COLDRIVER Hackers Unveil New Malware Families Amid Heightened Cyber Activity


By Tina Reynolds


The nation’s foremost cybersecurity experts have just released a troubling analysis. They determined that COLDRIVER, a hacking group identified with Russia, has developed three additional families of malware. The Netherlands’ Public Prosecution Service (OM) has confirmed the arrest of three 17-year-old suspects, accused of installing malware on behalf of a foreign government and introducing it to COLDRIVER. The group’s recent escalation points to a change in its operational approach and in the tactics it employs.

COLDRIVER typically steals the communications of high-profile targets, including employees of non-governmental organizations (NGOs), policy advisors, and political dissidents. Its main goal has been credential theft, pursued through increasingly elaborate intrusions. Since May 2025, COLDRIVER has gone through six versions of its development cycle. The speed of this development leads many to question the group’s competency and motives.

Recent Malware Developments

From January to April 2025, COLDRIVER successfully deployed information-stealing malware of its own making, which it refers to as LOSTKEYS. This malware serves to facilitate additional intrusions, and the effort behind it led to the evolution of the “ROBOT” family of malware. The ROBOT family includes two notable variants: NOROBOT and MAYBEROBOT.

Zscaler ThreatLabz tracks these variants under the names BAITSWITCH and SIMPLEFIX, respectively. NOROBOT and MAYBEROBOT have kept changing, reflecting COLDRIVER’s knack for partially altering its approach: the malware continues to evade detection while still zeroing in on sensitive information.

“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.” – Wesley Shields

The new wave of COLDRIVER attacks shows a clear break from the group’s overall strategy. Analysts are beginning to see a wider array of tactics, which could indicate that the group is trying to broaden both its targets and its methods.

Arrests Linked to COLDRIVER Operations

On September 22, 2025, Dutch authorities arrested two of the three suspects in the case; the third was placed under a form of house arrest. The OM has indicated that one of the suspects maintained contact with a hacker group affiliated with the Russian government, and that this contact included directing the other two suspects to survey Wi-Fi networks in The Hague on several occasions.

“This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague.” – Openbaar Ministerie (OM)

The investigation revealed that the suspects were selling the collected information to a third party for payment. This kind of activity opens the door to digital espionage and cyber attacks.

“The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.” – Openbaar Ministerie (OM)

Dutch authorities are still investigating. They have stated that there are currently “no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government.”

Implications for Cybersecurity

The independent and resourceful nature of COLDRIVER’s new malware families represents one of the most serious threats to cybersecurity frameworks around the world. With activity ramping up since May 2023, specialists have been warning about the risk of a surge in digital espionage.

Zscaler ThreatLabz describes COLDRIVER’s malware families as “a collection of related malware families connected via a delivery chain,” which underscores the complexity and interconnectedness of these threats.

Cybersecurity analysts remain hard at work responding to the threat. These developments have consequences beyond specific targets and carry serious national security implications at a time of increasing international tension.