transformation is still underway. He stated: "NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys."

This design flexibility lets COLDRIVER tune each infection chain to the moment: a simpler chain is more likely to execute on a target's machine, while splitting the decryption key across stages means that a single captured stage cannot be decrypted on its own, which slows analysis and helps the malware evade detection for longer.
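To make the "splitting cryptography keys" point concrete, here is an added illustrative example that is not COLDRIVER's code and not taken from any published sample. It assumes a two-stage chain in which the final payload is encrypted once, and the key needed to decrypt it is XOR-split so that each stage carries only one share. The payload bytes, the keystream construction, and all function names are constructed for this example; the only point it demonstrates is that an analyst holding a single stage has nothing to work with.

```python
"""Illustrative split-key staging (added example, not COLDRIVER's code).

A payload is encrypted under one key. The key is XOR-split into shares, and
each stage of a hypothetical infection chain carries one share. Recovering
the payload requires every share; any proper subset is uniformly random and
reveals nothing about the key, so a single captured stage cannot be decrypted.
"""
import hashlib
import secrets
from typing import Dict, List


def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode, used as a simple keystream.

    This stands in for a real cipher (e.g. AES-CTR) so the example runs
    on the standard library alone; it is an assumption of this example.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("xor_bytes requires equal-length inputs")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, parts: int = 2) -> List[bytes]:
    """XOR secret sharing: the XOR of all shares equals the key.

    Every share but the last is random; the last is chosen so the XOR of
    all shares reproduces the key. Fewer than `parts` shares are useless.
    """
    if parts < 2:
        raise ValueError("need at least two shares to split a key")
    shares = [secrets.token_bytes(len(key)) for _ in range(parts - 1)]
    last = key
    for share in shares:
        last = xor_bytes(last, share)
    shares.append(last)
    return shares


def combine_key(shares: List[bytes]) -> bytes:
    """Recombine shares by XOR. Works only if *all* shares are present."""
    key = bytes(len(shares[0]))
    for share in shares:
        key = xor_bytes(key, share)
    return key


def build_chain(payload: bytes, parts: int = 2) -> Dict[str, object]:
    """Encrypt the payload once and distribute key shares across stages."""
    key = secrets.token_bytes(32)
    blob = xor_bytes(payload, keystream(key, len(payload)))
    # Each entry of "stages" is what one stage of the chain would carry.
    return {"stages": split_key(key, parts), "blob": blob}


def decrypt_with(shares: List[bytes], blob: bytes) -> bytes:
    """Decrypt using whatever shares the analyst managed to collect."""
    return xor_bytes(blob, keystream(combine_key(shares), len(blob)))


# Constructed sample payload; any bytes would do.
PAYLOAD = b"constructed sample payload: not real malware, just bytes"


def demo(parts: int = 2) -> Dict[str, bool]:
    """Return whether the full share set and a partial set recover PAYLOAD."""
    chain = build_chain(PAYLOAD, parts)
    stages: List[bytes] = chain["stages"]  # type: ignore[assignment]
    blob: bytes = chain["blob"]  # type: ignore[assignment]
    return {
        "all_stages": decrypt_with(stages, blob) == PAYLOAD,
        "one_stage_missing": decrypt_with(stages[:-1], blob) == PAYLOAD,
    }


if __name__ == "__main__":
    print(demo())
```

The defender-side takeaway is the mirror image: when a dropped file's decryption routine references a value that is not present in the file itself, the stage you have is not the whole chain, and the other stages (for instance a server response or a second dropped component) must be captured before the payload can be analysed.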

Suspects Apprehended in Connection with COLDRIVER Activities

In a separate development, the Netherlands' Public Prosecution Service, the Openbaar Ministerie (OM), announced the arrest of three 17-year-old suspects accused of offering their services to a foreign government. The most recently identified suspect is said to have ties to the Russian-affiliated hacking group. Two of the suspects were arrested on September 22, 2025; the third remains under house arrest after being questioned.

The OM's findings indicate that the suspects were directly involved in mapping Wi-Fi networks in The Hague, and that they repeated this on several occasions. The agency reported, "This suspect gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague."

According to the OM, the suspects passed all of the information collected through this activity to an unidentified client in return for a fee. A dataset of this kind can support digital espionage and cyber attacks.

Implications for Cybersecurity

COLDRIVER's constantly changing malware and the arrest of suspects with possible ties to the group together signal a worrying state of affairs. The Dutch authorities have stated that there are currently no indications that the suspect connected to the Russian hacking group was acting under pressure. The case blurs the line between ordinary cybercrime and state-sponsored operations: hired intermediaries can deliver reconnaissance data to a foreign client without ever being formally part of a state-run operation.

The Openbaar Ministerie emphasized the seriousness of these developments by stating, “The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.”

Cybersecurity professionals are, with good reason, watching these developments closely. Private sector and civil society organizations, the targets COLDRIVER has historically favoured, need to remain alert to the growing threat the group presents.