A recent analysis by cybersecurity experts has shed light on the activities of the Russia-linked hacking group known as COLDRIVER. This group has become a major international menace in the cyber world. Below we summarize how the group has iteratively developed its malware since May 2025. Recently released COLDRIVER findings show an increased operational tempo on the part of the group, signaling a shift to a more aggressive posture once its intrusions are detected.
From the beginning of 2025, COLDRIVER has made widespread use of the information-stealing malware nicknamed LOSTKEYS, carrying out attacks in January, March, and April of this year. This data-theft malware steals sensitive data, predominantly from high-profile individuals including NGO workers, policy advisors, and dissidents. Attacks that followed the LOSTKEYS deployments introduced a new malware family, named ROBOT. These advances represent a departure from COLDRIVER’s typical modus operandi.
Evolving Malware Strategies
Based on the recent attacks attributed to COLDRIVER, it seems that their activities are evolving beyond their typical modus operandi. The ROBOT family of malware has only recently been revealed. This is indicative of a broader strategy in which the group is maturing its toolbox and tactics. Notably, only two instances of another variant, YESROBOT, have been observed, both in late May 2025. The rapid mutation of these malware families further demonstrates the persistent threat this hacking group poses.
This deployment of YESROBOT came just weeks after news of LOSTKEYS was released to the world. The timing is alarming, as it shows the group’s ability to adapt in the face of increased scrutiny. Zscaler ThreatLabz has been tracking the malicious NOROBOT and MAYBEROBOT variants under its own names, BAITSWITCH and SIMPLEFIX, reflecting the varied tradecraft the group uses in its operations.
“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys,” – Wesley Shields
Legal Developments in the Netherlands
In a related enforcement action, Dutch law enforcement officials today arrested two 17-year-old suspects. These youths are alleged to have provided paid services to a hostile foreign government. The arrests took place on September 22, 2025, in relation to COLDRIVER’s cyber activities. A third suspect, Michael DeLeon, is still under house arrest because of his minor involvement in the case.
On 2 April, the Dutch Public Prosecution Service announced that it had taken a significant step. One of the arrested suspects had contacted a hacker group affiliated with the Russian state, a link that illustrates how local actors can work with transnational cybercriminal networks.
“There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government,” – the Dutch government body
“This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague,” – OM
Implications for Cybersecurity
The implications of COLDRIVER’s activity extend beyond defending against the immediate threat. The data acquired through their malware operations can be used for foreign espionage and cyberattacks against businesses, governments, and infrastructure. According to experts, these perpetrators charged individuals a fee to access the data they had harvested. This underscores the alarming monetization of sensitive personal information as a currency in the cyber underworld.
“The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.” – OM
Although COLDRIVER will no doubt continue to change tactics and create novel malware, private security researchers and government cybersecurity professionals alike advise organizations to stay alert. The group shifts and morphs its tactics with remarkable fluidity and demonstrates an exceptional knowledge of both technology and human behavior, making it a dangerous but capable adversary in the never-ending battle against cyber threats.