COLDRIVER Hackers Unleash New Malware Families Targeting High-Profile Individuals


By Tina Reynolds


A new wave of cyberattacks is under way. Experts attribute these attacks to the Russia-linked hacking group COLDRIVER, which is behind a set of new, sophisticated malware families. Cybersecurity experts are growing more alarmed with each passing day over these trends, and the group’s change in targets and methods since May 2025 has especially unsettled them.

COLDRIVER mostly focuses on high-profile targets for credential theft. Its victims include not only members of non-governmental organizations (NGOs) but also policy advisors and dissidents. This time, the group has refined its approach. The departure from its previous playbook not only creates confusion among defenders but also raises additional barriers to pushing back against its advances.

Evolution of Malware Families

From May 2025 to today, COLDRIVER has deployed several malware families that have gone through multiple development cycles. Notable among these are NOROBOT and MAYBEROBOT, which Zscaler ThreatLabz tracks under the names BAITSWITCH and SIMPLEFIX, respectively. This continual evolution points to a higher operational tempo from the threat actor, which is being forced to adapt to new and emerging cybersecurity defenses.

“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys,” – Wesley Shields.

The launch of LOSTKEYS, an information-stealing malware, adds another dangerous weapon to COLDRIVER’s extensive arsenal. This strain is highly specialized for infiltrating systems and stealing sensitive information. It has been linked to subsequent attacks that led to the development of the “ROBOT” family of malware.

In late May 2025, two deployments of YESROBOT were recorded soon after LOSTKEYS’ capabilities were publicly disclosed. These attacks represent a notable tactical departure in COLDRIVER’s operations, potentially extending its reach and impact against both private and public sector targets.

Investigations and Arrests

Law enforcement authorities have started targeting people associated with COLDRIVER’s activities. The Dutch public prosecutor, the Openbaar Ministerie (OM), has said it has reason to suspect three 17-year-old men. Prosecutors claim that one of these teens was in touch with a hacker group associated with the Russian regime.

On September 22, 2025, federal, state and local law enforcement arrested two of the suspects. The third suspect is under house arrest due to his minor role in the case. As part of the ongoing investigation into this incident, he has been interviewed by law enforcement at least three times.

“There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government,” – The Dutch government body.

According to investigation reports, the third suspect often directed the other two. Together, on several occasions, they mapped the Wi-Fi networks of The Hague in an elaborate operation spanning multiple days.

“This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague,” – OM.

These individuals in turn reportedly sold the amassed data to private clients for profit, possibly including parties considering awarding contracts to them. Such data could be used for digital espionage and cyber attacks.

Implications for Cybersecurity

The recent activities of COLDRIVER highlight the increasingly sophisticated cyber threats from state-affiliated actors. As their tactics become more sophisticated, it becomes increasingly important for organizations and individuals alike to bolster their cybersecurity measures.

Cybersecurity experts caution that COLDRIVER’s malware is a “collection of related malware families connected via a delivery chain.” This interdependent design likely gives the group an added benefit of greater operational efficiency and a higher success rate in deploying malicious software.

“The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.” – OM.

As this situation develops, organizations must remain vigilant and proactive in their cybersecurity strategies to mitigate potential risks stemming from such advanced persistent threats.