New Malware Families Uncovered Linked to Russian Hacking Group COLDRIVER

By Tina Reynolds

A recent joint investigation by Mandiant and BBC News uncovered that the Russian-linked hacking group COLDRIVER has developed three new families of malware. This announcement represents a major escalation in the group's cyber campaign. On September 22, 2025, the Public Prosecution Service (OM) in the Netherlands announced groundbreaking conclusions. The announcement followed a period in which authorities arrested and placed two offenders under house arrest and identified a third; all three are 17 years old. Since its creation in May 2025, the new malware has undergone significant changes in its development, a testament to how quickly things are moving at COLDRIVER.

The group is known for its long history of shaming powerful, high-profile people. Its targets include members of non-governmental organizations (NGOs), policy advisors and other dissidents, with the principal aim of purloining their credentials. The recent attacks diverge from this classic pattern of operation.

COLDRIVER’s Evolving Malware Landscape

COLDRIVER's malware has evolved notably since detection began in May 2025. During this time, a new information-stealing malware, LOSTKEYS, appeared on the radar. It has been linked to raids that took place in January, March and April of this year. The latest breaches drove the development of the "ROBOT" family of malware, which consists of two variants, NOROBOT and MAYBEROBOT. These variants are tracked as BAITSWITCH and SIMPLEFIX by Zscaler's ThreatLabz.

Wesley Shields, a cybersecurity expert, commented on the situation, stating, “NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.” This versatility points to a deliberate tactical approach by COLDRIVER to evade detection systems.

COLDRIVER's continual refinement of its malware shows a clear increase in both activity and sophistication. The OM highlighted that “the information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.”

Recent Developments and Suspects

OM’s investigation into COLDRIVER resulted in the arrest of two suspects on September 22, 2025. A third suspect is under house arrest because of their minor involvement in the operation. The Dutch government body stated, “There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government.”

On at least three different occasions, the suspects assisted police detectives in mapping out Wi-Fi networks in The Hague. The OM noted that “this suspect gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague,” revealing a more organized approach to their cyber endeavors.

State officials have been keeping a watchful eye on the actions and planning of these teenage perpetrators. It is important to understand how their activities relate to broader patterns in cybercrime linked to state-sponsored adversaries.

Implications for Cybersecurity

The advent of COLDRIVER's new malware families poses a new threat and challenge to cybersecurity agencies around the world. As the group adapts its techniques to evade detection and enhance its operational capabilities, organizations must remain vigilant against potential threats. The sophistication of the malware suggests a long-term investment in intelligence collection aimed at high-value targets.

The implications go well beyond the realm of cybersecurity. They foreshadow a darker international security landscape in which digital espionage grows more widespread. As this story continues to develop, cybersecurity professionals are advising organizations to improve their resilience against these ever-changing threats.