Something big just happened on the cybersecurity front. The Russian-linked hacking group COLDRIVER has been tied to a set of newly identified malware families that it has been developing since May 2025. The group is known for going after high-profile targets: its aim is to steal credentials from staff of non-governmental organizations (NGOs), policy advisors and dissidents, and to use the resulting access for espionage. Recent research by Zscaler ThreatLabz has shown how capable COLDRIVER's tooling has become. The new malware, tracked under names including NOROBOT and MAYBEROBOT, followed the group's earlier information-stealing malware, LOSTKEYS.
As COLDRIVER's deployments expanded, many security researchers raised the alarm. The newest attack waves attributed to the group mark a significant escalation and a departure from its usual modus operandi. That shift produced the "ROBOT" family of malware: the first real-world YESROBOT deployment was observed only a few weeks after the details of LOSTKEYS were made public.
COLDRIVER’s Modus Operandi
COLDRIVER typically uses carefully tailored techniques, above all credential phishing, to gain a foothold in its targets' digital lives. Its focus on high-profile individuals makes credential theft the opening move, after which the group collects sensitive information for espionage. The most recent malware releases fit this pattern and show a clear rise in operational tempo, a sign of a more aggressive approach.
According to Wesley Shields, a cybersecurity analyst, "NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys." This adaptability makes the group's campaigns harder to detect and disrupt.
COLDRIVER's attacks first came to public attention in January 2025, followed by similar campaigns in March and April of the same year. The continual development of its malware shows a determination to stay one step ahead of detection and prevention tooling.
Recent Developments and Arrests
In a recent enforcement operation in the Netherlands, police arrested two of three suspects accused of providing services to a foreign state and thereby assisting foreign cyber-espionage operations. The suspects are 17 years old. One of them is reported to have been in contact with a hacker group affiliated with the Russian government.
The Netherlands' Public Prosecution Service (in Dutch, the Openbaar Ministerie, or OM) announced the arrests on September 22, 2025. The third suspect was placed under house arrest because of his "minor role" in the case. The OM noted, "This suspect gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague."
Despite the arrests, investigators are still examining whether the suspects were steered by a larger foreign operation. A statement from the Dutch prosecution service said, "There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government."
Implications for Cybersecurity
The implications are serious. The suspects allegedly sold the data they gathered, and such data is ideal raw material for digital espionage and follow-on cyberattacks. The OM stated, "The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks."
Security teams study the evolving threat landscape constantly, yet actors such as COLDRIVER keep finding ways to stay ahead. These developments are a reminder that continual vigilance, and stronger defenses against increasingly sophisticated threats, remain essential.