COLDRIVER Hackers Unveil New Malware Families Targeting High-Profile Individuals

By Tina Reynolds

In a recent analysis, cybersecurity experts made an alarming discovery: COLDRIVER, a hacking group likely sponsored by Russia, has linked its operations to new types of malware. The group has earned a reputation for going after prominent members of non-governmental organizations (NGOs), policy advisors, and dissidents. Since its malware was last observed in May 2025, the group has made some major changes. This development marks a notable shift in COLDRIVER’s operational methods and highlights the group’s ongoing adaptation to evade detection.

There is also some positive news from the Openbaar Ministerie (OM), the Netherlands’ Public Prosecution Service. The OM has identified three teenage nationals as suspects and found that, at the age of sixteen, they had offered services to a foreign state. More than four years later, on September 22, 2025, authorities arrested two of the suspects. The third suspect is under house arrest because of the limited extent of his participation in the alleged offence. Dutch authorities would not name the suspects, but one has reportedly been in contact with Cozy Bear, a hacker group closely tied to the Russian government.

Evolution of COLDRIVER’s Malware

Since it was last detected in May 2025, COLDRIVER’s malware has gone through several variations. The threat actor launched a new information-stealing malware called LOSTKEYS, designed to steal sensitive information from its victims. In addition to LOSTKEYS, COLDRIVER has introduced a new malware family called “ROBOT,” which has been observed alongside two other malware families, NOROBOT and MAYBEROBOT. Zscaler ThreatLabz tracks these two families as BAITSWITCH and SIMPLEFIX, respectively.

Wesley Shields, a cybersecurity analyst with the Center for Threat-Informed Defense, provided an overview of NOROBOT’s history and evolution, and its infection chain.

“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.” – Wesley Shields

She stresses that COLDRIVER is not focused on evading detection systems. Rather, this latest evolution is a testament to the group’s dark and creative approaches to intelligence collection against high-value targets.

Recent Attacks and Changes in Modus Operandi

The most recent waves of attacks attributed to COLDRIVER mark a new shift in the group’s standard modus operandi. The group has previously been compared with campaigns that steal credentials from individuals in the NGO and political world; its recent malware deployments indicate a more sweeping targeting methodology.

According to the OM’s announcement, only two YESROBOT deployments have ever been recorded. Both occurred within a two-week window in late May, not long after information about LOSTKEYS became publicly known. It is these new tactics that most concern law enforcement, who believe they mark an upward turn in COLDRIVER’s cyber operations.

“The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks,” – OM

This assertion highlights the gravity of the data breaches linked to COLDRIVER’s activity.

Suspects and Their Connections

In light of these recent developments, the roles of the three suspects associated with COLDRIVER’s actions have been disclosed. According to the OM, one of the suspects drew in the other two and repeatedly instructed them on how to create maps of free Wi-Fi networks in The Hague.

“This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague,” – OM

Dutch authorities have so far found nothing to suggest that this suspect was under any pressure to act. They are still probing the suspect’s ties to the Russian-linked hacker group.

“There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government,” – Dutch government body