Cybersecurity analysts have published a new report on COLDRIVER, a hacking group that operates on behalf of the Russian government. A new malware family dubbed YESROBOT recently appeared, and the group is responsible for its creation. Since YESROBOT's launch in May 2025, COLDRIVER has shown an increased operational tempo. The Public Prosecution Service (OM) of the Netherlands is still investigating. The DOJ has revealed that it has leads on at least three suspects who allegedly provided organizational services to a foreign government.
The YESROBOT malware was released during a two-week span in late May 2025, only weeks after the public disclosure of a different malware family, LOSTKEYS. This timing raises a question about a potential connection between the two malware families, and it indicates that COLDRIVER is intensifying its cyber campaigns.
Recent Developments in Malware Evolution
COLDRIVER's malware has undergone dramatic changes since May 2025, suggesting that the group has greatly escalated its operational tempo. Our colleagues at Malwarebytes Labs, Cybereason, Fortinet, and others have tracked the progression of this malware family. It includes YESROBOT as well as its negations, NOROBOT and MAYBEROBOT.
NOROBOT and MAYBEROBOT would later come to be tracked by Zscaler ThreatLabz as BAITSWITCH and SIMPLEFIX respectively. Wesley Shields, a cybersecurity expert, explained how far these malware families have progressed:
“NOROBOT and its preceding infection chain have been subject to constant evolution — initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys.” – Wesley Shields
COLDRIVER is expected to keep taking these tactics in new directions. The changes in the malware's structure illustrate how readily the group adapts its tooling to penetrate environments of interest.
Investigations and Suspects
The OM has been hard at work investigating COLDRIVER's activities, including its deployment of information-stealing malware such as LOSTKEYS. In the course of these investigations, FBI and BCI agents arrested two suspects on September 22, 2025. A third suspect is under house arrest for his minor role in the case.
The OM has stated that these people provided sensitive goods and services to a foreign government. One of the suspects is said to have direct ties to a government-sponsored hacker group known as Fancy Bear. The Dutch government body indicated that:
“There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government.” – The Dutch government body
This short but pointed statement illustrates the moral and practical dilemmas inherent in international cyber operations and the difficulties such complexities create for law enforcement.
Implications for Cybersecurity
The development of YESROBOT and its predecessors is just the latest sign of an increasingly complex and dangerous threat landscape for any organization that values its digital security. COLDRIVER's malware harvests any valuable information it can find for profit, a practice that fuels further digital espionage and cyber attacks.
It highlights the severe damage that businesses are increasingly exposed to from ever-evolving cyber threats, and the importance of strong cybersecurity practices.
“The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks.” – OM (Openbaar Ministerie)
This underscores the potential risks businesses face from evolving cyber threats and emphasizes the need for robust cybersecurity measures.