COLDRIVER Hackers Evolve Malware Tactics Amid Increased Activity

By Tina Reynolds

The Russia-linked hacking group COLDRIVER has developed and deployed a new strain of malware, and since May 2025 that tooling has been revised repeatedly. The group's activity has escalated significantly, reflecting a heightened "operations tempo" in deploying its malware. Perhaps most concerning, COLDRIVER's arsenal includes an information stealer known as LOSTKEYS, which has been implicated in several intrusions earlier this year.

Over the last year, COLDRIVER has shown an ability to adapt and improve its malware quickly. Its most recent iterations have produced the "ROBOT" family of malware. Security researchers and law enforcement are watching the threat actor closely, because its recent actions carry serious implications for digital security.

Increasing Operations Tempo

Since the end of May 2025, COLDRIVER has been particularly active; its operations have never been this intense. The most significant development has been the rollout of LOSTKEYS, which was central to the attacks disclosed in January, March, and April 2025. The malware's main purpose is to exfiltrate sensitive files from infected machines.

Beyond LOSTKEYS, later intrusions brought the "ROBOT" family of malware. Two noteworthy families in that line are tracked as NOROBOT and MAYBEROBOT; Zscaler ThreatLabz tracks the same two families under the names BAITSWITCH and SIMPLEFIX, respectively.

Wesley Shields, a researcher with Google's Threat Intelligence Group, commented on the evolution of NOROBOT: "NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys."

This ongoing evolution reflects COLDRIVER's effort to stay undetected and to keep collecting intelligence against high-value targets.

Arrests Linked to COLDRIVER Activities

The investigation into COLDRIVER-related activity, which led to the arrest of three 17-year-old suspects on Friday, showed this same layering of intermediaries. The Dutch public prosecution service, the Openbaar Ministerie (OM), confirmed the arrest of two suspects on 19 September 2025 and placed a third suspect under strict house arrest because of his lesser role.

One of the suspects reportedly had contact with a hacker group tied to the Russian government. According to the authorities, there is no evidence at this point that this individual was coerced.

Representatives of the Openbaar Ministerie disclosed further details. The third suspect coached the other two on plans to map Wi-Fi networks across The Hague on several dates. The OM stated: "The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks."

Implications for Cybersecurity

The ramifications of COLDRIVER's actions extend beyond its immediate targets. They underscore persistent weaknesses in digital security infrastructure. Malware families such as LOSTKEYS and the ROBOT line are growing more sophisticated, and organizations need to remain vigilant against them.

As law enforcement and cybersecurity analysts track COLDRIVER’s changing tactics and techniques, investigations are ongoing to better understand their operations and affiliations.

As Wesley Shields explained, the group’s advanced tactics are a sign of an ongoing attempt to escape detection methods. He stated, “This constant development highlights the group’s efforts to evade detection systems for their delivery mechanism for continued intelligence collection against high-value targets.”

Authorities are responding forcefully to these threats. Organizations worldwide need to strengthen their cybersecurity defenses to withstand increasingly complex attacks.