<title>Russian Hackers Using ClickFix Fake CAPTCHA to Deploy New LOSTKEYS Malware - Community</title>
<p>Published 2025-05-08T10:08:45+00:00 by Chelsie Wyatt in the News category of the TSFactory Community blog: <a href="https://www.tsfactory.com/forums/blog/russian-hackers-using-clickfix-fake-captcha-to-deploy-new-lostkeys-malware/">https://www.tsfactory.com/forums/blog/russian-hackers-using-clickfix-fake-captcha-to-deploy-new-lostkeys-malware/</a></p>
<p>The Russia-linked threat actor known as <b>COLDRIVER</b> has been observed distributing a new malware called <b>LOSTKEYS</b> as part of an espionage-focused campaign using ClickFix-like social engineering lures.</p>
<p>“LOSTKEYS is capable of stealing files from a hard-coded list of extensions and directories, along with sending system information and running processes to the attacker,” the Google Threat Intelligence Group (GTIG) <a href="https://cloud.google.com/blog/topics/threat-intelligence/coldriver-steal-documents-western-targets-ngos" target="_blank" rel="noopener">said</a>.</p>
<p>The malware, the company said, was observed in January, March, and April 2025 in attacks on current and former advisors to Western governments and militaries, as well as journalists, think tanks, and NGOs. In addition, individuals connected to Ukraine have also been singled out.</p>
<p>LOSTKEYS is the second custom malware attributed to COLDRIVER after <a href="https://thehackernews.com/2024/01/russian-coldriver-hackers-expand-beyond.html" target="_blank" rel="noopener">SPICA</a>, marking a continued departure from the <a href="https://thehackernews.com/2024/08/russian-linked-hackers-target-eastern.html" target="_blank" rel="noopener">credential phishing campaigns</a> the threat actor has been known for. The hacking group is also tracked under the names Callisto, Star Blizzard, and UNC4057.</p>
<p>“They are known for stealing credentials and after gaining access to a target’s account they exfiltrate emails and steal contact lists from the compromised account,” security researcher Wesley Shields said. “In select cases, COLDRIVER also delivers malware to target devices and may attempt to access files on the system.”</p>
<p>The latest set of attacks commences with a decoy website containing a fake CAPTCHA verification prompt, where victims are instructed to open the Windows Run dialog and paste a PowerShell command copied to the clipboard, a widely popular social engineering technique dubbed <a href="https://thehackernews.com/2025/04/state-sponsored-hackers-weaponize.html" target="_blank" rel="noopener">ClickFix</a>.</p>
<p>The PowerShell command is designed to download and execute the next payload from a remote server (“165.227.148[.]68”), which acts as a downloader for a third stage, but not before performing checks in a likely effort to evade execution in virtual machines.</p>
<p><a href="https://thehackernews.com/2025/05/russian-hackers-using-clickfix-fake.html">Read the Full Story Here</a></p>
<p>Source: The Hacker News</p>