The pro-Kremlin hacking group COLDRIVER, known for sophisticated cyber operations, has recently earned a bad reputation. Its targets include prominent civil society leaders at NGOs, as well as activists, policy advisors and dissidents. The group works seemingly day and night creating new malware families such as NOROBOT and MAYBEROBOT, and since spring 2025 these families have gone through several revisions. Analysis following a recent wave of COLDRIVER attacks revealed a new information-stealing malware, LOSTKEYS. Its exposure, in turn, was followed by the appearance of the group’s “ROBOT” family of malware.
COLDRIVER’s activity has come under intense, sometimes excessive, scrutiny. The increased focus follows the Openbaar Ministerie (OM) announcing that three 17-year-old men are suspected of offering services to foreign parties, possibly including parties tied to COLDRIVER. The news draws much-needed attention to the persistent threat of Kremlin-linked cyber aggression and its impact on global security.
COLDRIVER’s Modus Operandi
COLDRIVER broadly pursues a credential-theft strategy against targets linked to prominent organizations or governments. By penetrating these networks it obtains sensitive information that can serve a wide range of interests, including international espionage. These advancements mark a new phase for the COLDRIVER threat actor, with its most recent malware families, BAITSWITCH and SIMPLEFIX, standing as testaments to this significant change.
Wesley Shields, cybersecurity expert at NOROBOT and graduate of Code for America’s Fellowship Program, highlighted how NOROBOT keeps changing, noting:
“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.”
This adaptability is what makes COLDRIVER so dangerous, and it ultimately enables the group to run effective and damaging operations against targeted individuals.
Recent Malware Developments
COLDRIVER’s recent activity shows an increased operational tempo. The deployment of LOSTKEYS changed the group’s strategy, and its introduction in turn led to the development of the “ROBOT” malware family. YESROBOT belongs to this new family; it has been seen only twice so far, over a two-week deployment period in late May.
LOSTKEYS first came to light just before YESROBOT was deployed, indicating a deliberate effort to improve the group’s cyber operations. The increasing sophistication of its malware shows COLDRIVER’s commitment to continually improving its tools against a changing international threat landscape.
Arrests Linked to COLDRIVER Activities
Matters came to a head when the OM announced the arrest of two suspects on September 22nd, 2025. The third suspect has been placed under house arrest, given the “minor role” he played in the case. Today’s operation is the culmination of a wider investigation coordinated by the Netherlands’ Public Prosecution Service.
The suspects reportedly sold all of the collected data to foreign clients, such as lobbying firms, for profit. The case should set off alarm bells across the country about ongoing digital espionage and future cyberattacks.
“This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague.”
These developments highlight not only the activities of COLDRIVER but also the ongoing challenge of countering cyber threats that operate across international borders.
The Dutch government body stated:
“There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government.”