Cybersecurity researchers discovered three new malware families tied to COLDRIVER, a hacking group linked to Russia. Since May 2025, COLDRIVER has gone through numerous developmental iterations, evolving its tactics and tools in response to a changing cybersecurity landscape. The group usually targets high-profile leaders at non-governmental organizations (NGOs), policy advisory bodies and dissidents in order to steal their credentials.
According to a recent report, COLDRIVER has accelerated its operations significantly. A pattern emerged with attacks in January, March and April 2025. These attacks prompted the release of a new info-stealer malware named LOSTKEYS.
New malware variants
The most recent COLDRIVER malware variants have markedly departed from the group's typical operational norms. This finding is significant, as it exposes a conspicuous strategic pivot within the group.
Evolution of COLDRIVER Malware Families
With an impressive malware arsenal, COLDRIVER uses the NOROBOT and MAYBEROBOT families. Zscaler ThreatLabz tracks these threats under the names BAITSWITCH and SIMPLEFIX, respectively. According to specialists, NOROBOT and the infection chain that precedes it have been adapted continuously.
“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.” – Wesley Shields
This new development is indicative of COLDRIVER's adaptability and thorough technical approach. Another major advancement from the group has been new techniques for building the "ROBOT" family of advanced malware. This new family includes techniques tailored to help avoid detection and maximize efficiency.
Fast forward to late May 2025, when cybersecurity researchers reported the deployment of a new YESROBOT variant. It has been used very sparingly, documented only twice in a single two-week period. This raises the question of what the strategic objective is for its limited roll-out.
Arrests and Legal Developments in the Netherlands
In a parallel criminal investigation, the Netherlands’ Public Prosecution Service announced that they have charged three 17-year-old men with providing services to a hostile foreign government. One of these people reportedly reached out to the Kremlin-affiliated hacker collective. This deep connection between them raises obvious red flags about their actions.
On September 22, 2025, Openbaar Ministerie (OM) authorities arrested two suspects and put a third under house arrest. Enforcement agents are determining their activities and possible links to COLDRIVER’s operations.
“There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government,” – the Dutch government body.
One suspect frequently directed the others to survey Wi-Fi networks in The Hague. This behavior points to a deliberate strategy to build intelligence for use in cyber operations.
“This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague,” – OM.
Implications and Future Outlook
The growing pace of COLDRIVER's operations has generated profound alarm in international cybersecurity communities. Newer, more dangerous malware variants like LOSTKEYS and the ROBOT family are a real and immediate threat. They can facilitate more sophisticated and precisely targeted cyber attacks against high-profile or sensitive targets.
Through these attacks, the operators can amass valuable data. This information drives state-sponsored digital espionage and exacerbates the security threats to sensitive organizations and individuals.
“The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.” – OM.
Cybersecurity researchers should continue to watch COLDRIVER's actions. Agencies need to arm themselves with better defenses against the havoc this ever-changing threat actor can wreak.