New Malware Families Linked to COLDRIVER Hackers Emerge Amid Rising Cyber Threats


By Tina Reynolds


Cybersecurity specialists at Reversing Labs have discovered a new wave of previously unseen malware families tied to the Russia-linked hacking group COLDRIVER. The group has drawn attention for its advanced operations and for the malware it has been developing since May 2025. This new high-tempo approach by COLDRIVER's operatives marks a sobering shift in strategy that has set off warning bells across the cybersecurity community.

COLDRIVER's malware has been closely tracked by Zscaler ThreatLabz, whose analysts have followed its progress as it shifted under a variety of monikers. Examples include NOROBOT (now tracked as BAITSWITCH) and MAYBEROBOT (now tracked as SIMPLEFIX). The group's capacity to pivot and find new ways to deploy its malware is an ever-present and major threat to organizations around the globe.

Recent Malware Developments

Since the beginning of 2025, COLDRIVER has shown a significant increase in operational intensity. On January 27th, March 18th, and April 3rd, the group was responsible for a string of attacks that resulted in the widespread deployment of an info-stealing malware dubbed LOSTKEYS. Following the effectiveness of these attacks, COLDRIVER redirected its efforts into deploying the newly discovered "YESROBOT" family of malware.

“The NOROBOT and its preceding infection chain have been subject to constant evolution,” said Wesley Shields, a cybersecurity expert. “Initially simplified to increase chances of successful deployment, it later reintroduced complexity by splitting cryptography keys.” This evolution underscores the group’s continued dedication to developing the most sophisticated cyber tools in its arsenal.

In reality, only two examples of wide-scale YESROBOT deployment have been seen to date, both within a two-week period in late May 2025. Security professionals have speculated that the public disclosure of LOSTKEYS was the catalyst for the strategic change to YESROBOT. This urgency in adapting tools and tactics demonstrates the group's recognition that the cybersecurity landscape is rapidly evolving and must be dealt with head-on.

Suspects and Legal Action

Local authorities have arrested three 17-year-old males for their alleged involvement with services connected to a foreign government that may be linked to COLDRIVER. The Netherlands' Public Prosecution Service (Openbaar Ministerie) announced the arrests on September 22, 2025. Federal authorities had arrested two of the suspects earlier this year. The third suspect, who appears to have played more of a supporting role in the alleged activities, is 10 days into house arrest.

A spokesperson for the Dutch state entity supervising the case told reporters that there are no signs so far of inappropriate pressure being placed on the perpetrator. This suspect had prior contact with a hacker group known to be affiliated with the Russian government. The statement highlights the active and ongoing investigation into the suspects' relationship with COLDRIVER.

According to the Openbaar Ministerie, one of the suspects was coaching the other two. In addition to their Wi-Fi mapping excursions through The Hague, the suspects also took to the streets of Rotterdam. This detail gives a fuller picture of the operational tactics used by those supposedly acting under COLDRIVER's direction.

Implications for Cybersecurity

With COLDRIVER's activity on the rise and new malware families continuously evolving, the group represents a major threat to organizations across the globe. As these threats grow, businesses have to stay one step ahead and take ownership of their own cybersecurity posture. The sophistication of malware like LOSTKEYS and YESROBOT emphasizes the need for robust defenses against data breaches and cyber espionage.

Ongoing investigations into known accomplices again underline the growing focus on cybercriminal activity associated with state-sponsored threat actor groups. As law enforcement continues to unravel these networks, the stakes for international cybersecurity partnerships grow more urgent.