A new cyber-espionage campaign by the Russia-aligned threat actor Coldriver has been deploying a previously unknown malware strain dubbed ‘LOSTKEYS,’ according to a report from Google’s Threat Intelligence Group (GTIG).
Coldriver, also tracked as Callisto, Star Blizzard, and UNC4057, is known for credential theft and data exfiltration, often targeting high-profile geopolitical entities. The group's increasing use of custom malware highlights growing sophistication and persistence in its cyber operations.
Active since late 2023 and observed in targeted attacks as recently as April 2025, LOSTKEYS is designed to steal sensitive files, harvest system information, and exfiltrate details about running processes. Victims include current and former Western government advisors, journalists, NGOs, think tanks, and individuals linked to Ukraine.
“We believe the primary goal of COLDRIVER’s operations is intelligence collection in support of Russia’s strategic interests,” the researchers said. “In a small number of cases, the group has been linked to hack-and-leak campaigns targeting officials in the UK and an NGO.”
GTIG researchers say the attacks begin with a deceptive CAPTCHA-style lure on a fake website, a method similar to the known ClickFix social engineering technique. Victims are tricked into executing a PowerShell command that downloads and launches a multistage payload from a remote server. The final stage executes the LOSTKEYS malware, which is capable of extracting data from specific directories and file types.
While LOSTKEYS has only been selectively deployed, Google also identified older malware artifacts disguised as files related to the Maltego investigation platform. The connection between these early samples and Coldriver remains unclear.
