COLDRIVER Hackers Evolve Malware Tactics Targeting High-Profile Individuals

By Tina Reynolds

A recent investigation has found that COLDRIVER, a hacking group linked to Russia, has developed new malware families and increased its operational tempo. From May 2025 onward, COLDRIVER substantially reworked its malware capabilities. The shift is tactical: away from casting broad nets and toward the more time-intensive and expensive pursuit of a small number of high-value targets such as NGOs, policy advisors, and dissidents.

The Dutch Public Prosecution Service (Openbaar Ministerie) has attributed recent attacks on national infrastructure to COLDRIVER. In September 2025, for instance, it raised the alarm that COLDRIVER had used the LOSTKEYS information-stealing malware in those intrusions. The two suspects later arrested were both 17 years old at the time of the reported attack and were taken into custody on September 22. A third suspect was placed under house arrest given his minor role in the case.

Malware Evolution and Increased Activity

Throughout, COLDRIVER has shown a clear pattern of iterative design and implementation. The group developed new malware versions that culminated in the “ROBOT” malware family and its variants: YESROBOT, NOROBOT, and MAYBEROBOT.

LOSTKEYS continued to be developed and tested over the first three months of 2025, and the group used it to collect sensitive personal information. Since then, COLDRIVER has released a number of new malware families that mark a shift away from its previous, well-known tactics. In its final statement, the Openbaar Ministerie noted that there was no hard evidence of undue pressure being placed on a single suspect. This unnamed individual is believed to be associated with a hacker collective affiliated with the Russian state.

“The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.” – Openbaar Ministerie (OM)

Wesley Shields of Google Threat Intelligence Group commented on the evolution of NOROBOT and its infection chain:

“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.”

This adaptability in tactics shows COLDRIVER’s commitment to expanding its digital espionage capabilities.
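The quoted remark about splitting cryptography keys describes a general staging trick worth understanding for incident response: if the key needed to decrypt the final payload is delivered in pieces across separate stages, a single captured stage contains no usable key, and an analyst has to recover every stage to reconstruct it. The following is an added illustration of that general technique, written for this page; it is not COLDRIVER’s code and does not describe NOROBOT’s actual file format. The stage layout, field names, share count, and the SHA-256-based toy keystream cipher are all assumptions made here so the demo runs with only the Python standard library.

```python
"""Illustration of a decryption key split across delivery stages.

Added example, not COLDRIVER's code: it shows the general idea only. The
stage layout, field names and the toy keystream cipher are assumptions made
for this demo and do not describe NOROBOT's real format.
"""
import hashlib
import hmac
import secrets


def split_key(key: bytes, shares: int) -> list[bytes]:
    """XOR-split `key` into `shares` random-looking parts.

    Any subset of fewer than `shares` parts is statistically independent of
    the key, so capturing a single stage reveals nothing about it.
    """
    if shares < 2:
        raise ValueError("need at least two shares")
    parts = [secrets.token_bytes(len(key)) for _ in range(shares - 1)]
    last = bytes(key)
    for p in parts:
        last = bytes(a ^ b for a, b in zip(last, p))
    return parts + [last]


def combine_key(parts: list[bytes]) -> bytes:
    """XOR all parts back together; order does not matter."""
    acc = bytes(len(parts[0]))
    for p in parts:
        acc = bytes(a ^ b for a, b in zip(acc, p))
    return acc


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher built from SHA-256.

    Assumption for the demo so it runs on the standard library alone; it is
    not a cipher to use in production.
    """
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def build_stages(payload: bytes, key: bytes, shares: int) -> list[dict]:
    """Produce the staged artefacts an operator would serve one at a time.

    Stage 0 carries the encrypted payload plus an HMAC over the plaintext;
    each later stage carries exactly one key share (hypothetical layout).
    """
    nonce = secrets.token_bytes(12)
    stages = [{
        "kind": "payload",
        "nonce": nonce,
        "blob": keystream_xor(key, nonce, payload),
        "tag": hmac.new(key, payload, "sha256").digest(),
    }]
    for share in split_key(key, shares):
        stages.append({"kind": "share", "share": share})
    return stages


def reassemble(stages: list[dict]) -> bytes:
    """Recover the payload from a full set of stages.

    Raises ValueError when shares are missing: the XOR of a partial set is an
    unrelated key, the HMAC check fails, and the ciphertext stays opaque.
    """
    payload_stage = next(s for s in stages if s["kind"] == "payload")
    shares = [s["share"] for s in stages if s["kind"] == "share"]
    if not shares:
        raise ValueError("no key shares present")
    key = combine_key(shares)
    plaintext = keystream_xor(key, payload_stage["nonce"], payload_stage["blob"])
    expected = hmac.new(key, plaintext, "sha256").digest()
    if not hmac.compare_digest(expected, payload_stage["tag"]):
        raise ValueError("key incomplete or wrong: payload integrity check failed")
    return plaintext


def demo() -> bool:
    """Round trip with all stages, then show a partial capture does not decrypt."""
    key = secrets.token_bytes(32)
    payload = b"constructed sample payload for the demo"  # constructed input
    stages = build_stages(payload, key, shares=3)
    assert reassemble(stages) == payload
    try:
        reassemble(stages[:-1])  # analyst captured every stage but the last
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("split-key staging demo ok:", demo())
```

The practical consequence for responders is that a network capture or a quarantined download of one stage is not enough to decrypt the payload; triage should aim to collect the complete chain (every stage URL and response) before attempting static analysis of the final stage.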

Targeting High-Profile Individuals

COLDRIVER’s modus operandi centres on targeted credential theft: it specifically seeks out high-profile targets such as NGO representatives and dissidents. This persistent focus reflects a deliberate effort to gather private information that could be weaponised for various ends, from political leverage to espionage.

Even within the last month, COLDRIVER’s malware campaigns have departed significantly from what had been the norm. With the arrival of the ROBOT family, the group has new options for changing its targeting strategy, which would deepen its impact and make its operations more effective.

Authorities arrested two suspects who were allegedly tasked with mapping Wi-Fi networks in The Hague, the seat of the Dutch government. This points to a deliberate reconnaissance step, carried out before the cyber operations themselves.

“This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague.” – Openbaar Ministerie (OM)

Activities of this kind show COLDRIVER’s emphasis on careful preparation and planning in its cyber operations.

Arrests and Ongoing Investigation

Police used their investigation into COLDRIVER’s operations, and the arrests of three teenagers, to establish a connection between COLDRIVER and the SFSS hacking group. Those concerns were compounded by the arrest of two of the suspects on September 22, which raised serious questions about their connections to foreign government interests. Because there was no evidence of deep involvement by the third suspect, house arrest was the extent of the measures taken against him.

One of the Dutch government’s goals is to establish how engaged and committed these individuals are to COLDRIVER, and whether they have ties to other hacker collectives associated with national governments. What has been learned so far shows the part these youths played in carrying out the COLDRIVER operation.