COLDRIVER Hackers Unveiled: New Malware Families and Suspected Collaborators Identified


By Tina Reynolds


That’s the finding of a newly released investigation, which has uncovered a second surge of malware primarily associated with the Russia-linked hacking group COLDRIVER. Since May 2025, COLDRIVER has been working on, testing, and improving malware that has escalated the group’s operational tempo dramatically. Importantly, three 17-year-old suspects are thought to have delivered services to a foreign government, possibly linked with COLDRIVER’s actions.

In January, March, and April 2025, a hostile nation-state actor operating under the alias COLDRIVER deployed an information-stealing malware known as LOSTKEYS. Soon after, the group started using the ROBOT family of malware. The last two years of aggressive, malicious cyber activity have shocked everyone. Today, a great many people are concerned about the group’s emergent capabilities and intentions in cyber espionage.

The Evolution of COLDRIVER’s Malware

COLDRIVER’s operations have shown an alarming development in their Tactics, Techniques and Procedures (TTPs). The collective initially released LOSTKEYS, which operated as an information-stealing tool. After this, COLDRIVER stepped up their game even more by using the ROBOT malware family that we’ve seen in other intrusions.

Wesley Shields, a cybersecurity expert, described the adaptive qualities of NOROBOT, one of COLDRIVER’s malware families. Each time NOROBOT and its earlier infection chain are exposed, the malware changes. Having first simplified the implementation to make deployment more reliable, the group then reintroduced complexity by splitting the cryptographic keys the malware depends on. This adaptability presents significant obstacles to cybersecurity efforts focused on reducing the effects of these types of threats.

Besides NOROBOT, COLDRIVER also uses MAYBEROBOT. Both are actively tracked by Zscaler ThreatLabz as BAITSWITCH and SIMPLEFIX, respectively. The group’s operational tempo has doubled or tripled, a testament to the uptick in malign behavior and a greater business interest in digital espionage.

Recent Developments and Suspects

The Netherlands’ Public Prosecution Service (Openbaar Ministerie) has just arrested two of the three suspects associated with COLDRIVER’s operations. This operation is a huge and encouraging step in the investigation. These people were arrested on 09/22/2025. A third suspect was released to house arrest because of his minor participation in the case. Authorities suspect that one of these young men has been in contact with a hacker group affiliated with the Russian government.

According to a representative from the Dutch Intelligence and Security Service, there was any pressure put on the suspect. We’ve been in contact with a hacker group which had connections to the Russian government. This statement points to the alarming, if still ongoing, investigation into ties between these suspects and entities hostile to our national interests.

The OM revealed that another one of the accused sold confidential data to an individual associated with the client and was paid for it. All this data might be incredibly useful for digital espionage and cyber attacks. This discovery highlights just how dangerous the threats from COLDRIVER and its co-conspirators are.

Implications for Cybersecurity

The new developments around COLDRIVER and its malware families are alarming in terms of what they suggest about cybersecurity protections worldwide. Organizations need to stay one step ahead and do more than just react to the latest threats.

Security experts caution that COLDRIVER’s expanded operational tempo is a sign of a new, more aggressive phase of cyber attacks. The fact that young suspects are connecting with well-known hacker collectives is an even more ominous development. Naive amateurs are being exploited by professionals who know how to manipulate them.