COLDRIVER Hackers Evolve Tactics with New Malware Families Targeting High-Profile Individuals

By Tina Reynolds

Notably, since the beginning of May 2025, a Russia-linked hacking group named COLDRIVER has been making waves. Their tactics and operational tempo are always changing. The group has been linked to a number of advanced cyberattacks. They specifically focus on high-profile activists in civil society organizations (CSOs), policy advisors, and expatriate dissidents. Their modus operandi is clearly that of credential theft, which allows for espionage and other cyber capabilities.

In recent months, COLDRIVER has made a dramatic shift in strategy, fielding new malware families such as LOSTKEYS and the ROBOT family, which comprises NOROBOT and MAYBEROT. These developments signal an increased urgency in the group's operations, as evidenced by the frequency of attacks observed in early 2025.

Continuous Evolution of Malware

Since it first appeared, COLDRIVER has shown a notable aptitude for circumventing malware detection. The group built its first malware, LOSTKEYS, to exfiltrate data. More recently, it created the ROBOT family of tools, a more complex and dangerous instrument for cyber espionage. NOROBOT and MAYBEROT are tracked by the cybersecurity company Zscaler ThreatLabz under the names BAITSWITCH and SIMPLEFIX.

The newest malware families demonstrate a significant change in COLDRIVER's strategy: the group has adapted its targeting patterns while continuing to go after high-profile individuals.

“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.”

In related news, the Netherlands Public Prosecution Service (Openbaar Ministerie, OM) has announced the arrest of three 17-year-old men who allegedly offered services to a foreign government. One of them is said to be connected to COLDRIVER. On September 22, 2025, investigators took two of the suspects into custody; the third is under house arrest because of his peripheral role in the alleged offence.

“This constant development highlights the group’s efforts to evade detection systems for their delivery mechanism for continued intelligence collection against high-value targets.”

The Openbaar Ministerie has indicated that the suspects were involved in activities that lend themselves to cyber espionage.

Recent Arrests and Allegations

COLDRIVER's operations also depend on more than its own technical expertise: the group keeps local partners close, and they help it carry out its campaigns.

COLDRIVER's recent wave of attacks marks a shift from its previously observed techniques. Its tactics have more recently focused on credential theft from individual high-value targets, and the introduction of YESROBOT represents a dramatic change. Field observations showed YESROBOT deployed on only 4 days over a two-week stretch in late May, just days after LOSTKEYS was publicly disclosed.

“This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague,” stated a representative of the OM.

A Dutch government body stated,

“The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.”

Many of our cybersecurity colleagues have been poring over these developments. COLDRIVER's changing methods signal what the future of cyber warfare could look like: increasingly sophisticated operations aimed at high-value assets.

Shift in Tactics and Future Implications

COLDRIVER’s recent wave of attacks represents a departure from their previously established methods. While their tactics have focused heavily on credential theft from specific individuals, the introduction of YESROBOT marks a significant shift. Observations indicate that only two instances of YESROBOT deployment occurred over a two-week period in late May, shortly after details regarding LOSTKEYS became public knowledge.

Despite ongoing investigations, there are currently no indications that pressure has been applied to the suspect associated with the hacker group. A Dutch government body stated,

“There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government.”

As cybersecurity experts continue to analyze these developments, COLDRIVER’s evolving tactics raise concerns about future cyber threats and the potential for increased sophistication in cyber operations against high-value targets.