COLDRIVER Hackers Unveil New Malware Families Amid Ongoing Investigations

By Tina Reynolds

Cybersecurity professionals have reason to be alarmed by a recent trend of increasingly aggressive cyber operations, which observers attribute to the Russian hacking group COLDRIVER. The threat actor has produced multiple generations of pernicious malware in rapid succession since May 2025, a sign of heightened operational tempo. The wider implications of these developments, however, have led to criminal investigations against those suspected of supporting the group.

COLDRIVER’s latest malware versions indicate a move towards an even more aggressive posture against its adversaries. The group gained notoriety earlier this year for its widespread deployment of the information-stealing malware LOSTKEYS, with waves of activity in January, March, and April 2025. These recent intrusions have led to the emergence of a new malware family known as “ROBOT.” Alongside this new threat, the previously monitored families NOROBOT and MAYBEROBOT have been renamed BAITSWITCH and SIMPLEFIX.

Investigating Suspects Linked to COLDRIVER

Then, on October 17, 2025, the Openbaar Ministerie (OM) dropped a bomb: it identified three 17-year-old males charged with providing services to a foreign government. According to media reports, one of the suspects had direct ties to a hacker group sponsored by the Russian government. This nefarious link has led to a surge in law enforcement overreach.

The OM also revealed a horrifying fact: one suspect repeatedly directed the other two to scan Wi-Fi networks throughout The Hague.

“This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague.” – Openbaar Ministerie (OM)

The data these criminals are accused of collecting allegedly has serious consequences. The OM stated that it was shared with a client for a fee and could be used for digital espionage and cyber attacks.

“The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.” – Openbaar Ministerie (OM)

Evolving Malware Families

As the probes went on, security analysts recorded drastic evolution in COLDRIVER’s crypto-malware. Wesley Shields, a cybersecurity analyst with the team, noted how rapidly NOROBOT changes, including its entire infection chain. He noted that the malware was initially simplified to improve the chances of successful deployment, but later reintroduced complexity by splitting cryptography keys.

“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.” – Wesley Shields

Shields described COLDRIVER’s malware families as “a collection of related malware families connected via a delivery chain.” This interconnectedness points to an advanced COLDRIVER strategy that may make its cyber operations more difficult to defend against.
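To make the “splitting cryptography keys” point concrete from the analyst’s side, here is an added example that is not code from the article, from COLDRIVER, or from any vendor report. It models a generic multi-stage delivery chain in which each stage carries one XOR share of the payload key and the last stage carries the encrypted payload, and then shows why a defender who captures only part of the chain cannot recover the final payload for analysis. The stage names, the sample payload and the SHA-256 counter-mode keystream used as a stand-in cipher are all constructed assumptions for illustration, not details of the real malware.

```python
import hashlib
import secrets

# Constructed sample payload standing in for a final-stage artifact.
SAMPLE_PAYLOAD = b"constructed final-stage payload bytes for illustration"


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, n_shares: int) -> list:
    """XOR secret sharing: n-1 random shares plus one share chosen so that the
    XOR of all shares equals the key. Any n-1 shares reveal nothing about it."""
    if n_shares < 2:
        raise ValueError("need at least two shares")
    shares = [secrets.token_bytes(len(key)) for _ in range(n_shares - 1)]
    last = key
    for s in shares:
        last = xor_bytes(last, s)
    return shares + [last]


def combine_key(shares) -> bytes:
    key = bytes(len(shares[0]))
    for s in shares:
        key = xor_bytes(key, s)
    return key


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode) so the example needs no
    third-party library. Symmetric: the same call encrypts and decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return xor_bytes(data, bytes(stream))


def build_chain(payload: bytes, n_stages: int = 3) -> dict:
    """Hypothetical delivery chain: every stage carries one key share and the
    last stage also carries the encrypted payload. Returns the artifacts an
    analyst could collect per stage (stage names are constructed)."""
    key = secrets.token_bytes(32)
    shares = split_key(key, n_stages)
    chain = {f"stage{i + 1}": {"key_share": s} for i, s in enumerate(shares)}
    chain[f"stage{n_stages}"]["blob"] = keystream_xor(key, payload)
    return chain


def recover_payload(captured: dict) -> bytes:
    """Analyst side: combine whatever shares were captured and attempt
    decryption. The result is only meaningful if every share is present."""
    shares = [a["key_share"] for a in captured.values() if "key_share" in a]
    blobs = [a["blob"] for a in captured.values() if "blob" in a]
    if not blobs:
        raise ValueError("no encrypted payload captured")
    return keystream_xor(combine_key(shares), blobs[0])


def demo() -> dict:
    chain = build_chain(SAMPLE_PAYLOAD)
    full = recover_payload(chain)
    # Drop the first stage: simulates having captured only the later artifacts.
    partial = {k: v for k, v in chain.items() if k != "stage1"}
    missing_one = recover_payload(partial)
    return {
        "full_chain_ok": full == SAMPLE_PAYLOAD,
        "partial_chain_ok": missing_one == SAMPLE_PAYLOAD,
    }


if __name__ == "__main__":
    print(demo())  # {'full_chain_ok': True, 'partial_chain_ok': False}
```

The practical consequence for incident responders is that every stage artifact (downloader, intermediate script, final blob) has to be preserved together: a sandbox run or a disk image that captures only the last stage yields ciphertext that no amount of static analysis will open, which is exactly the friction the described key splitting creates.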

Recent Deployments and Future Concerns

The deployment of YESROBOT has attracted close attention. Nonetheless, it was seen only a couple of times during a two-week period in the second half of May 2025, shortly after LOSTKEYS became public. This raised questions about whether the timing of the attacks on the military was accidental or deliberate, and about the attackers’ motives.

The Dutch government agency responsible for the investigation also stated that there are no indications the suspect was put under pressure. This suspect is reportedly connected to a hacker group tied to the Russian government. This development adds still more complications to an already complex case.

“There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government,” – The Dutch government body