COLDRIVER Hackers Unleash New Malware Threats Tied to Russian Cyber Espionage


By Tina Reynolds


COLDRIVER, a well-known hacking group connected to Russia, has been the source of three new strains of malware. These strains have changed quite a bit even since May 2025. Recent independent investigations indicate that COLDRIVER has adapted its strategy. Now, it is expanding its information operations into cyberspace, moving beyond high-profile targets such as non-governmental organizations and dissidents. This article recaps recent progress on COLDRIVER’s work and what it means for the future of cybersecurity.

COLDRIVER has become infamous for its information-stealing malware, especially LOSTKEYS. LOSTKEYS belongs to a wider malware family that also includes the “ROBOT” variants, among them NOROBOT and MAYBEROBOT. Cybersecurity experts and law enforcement agencies alike are raising alarms about these recent developments, a worry that grew after a wave of attacks attributed to COLDRIVER in early 2025.

Evolving Malware Campaigns

The malware family linked to COLDRIVER has gone through many changes since it first emerged. The attacks in January, March, and April of 2025 were the catalyst for deploying LOSTKEYS. As recent intrusions have documented, these operations are growing in sophistication, and this evolution has made possible the rise of the ROBOT family of malware.

Wesley Shields, a cybersecurity expert, commented on the evolution of this malware chain:

“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.”

COLDRIVER’s malware shows a technical complexity that points to a robust and well-resourced operation behind it. This indicates that the group is refining its methods to avoid detection while maximizing its effect.

At the end of May 2025, we witnessed our second successful instance of YESROBOT deployment. These deployments all happened within a two-week span, just weeks after LOSTKEYS made its public debut. This recent uptick in activity indicates a higher operational tempo from COLDRIVER, which is cause for concern regarding the group’s possible intentions and capabilities.

Law Enforcement Response

In response to these cyber threats, the Netherlands’ Public Prosecution Service (OM) has launched an investigation into COLDRIVER’s activities. Just last week, their cyber division, CIFUS, arrested three 17-year-old suspects accused of offering services to a foreign state. One of the suspects is said to have kept in touch with a hacker outfit tied to the Russian state.

The OM highlighted the role of one suspect in mapping Wi-Fi networks in The Hague:

“This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague.”

The agency further revealed that the suspect sold the collected data to clients. This practice risks making U.S. infrastructure more vulnerable to digital espionage and cyberattack.

“The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.”

Today, two of the suspects are in custody, while the third is under house arrest because their involvement was minimal.

Implications for Cybersecurity

While COLDRIVER’s actions present tangible threats to the communities it targets, their consequences are more far-reaching. They underscore the growing sophistication of digital tactics used in warfare and espionage. The development of the group’s malware indicates a high level of organizational coordination in responding to the countermeasures developed and deployed by security experts trying to stop it.

The Dutch government seems to understand what’s at stake. As it has noted, there is so far no indication that pressure was brought to bear on the suspect associated with the Russian-affiliated hacker group.

“There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government.”

As the investigations continue, cybersecurity experts are calling for organizations to ramp up their defenses against such fast-evolving threats.