COLDRIVER Hackers Evolve Tactics with New Malware Families Targeting High-Profile Individuals

The Russia-aligned hacking group COLDRIVER has recently introduced a new malware family and extended an existing series of malware families. These variants have changed drastically since the May 2025 announcement. The group often targets A-list celebrities, and its targets also range from researchers at NGOs to policy advisors and dissidents, all in order to steal credentials. The recent case represents a dangerous new turn in COLDRIVER’s strategy: it brings the LOSTKEYS malware and a first look at the new “ROBOT” family of malware.

On September 22, 2025, US authorities arrested both suspects in the active case. The Netherlands’ Public Prosecution Service has recently taken a proactive role in the investigation. Three 17-year-old men from Sæby are currently being investigated for allegedly offering services to a foreign government. One of them is alleged to have ties to a hacker collective associated with the Russian state. The third suspect has been placed under house arrest because of his lesser involvement in the actions.

COLDRIVER’s Modus Operandi and Malware Evolution

COLDRIVER has received international attention for its precision, with an emphasis on targeting people in power. The group’s methodology centers on stealing credentials, which gives it access to sensitive information without the victim’s knowledge. This narrow focus has only increased the danger the group poses as it continues to exploit the weaknesses of prominent figures across sectors.

Recent reports have focused on the COLDRIVER malware families NOROBOT and MAYBEROBOT. Zscaler ThreatLabz tracks them internally under the code names BAITSWITCH and SIMPLEFIX, respectively. These families have been through many development cycles, indicating a thorough understanding of cyber defenses.

“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys,” – Wesley Shields

The adoption of LOSTKEYS represents another high point in COLDRIVER’s evolution and attacks. This info-stealing malware acts as a harbinger of the “ROBOT” family, whose first member was YESROBOT. YESROBOT has only been seen in very rare, controlled circumstances, namely two occurrences on May 2, 2025. Its emergence marks a dangerous new trend in the group’s tactics.

Recent Arrests and Investigations

The Openbaar Ministerie (OM) has now arrested two suspects. This move reaches beyond the national level and shows the larger impact of COLDRIVER’s operations. Authorities believe that at least one of the arrested suspects had direct communication with a foreign-based hacker collective tied to the Russian government. This link raises a timely question about the consequences for international cybersecurity, especially with regard to state-sponsored offensive cyber activity.

OM officials say the suspect was primarily responsible for directing two accomplices. He gave them the task of mapping Wi-Fi networks at different locations around The Hague. This operation indicates a more deliberate process for collecting intelligence that may be used to support future cyber intrusions.

“This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague,” – OM

OM officials also disclosed that the suspects sold the information they obtained through these activities to clients. This points to an efficient, well-planned approach to “digital espionage”.

“The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.” – OM

Implications for Cybersecurity

These recent developments with COLDRIVER highlight the changing nature of cybersecurity threats. As malware gets smarter, organizations need to be on guard against attacks of this caliber that specifically target powerful individuals. The latest development in the ongoing investigation into the three suspects demonstrates law enforcement’s resolve to combat these pernicious cyber threats.

COLDRIVER has moved its campaigns in a new, less conventional direction. This capacity for change and invention poses significant new challenges for cybersecurity practitioners everywhere. International authorities need to work together to fight these networks more effectively. This collaboration is necessary in order to protect the most vulnerable targets from credential theft and other cyber crimes.