
By Tina Reynolds

New Malware Families Linked to Russian Hacking Group COLDRIVER Discovered

Analysis from a recent investigation carried out in collaboration with Mandiant has identified three new malware families associated with the Russian hacking group COLDRIVER. The group's operational activity has more than doubled since May 2025, and the malware, which has gone through repeated revisions, shows how quickly its tactics are evolving.

These attacks have focused on high-value targets, including foreign NGO representatives, policy advisors, and domestic political dissidents. The new wave represents a marked departure from COLDRIVER's established modus operandi, and authorities are watching the situation closely as officials assess what it means.

Background on COLDRIVER

COLDRIVER has established itself as a potent cyber threat with a distinct modus operandi: credential theft from influential individuals. Security researchers are on high alert in response to the group's activity and note that the recent surge in operations signals a more aggressive approach.

On Tuesday, the Dutch public prosecution service, the Openbaar Ministerie (OM), disclosed one such example. Its investigation found that a 17-year-old suspect had been in contact with a hacker group linked to COLDRIVER. The OM announced that three teenagers have been charged with providing services to a foreign government, allegedly as part of COLDRIVER's operations.

“There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government,” – the Dutch government body

Two of the suspects were arrested in September. The third is under house arrest because of the lesser extent of his alleged involvement. The OM is continuing its investigation to establish how deeply the suspects were involved and how their activity relates to COLDRIVER's cyber campaigns.

Evolving Malware Tactics

Zscaler ThreatLabz has been tracking the same malware under its own names: BAITSWITCH for NOROBOT and SIMPLEFIX for MAYBEROBOT. LOSTKEYS, an information stealer, was used in at least seven waves between January and February 2025.

In late May 2025, COLDRIVER deployed YESROBOT, a new variant that emerged soon after news about LOSTKEYS had been made public. So far, there have been only two known deployments of YESROBOT, emphasizing the group’s highly targeted use of this malware.

“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys,” – Wesley Shields

Shields further described these malware families as “a collection of related malware families connected via a delivery chain.” Rather than simply upgrading individual tools, COLDRIVER is building a more complete, interconnected toolset, which strengthens its operational capabilities.
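To make the remark about splitting cryptography keys across the delivery chain concrete, here is an added illustration written for this page. It is not COLDRIVER's code and is not taken from the cited analysis; it assumes a plain XOR split of the payload key across loader stages, with a toy HMAC-SHA256 keystream standing in for a real cipher so that it runs on the standard library alone. The defensive point it shows is that an analyst or sandbox that captures only some stages cannot recover the final payload, so detection and collection have to cover the whole chain rather than a single stage.

```python
"""Illustration of a staged loader that splits its payload-decryption key
across stages.  Added example: not COLDRIVER's code and not taken from the
article.  The "cipher" is a toy HMAC-SHA256 keystream so the script runs on
the standard library alone; the structure being shown is the key split."""
import hashlib
import hmac
import os
from typing import List

KEY_LEN = 32


def split_key(key: bytes, n_shares: int) -> List[bytes]:
    """XOR-split key into n_shares pieces; every piece is needed to rebuild it.
    n_shares - 1 pieces are random, the last is key XOR all the others."""
    if n_shares < 2:
        raise ValueError("need at least two shares")
    shares = [os.urandom(len(key)) for _ in range(n_shares - 1)]
    last = key
    for s in shares:
        last = bytes(a ^ b for a, b in zip(last, s))
    shares.append(last)
    return shares


def combine_shares(shares: List[bytes]) -> bytes:
    """XOR all shares together. With any share missing the result is random."""
    out = bytes(len(shares[0]))
    for s in shares:
        out = bytes(a ^ b for a, b in zip(out, s))
    return out


def toy_keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: keystream blocks = HMAC-SHA256(key, counter).
    Encryption and decryption are the same operation."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# Constructed stand-in for the final stage; not real malware content.
FINAL_PAYLOAD = b"stage-N payload: constructed sample standing in for the real final stage"


def build_chain(key: bytes, n_stages: int):
    """Operator side: each stage carries one key share; the last stage also
    carries the encrypted payload. Returns (per-stage shares, ciphertext)."""
    shares = split_key(key, n_stages)
    ciphertext = toy_keystream_xor(key, FINAL_PAYLOAD)
    return shares, ciphertext


def recover_payload(captured_shares: List[bytes], ciphertext: bytes) -> bytes:
    """Analyst side: decrypt with whatever shares were actually captured."""
    return toy_keystream_xor(combine_shares(captured_shares), ciphertext)


def full_vs_partial_capture(n_stages: int = 3):
    """Return (payload recovered from all stages,
               payload 'recovered' with one stage missing)."""
    key = os.urandom(KEY_LEN)
    shares, ciphertext = build_chain(key, n_stages)
    return (recover_payload(shares, ciphertext),
            recover_payload(shares[:-1], ciphertext))


if __name__ == "__main__":
    full, partial = full_vs_partial_capture()
    print("all stages captured :", full)
    print("one stage missing   :", partial[:16].hex(), "... (garbage)")
```

The analyst-side consequence is visible in `recover_payload`: a single missing share leaves the combined key uniformly random, so nothing short of the complete chain yields the payload, and a sandbox run that is cut short after the first stage tells you very little about what the final stage does.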

Implications for Cybersecurity

The impact of COLDRIVER's recent campaign is significant and should concern cybersecurity practitioners and government agencies alike. The group has entered a new, more complex and arguably more aggressive operational phase, which sharply increases the risk to the people and organizations it targets.

The OM has also noted that one of the suspects mapped Wi-Fi networks at several locations in The Hague. That data was then sold and could be used to support digital espionage and cyberattacks.

“The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.” – Openbaar Ministerie (OM)

As this case develops, it is a reminder of the constantly evolving nature of cyber threats. Groups such as COLDRIVER remain a serious threat to national security, and authorities continue their efforts to counter them and to protect potential targets from sophisticated cyber operations.