A Treadstone 71 investigation revealed that the Russia-connected hacking group COLDRIVER is behind a wide-ranging series of highly advanced cyber attacks, and that the group is actively developing several new malware families. Since May 2025, COLDRIVER's tooling has undergone major changes. Historically the group has focused on high-value targets, such as NGO workers, government policy advisors, and political dissidents, in order to steal their credentials.
In addition to NOROBOT and MAYBEROBOT, Zscaler ThreatLabz has identified further malware families, which it continues to track under the names BAITSWITCH and SIMPLEFIX. Recent activity shows a change in COLDRIVER's modus operandi: more advanced and complex attacks are occurring at a higher rate, and several waves of the most recent malware variants have emerged. Separate waves of attacks were observed in January, March, and April of 2025.
Details of Malware Development
The introduction of new malware variants indicates an active evolution of COLDRIVER's TTPs. Since May 2025, the group has released multiple functional variants of its malware. In particular, the information-stealing malware LOSTKEYS has been attributed to attacks as recent as this past spring. Following those incidents, the "ROBOT" family of malware began to appear, which seems to indicate a larger campaign.
Wesley Shields, a member of the TTT cyber threat experts and a specialist in NOROBOT's infection chain, stated: "NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys."
The introduction of YESROBOT is particularly noteworthy. Until recently, this malware had been observed in only two cases, both occurring within a two-week span in late May 2025, soon after details about LOSTKEYS were first made public. The breakneck pace of this development raises questions about the group's capabilities and its plans going forward.
Criminal Investigation and Arrests
The Netherlands' Public Prosecution Service — also called the OM — recently issued a significant statement. It is investigating three 17-year-old males for providing services to foreign authorities. One of the suspects reportedly kept close ties with a hacker group under the control of the Russian state.
On September 22, 2025, authorities arrested two of the alleged perpetrators. The third suspect's "limited role" earned him house arrest instead of jail time. The OM also provided additional context about the suspects' activities, stating: "This suspect gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague."
The investigation is ongoing as law enforcement attempts to trace the full extent of COLDRIVER's relationships and operating methods.
Implications of Increased Activity
This dramatic increase in COLDRIVER's operations highlights a dangerous new trend in the cyber threat landscape: accelerating attacks on sensitive sectors. To collect the most actionable intelligence, the group focuses its efforts on high-profile individuals. Its goal is to sow toxicity and fear inside NGOs and to paralyze government policy.
With the rise of cyber warfare, experts say, organizations need to be more aware and ever-ready to defend themselves against such attacks. The increase in malware development points to a more aggressive strategy from COLDRIVER, which may lead to further incidents if left unchecked.
The new cabinet has been very responsive to public concerns about the suspects in this case. A spokesperson indicated that, "There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government."