The Russia-linked threat actor known as COLDRIVER has been observed distributing a new malware called LOSTKEYS as part of an espionage-focused campaign using ClickFix-like social engineering lures.
“LOSTKEYS is capable of stealing files from a hard-coded list of extensions and directories, along with sending system information and running processes to the attacker,” the Google Threat Intelligence Group (GTIG) said.
The malware, the company said, was observed in January, March, and April 2025 in attacks on current and former advisors to Western governments and militaries, as well as journalists, think tanks, and NGOs. In addition, individuals connected to Ukraine have also been singled out.
LOSTKEYS is the second custom malware attributed to COLDRIVER after SPICA, marking a continued departure from the credential phishing campaigns the threat actor has been known for. The hacking group is also tracked under the names Callisto, Star Blizzard, and UNC4057.
“They are known for stealing credentials and after gaining access to a target’s account they exfiltrate emails and steal contact lists from the compromised account,” security researcher Wesley Shields said. “In select cases, COLDRIVER also delivers malware to target devices and may attempt to access files on the system.”
The latest set of attacks commences with a decoy website containing a fake CAPTCHA verification prompt, where victims are instructed to open the Windows Run dialog and paste a PowerShell command copied to the clipboard, a widely popular social engineering technique dubbed ClickFix.
The PowerShell command is designed to download and execute the next payload from a remote server (“165.227.148[.]68”), which acts as a downloader for a third-stage but not before performing checks in a likely effort to evade execution in virtual machines.
Source: The Hacker News