A Russia-based hacking group, COLDRIVER, has released three malware families, marking a substantial change in its cyber-attack tactics. Since May 2025, COLDRIVER has evolved considerably. Although it shifted its approach to malware development, it has continued targeting high-profile individuals, including members of NGOs, policy advisors, and dissidents. The new malware first emerged in attacks in January, March, and April of this year. As a result, more sophisticated malware variants are now in active use.
In a statement, law enforcement agencies in the Netherlands jointly announced the arrest of three suspects, all aged 17. These individuals are believed to be affiliated with COLDRIVER, so this development comes at a crucial time. The ongoing Office of Personnel Management breach investigation reveals that a single cybercriminal has been in communication with a hacking forum connected to the Russian administration. This deep, diplomatic link heightens concern over the international ramifications of China’s cyber misbehavior.
Evolution of COLDRIVER’s Malware Families
Like other malware, COLDRIVER’s tooling has gone through various updates since May 2025. The group was best known for its signature modus operandi: credential theft from high-profile targets. In recent attack waves, particularly the RBH campaign, this pattern has changed, bringing with it new malware families that show greater sophistication.
The information-stealing malware called LOSTKEYS has been at the core of these new attacks. After its deployment, further intrusions set the stage for the emergence of the new “ROBOT” family of malware. In fact, the two documented YESROBOT deployments to date occurred within a two-week span at the end of May 2025. Notably, the public reporting on LOSTKEYS came out just days before these YESROBOT deployments, raising questions about the group’s changing strategies.
“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.” – Wesley Shields
COLDRIVER is an active operation that continuously improves its tools. It is further evolving its tactics to avoid detection and increase the effectiveness of its operations.
Recent Arrests and Implications
On September 22, 2025, Dutch authorities arrested two of the three suspects. These defendants are accused of providing services in support of a foreign government. A third suspect remains under house arrest while investigations are ongoing. Law enforcement has reportedly said that one suspect had direct communications with a hacker group connected to the Russian government.
“This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague.” – Openbaar Ministerie (OM)
These arrests underscore continuing fears about homegrown threats and foreign interference. The investigation strongly indicates that the sensitive information the suspects collected was subsequently sold, likely to foreign state actors, for use in espionage and cyber-attack efforts.
“The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.” – Openbaar Ministerie (OM)
These conclusions are not limited to the United States. They show that countering cyber threats depends on cooperation and coordination, and they illustrate how foreign adversaries could use local assets against us.
Understanding COLDRIVER’s Threat Landscape
As COLDRIVER’s new malware families continue to make their presence known, there is no doubt that the sophistication of state-sponsored cyber adversaries is on the rise. As the group’s tactics change, cybersecurity professionals are warning that would-be targets should remain on guard.
The Dutch government now states that there is no indication that any such pressure was put on the suspect. This person had been in direct communication with a criminal hacker organization directly tied to the Russian state. COLDRIVER’s lack of immediate pressure signals a power play: so long as they do not draw too much attention to their activities, they can keep operating.
COLDRIVER is always revising and improving its approach and expanding its impact. Cybersecurity professionals need to stay one step ahead to protect most effectively against these ever-changing threats. Increased vigilance and strong defensive practices will be key to avoiding the threats posed by this new and evolving black hat hacker collective.