COLDRIVER Hackers Unveils New Malware Families Amid Rising Cyber Threats

By Tina Reynolds

Cybersecurity researchers last month exposed the operations of COLDRIVER, a hacking collective with links to the Russian federal government. Their investigation uncovered some truly chilling information about how this group operates. COLDRIVER has become notorious for its selective strikes on prominent figures within non-governmental organizations (NGOs), academic policy advisors, and dissidents. Since May 2025, it is alleged to have put into circulation a new class of malware that has advanced tremendously. This development is a stark reminder of the growing sophistication of cyber threats targeting our nation’s most critical sectors.

COLDRIVER has been linked to the deployment of several other malware families. Notably, NOROBOT and MAYBEROBOT are tracked by Zscaler ThreatLabz as BAITSWITCH and SIMPLEFIX, respectively. These new credential-stealing malware variants have rapidly evolved through many stages, improving their capabilities and effectiveness in credential theft. The group’s latest campaign has deployed a new information-stealing malware called LOSTKEYS, making the digital threat environment even more complex and dangerous.

New Malware Variants and Their Implications

Perhaps the most significant change in COLDRIVER’s tactics is the introduction of the “ROBOT” family of malware. YESROBOT has only been tested in limited scenarios; it did not log a single occurrence during a two-week period in late May. Public ignorance of LOSTKEYS may be the only positive side effect of the creation of YESROBOT. This suggests that COLDRIVER is methodically exploiting information leaks to prepare the ground for expanded cyber operations.

Wesley Shields, a cybersecurity analyst, noted that “NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.” This evolution indicates a deliberate effort by COLDRIVER to adapt its tactics in response to detection and mitigation efforts by cybersecurity professionals.

The recent attacks mark a notable shift from COLDRIVER’s usual modus operandi, leaving it unclear what the group’s future plans and targets will be. Cybersecurity measures are lagging far behind. These shifts indicate that the group is actively trying to become more sophisticated in its cyber-espionage efforts.

Investigations and Suspects Involved

Authorities in the Netherlands are currently investigating three 17-year-old suspects who are believed to have provided invaluable support to COLDRIVER during the recent surge of disclosed malware. The Public Prosecution Service (OM) confirmed that two suspects were arrested on 22 September 2025, while a third suspect has since been released to house arrest. The inquiry has focused on how deep their involvement with foreign government-linked hacker groups goes.

According to the OM, “This suspect gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague.” The suspects are thus suspected of having surveyed areas for intelligence purposes. Their actions open up the potential for increased cyber espionage and attacks against private and public sector entities.

The OM further emphasized that “The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.” This statement underscores the dangerous consequences of their actions and serves as a reminder of the constant vigilance we must all maintain against these cowardly threats.

The Broader Context of Cybersecurity Threats

COLDRIVER’s operations are illustrative of a larger trend in the cyber threat landscape: the increasing emergence of state-sponsored hacking groups. The Dutch government has acknowledged the potential risks associated with these operations, stating that “There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government.”

Such global tensions are unfortunate, but so is the resulting need for countries to improve their overall cybersecurity frameworks. The progression of malware connected with COLDRIVER underscores an immediate and continuous need for all organizations to take proactive steps to defend against potential intrusions, and for governments to coordinate internationally to hold cybercriminals accountable.