COLDRIVER Hackers Unveil New Malware Families Targeting High-Profile Individuals


By Tina Reynolds


In a recent investigation, Semaphore found that COLDRIVER, a hacking group linked to Russia, has produced three new malware families. The group has intensified its attacks, focusing increasingly on prominent NGO leaders, policy advisors, and dissidents, with the aim of stealing credentials from these key figures. The move from credential theft alone to deploying purpose-built malware represents a major change in COLDRIVER’s tactics and operations since May 2025.

COLDRIVER’s malware has gone through several developmental phases in recent months. The group had previously concentrated on stealing credentials; the new wave of attacks, which delivers custom malware to the same kinds of targets, is both an escalation and a departure from that modus operandi. The three new families, YESROBOT, NOROBOT, and MAYBEROBOT, follow the earlier LOSTKEYS information stealer and point to a sustained digital espionage effort.

Recent Developments in COLDRIVER’s Operations

COLDRIVER’s malware families have coincided with a significant spike in the group’s activity. The group has already rolled out several waves of attacks and is changing how it deploys malware, diverging from its historical patterns. These operations have cybersecurity experts concerned about the implications for global security.

Of the new families, YESROBOT was observed only twice, in a two-week span at the end of May 2025. LOSTKEYS, an information-stealing malware, was reported shortly before YESROBOT appeared. According to the researchers, the “ROBOT” family was used more frequently in later COLDRIVER intrusions.

“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.” – Wesley Shields

This iterative development shows an operator willing to simplify a chain to improve deployment success and then reintroduce complexity, such as splitting decryption keys across stages, to hinder analysis: a single captured stage is then not enough to recover the final payload.
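To make concrete what “splitting cryptography keys” across stages means for an analyst, here is an added example (hypothetical Python written for this page; it is not COLDRIVER code and is not derived from any sample; the cipher is a simplified HMAC-SHA256 counter-mode stand-in rather than AES, and all names and the sample payload are my own). The payload key is XOR-split so that every stage must be collected before decryption succeeds, which is why a sandbox run or network capture that sees only part of the chain yields nothing usable.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional

# Constructed sample payload standing in for a final-stage script (not a real sample).
SAMPLE_PAYLOAD = b"print('final stage would run here')"


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt by XOR with an HMAC-SHA256 counter-mode keystream.

    Simplified stand-in for a real block cipher (the stdlib has no AES).
    XOR is its own inverse, so the same call performs decryption.
    """
    out = bytearray()
    for i in range((len(data) + 31) // 32):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[i * 32:(i + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)


def split_key(key: bytes, parts: int) -> List[bytes]:
    """XOR-split `key` into `parts` shares.

    Every share is required to rebuild the key; any strict subset is
    statistically independent of it (one-time-pad style secret sharing).
    """
    if parts < 1:
        raise ValueError("need at least one share")
    shares = [secrets.token_bytes(len(key)) for _ in range(parts - 1)]
    last = key
    for s in shares:
        last = bytes(a ^ b for a, b in zip(last, s))
    return shares + [last]


def combine_key(shares: List[bytes]) -> bytes:
    """XOR all shares together; correct only if none is missing."""
    key = bytes(len(shares[0]))
    for s in shares:
        key = bytes(a ^ b for a, b in zip(key, s))
    return key


def build_chain(key: bytes, payload: bytes, stages: int) -> List[dict]:
    """Hypothetical staged loader: each stage carries one key share and the
    final stage also carries the encrypted payload."""
    shares = split_key(key, stages)
    chain = [{"stage": i + 1, "share": share} for i, share in enumerate(shares)]
    chain[-1]["ciphertext"] = keystream_xor(key, payload)
    return chain


def looks_like_script(candidate: bytes) -> bool:
    """Plausibility check an analyst would apply: decrypted output should be
    printable text, whereas a wrong key yields pseudorandom bytes."""
    return candidate.isascii() and all(32 <= c < 127 or c in (9, 10, 13) for c in candidate)


def recover_payload(captured: List[dict]) -> Optional[bytes]:
    """Analyst side: combine whatever shares were captured and attempt decryption.

    Returns the payload only when every stage of the chain was observed;
    a missing share produces an unrelated key and unusable output.
    """
    ciphertext = next((s["ciphertext"] for s in captured if "ciphertext" in s), None)
    if ciphertext is None:
        return None  # final stage never reached or not captured
    candidate = keystream_xor(combine_key([s["share"] for s in captured]), ciphertext)
    return candidate if looks_like_script(candidate) else None


if __name__ == "__main__":
    demo_key = secrets.token_bytes(32)
    chain = build_chain(demo_key, SAMPLE_PAYLOAD, stages=3)
    print("all three stages captured:", recover_payload(chain))
    print("first stage missed:       ", recover_payload(chain[1:]))
```

The design point for defenders: when a chain is built this way, a single stage seen in a sandbox or proxy log is a lead, not a sample; the full sequence has to be captured (or replayed from the server) before static analysis of the final payload is possible.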

Arrests Linked to COLDRIVER Activities

On September 22, 2025, the Netherlands’ Public Prosecution Service, the Openbaar Ministerie (OM), announced the arrest of three 17-year-olds for allegedly attempting to provide services to a foreign government. One of them reportedly had been in direct contact with a Russian government-linked hacking group known as “Fancy Bear.”

Two of the suspects are in custody; the third is under house arrest, reportedly because of a more limited role. According to the OM, one suspect directed the other two, who repeatedly mapped Wi-Fi networks in The Hague.

“This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague.” – Openbaar Ministerie (OM)

The information gathered was passed to an unknown client for a fee. The OM notes that such data can be used for digital espionage and cyber attacks.

“The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.” – Openbaar Ministerie (OM)

Implications for Cybersecurity

Security researchers are watching these developments closely. The new malware families are tied together by a multi-stage delivery chain that the group keeps reworking, which creates a new set of challenges for defenders worldwide.

Despite these concerns, the OM has so far found no indication that pressure was exerted on the suspect who was in contact with the Russian government-affiliated hacking group. The Dutch authorities stressed the need to remain alert and to continue investigating these threats.

“There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government.” – Dutch government body

COLDRIVER continues to devise new strategies and change tactics. Law enforcement and cybersecurity experts need to work together to mitigate the impact of these growing threats.