COLDRIVER Hackers Unveiled as New Malware Threat Emerges


By Tina Reynolds


In the latest investigative report, Check Point Research has exposed the actions of COLDRIVER, a Russia-linked hacking group that’s recognized for its intricate cyber operations. Since May 2025, COLDRIVER has radically evolved, pivoting to new strategies and crafting entirely new malware families. This group mainly focuses on high-profile members of non-governmental organizations (NGOs), policy advisors and dissidents, mostly for credential theft.

The recently disclosed attacks involving COLDRIVER's Russia-linked infrastructure signal a further escalation in the group's operational tempo. This shift appears to have followed the public disclosure of a new malware variant called LOSTKEYS by the 314A group; that variant has been linked to multiple intrusions earlier this year. The Netherlands' Public Prosecution Service (Openbaar Ministerie, or OM) has responded to these developments by arresting multiple suspects behind the activity.

COLDRIVER’s Evolving Modus Operandi

COLDRIVER's standard modus operandi is to use malware to compromise the digital networks of its targets. The threat actor has been attributed multiple malware families, notably BAITSWITCH and SIMPLEFIX, which are tracked under another naming scheme as NOROBOT and MAYBEROBOT, respectively. As security researchers note, threats continually evolve, and they have been monitoring NOROBOT and its infection chain closely.

“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.” – Wesley Shields

Over the last few months these attacks have resurfaced, with escalating incidents in January, March, and April of 2025. Because of this, we introduced LOSTKEYS, a damaging information-stealing malware that had a dramatic impact on multiple prominent targets. In short, COLDRIVER has overhauled its own tactics, techniques, and procedures in a deliberate pivot, most recently with the debut of the "ROBOT" family of malware.

In late May 2025, we announced LOSTKEYS to the world. Shortly thereafter, we saw two cases of a related malware variant known as YESROBOT within the span of two weeks. This departure from routine activity suggests that COLDRIVER is actively adapting its strategies to stay ahead in the cyber espionage landscape.

Arrests and Investigations in the Netherlands

On September 22, 2025, the Openbaar Ministerie publicly announced the arrest of these two suspects. The suspects, each 17 at the time, are believed to have had indirect ties to a foreign government through their hacking. One of them is said to have had direct contact with a hacker group operating under the direction of the Russian government.

Law enforcement has already made multiple arrests. Because of the lesser degree of this suspect's involvement in the case, he was placed under house arrest. This suspect reportedly directed the other two in how to triangulate Wi-Fi networks in The Hague. Here is what the OM has stated.

“This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague.” – Openbaar Ministerie (OM)

Initially, the probe revealed that these defendants resold the harvested data to buyers for profit. This has alarming implications for digital espionage as well as future cyber warfare.

“The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.” – Openbaar Ministerie (OM)

Government Response and Future Implications

The Dutch government certainly seems to be on the ball. It has, for now, ruled out that anybody was exerting external pressure on the suspect linked to the Russian hacker group. This development raises significant questions about interstate cyber warfare, which is why governments around the world, including our own, are moving quickly to protect their digital infrastructure.

While COLDRIVER advances its tactics and tooling, cybersecurity professionals stress that potential targets must remain on guard. The increasing number and scale of these attacks underline the need for more robust security. NGOs, policy advisors, and other public figures should fortify themselves against the growing intensity of these threats.