That’s the long-term, alarming conclusion of a recent Cybersecurity Workforce Investigation. The Russia-linked hacking group COLDRIVER has been identified as the author of new malware that has been under development since May 2025. More than anything else, the recent surge in activity indicates that the group is intensifying its operational tempo. Cybersecurity experts and governments alike have begun to take notice of this disturbing trend.
COLDRIVER focuses on high-profile members of NGOs, policy advisors and dissidents. Its primary goal is credential theft. The group’s recent attack waves give a clear view of how far it has shifted from its typical approach, which may indicate a deliberate change in tactics.
A New Era of Malware
COLDRIVER’s updated tooling includes a significant info-stealing variant, referred to by researchers as LOSTKEYS. Its advanced capabilities have put this malware in the spotlight. It has further been associated with the deployment of other malware families, such as the “ROBOT” family. Zscaler ThreatLabz is currently tracking two major strains in this family, NOROBOT and MAYBEROBOT, under the names BAITSWITCH and SIMPLEFIX respectively, and monitors both threats closely.
This malleability offers a further look into COLDRIVER’s drive to maximize its malware’s effectiveness. Only two instances of the newer YESROBOT strain have been noted. All three of these examples occurred during the same two-week span in late May 2025. Crucially, details of LOSTKEYS were made public before YESROBOT was deployed, suggesting deliberate intent behind the timing of the group’s activity.
“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.”
Separately, the Netherlands’ Public Prosecution Service announced that three young men are suspected. She continued, “These 17-year-olds reportedly received millions of dollars in taxpayer-funded contracts from a foreign government.” One of these suspects is believed to have been in communication with COLDRIVER. Law enforcement arrested two of the suspects on September 22, 2025, while the third remains under house arrest.
Recent Developments in the Netherlands
The collection of Wi-Fi network data could have supported espionage activity aligned with COLDRIVER’s broader goals. This information could have been sold for profit, enabling digital espionage and cyber attacks.
The emergence of new malware families from COLDRIVER represents an evolving threat that necessitates increased vigilance from organizations and individuals alike. It’s more important than ever for cybersecurity professionals to be aware of these changes and proactively prevent sensitive information from falling into the wrong hands.
“This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague.”
The Dutch government body investigating the suspects noted that, so far, there is no indication of any pressure having been put on the unnamed individual linked to COLDRIVER. The absence of outside coercion suggests that those engaged in cybercrime enjoy a degree of autonomy, which further complicates the difficult work of dismantling these networks through legal action.
“The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.”
Implications for Cybersecurity
Wesley Shields described the interconnected nature of these malware families:
“a collection of related malware families connected via a delivery chain.”
This interconnectedness complicates detection and response efforts, as each new strain can leverage tactics learned from its predecessors.