This week, cybersecurity researchers at Mandiant unveiled a new malware campaign connected to the Russia-based hacking group COLDRIVER. The change in implementation is notable because COLDRIVER has shown an increased operational tempo, with new malware variants appearing since May 2025. Law enforcement agencies, particularly in the Netherlands, are closely focused on this kind of activity: according to news reports, they have placed three teenage suspects under scrutiny for their reported ties to the group.
COLDRIVER’s most recent efforts have centred on malware, showcasing a sophisticated arsenal that has evolved over time. Most alarmingly, the group released the LOSTKEYS malware in January 2025, an advanced espionage tool engineered to harvest sensitive data including call logs and timestamps. The successful deployment of LOSTKEYS opened the door for newer malware families to follow in its footsteps, such as the recently discovered ROBOT family. Our analysis of these new strains points to a deliberate change in COLDRIVER’s tactics and capabilities.
Increased Operations Tempo
Since May 2025, COLDRIVER’s malware has gone through two progressions, a sign of increased attack frequency. The group’s activity in January, March, and April of 2025 was especially effective, ultimately resulting in the deployment of LOSTKEYS. This information-stealing malware has developed into one of the most dangerous threats, with its use tied to numerous cyber espionage campaigns.
Wesley Shields, a cybersecurity expert at the University of Maryland’s National Cybersecurity Center of Excellence, discussed the adaptability of COLDRIVER’s malware.
“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.” – Wesley Shields
The development of the ROBOT family is another example of COLDRIVER’s continued effort to perfect its malware arsenal. The nearly daily updates to this list of families attest to how remarkably active these hackers are, and they are just as ruthlessly strategic in their thinking.
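The quoted remark about splitting cryptography keys across an infection chain describes a general pattern that matters to analysts: when each stage carries only one fragment of the key that unlocks the next stage, a sandbox or a capture that has only some stages cannot decrypt the rest. The following is an added illustration, not COLDRIVER’s code and not from the original report; it uses XOR secret sharing and a repeating-key XOR as a stand-in cipher, with a constructed placeholder blob as the “next stage”. All function names and the sample data are assumptions made for this example.

```python
import hashlib
import os
from typing import List, Optional

# Constructed sample: stands in for an encrypted "next stage" blob. Not real malware.
NEXT_STAGE_PLAINTEXT = b"stage-3 payload (constructed placeholder text, not real code)"


def split_key(key: bytes, n_fragments: int) -> List[bytes]:
    """Split `key` into n fragments whose XOR equals the key.

    Every fragment but the last is random, so any subset of fewer than n
    fragments reveals nothing about the key (XOR secret sharing).
    """
    if n_fragments < 2:
        raise ValueError("need at least two fragments")
    fragments = [os.urandom(len(key)) for _ in range(n_fragments - 1)]
    last = bytes(b ^ r for b, r in zip(key, reassemble_key(fragments)))
    return fragments + [last]


def reassemble_key(fragments: List[bytes]) -> bytes:
    """XOR all fragments together; the result is only the real key when every
    fragment is present."""
    acc = bytearray(len(fragments[0]))
    for frag in fragments:
        if len(frag) != len(acc):
            raise ValueError("fragment length mismatch")
        for i, b in enumerate(frag):
            acc[i] ^= b
    return bytes(acc)


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, used here only as a stand-in for a real stream cipher."""
    return bytes(d ^ key[i % len(key)] for i, d in enumerate(data))


def build_chain(key: bytes, n_stages: int):
    """Simulate a multi-stage chain: each stage carries one key fragment, and the
    encrypted final stage travels with a hash of its plaintext for verification."""
    fragments = split_key(key, n_stages)
    ciphertext = xor_stream(NEXT_STAGE_PLAINTEXT, key)
    digest = hashlib.sha256(NEXT_STAGE_PLAINTEXT).hexdigest()
    return fragments, ciphertext, digest


def recover_next_stage(fragments: List[bytes], ciphertext: bytes,
                       expected_digest: str) -> Optional[bytes]:
    """Analyst-side check: rebuild the key from whichever fragments were captured
    and verify the decryption against the known plaintext hash.
    Returns the plaintext on success, None if any fragment is missing."""
    candidate = xor_stream(ciphertext, reassemble_key(fragments))
    if hashlib.sha256(candidate).hexdigest() == expected_digest:
        return candidate
    return None


if __name__ == "__main__":
    key = os.urandom(32)
    frags, ct, digest = build_chain(key, 3)
    print("all fragments captured:", recover_next_stage(frags, ct, digest) is not None)
    print("one fragment missing:  ", recover_next_stage(frags[:2], ct, digest) is not None)
```

The practical point for responders is the second line of output: with one stage missing, the reassembled key is uniformly random and the final payload stays opaque, so a complete capture of every stage (or the keys they carry) is a prerequisite for static analysis of the last one.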
Legal Consequences and Investigations
The Dutch Public Prosecution Service has confirmed suspicions against three 17-year-old men for the offence of assisting a foreign power. Of particular interest, one of these suspects is alleged to have maintained communication with COLDRIVER. The search for these suspects received significant national media attention, culminating in two of the suspects’ arrests on September 22, 2025. The third of the suspects, a 20-year-old man, is currently under house arrest due to what authorities call a “very limited role” in the case.
The Openbaar Ministerie stated that one of the suspects coached the other two in person. Working in pairs, they walked through the city mapping Wi-Fi networks in The Hague three times.
“This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague,” – Openbaar Ministerie (OM)
The prosecutor’s office went on to disclose that the suspects had sold all of the accumulated data to their client, collecting payment for it. This data could then be repurposed for digital espionage and cyber warfare.
“The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.” – Openbaar Ministerie (OM)
COLDRIVER’s operations extend well beyond the image of a low-key lone hacker. They involve a complicated web of people willing to actively help plan and carry out cyber espionage.
Malware Families and Attribution
The cybersecurity community has already pointed out that COLDRIVER’s malware families extend beyond LOSTKEYS and ROBOT alone. Other related families such as NOROBOT and MAYBEROBOT have likewise been tied to the group. Indeed, NOROBOT is also known as BAITSWITCH, and MAYBEROBOT is sometimes called SIMPLEFIX. Yet only two examples of a malware variant known as YESROBOT have been documented. Both occurred within a week of each other in late May 2025, just days after news about LOSTKEYS was first published.
The Dutch government has been quite proactive in probing such cyber threats. It has found no evidence that outside pressure, whether from law enforcement or the military, has been applied to the suspect who was in contact with COLDRIVER.
“There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government,” – The Dutch government body
As investigations continue, cybersecurity officials are keeping a wary eye on COLDRIVER’s operations. The shifting nature of its malware campaigns continues to create ongoing obstacles for law enforcement and cybersecurity professionals alike.