Pierluigi Paganini
May 09, 2025
Google’s Threat Intelligence Group discovered LOSTKEYS, a new malware used by Russia-linked APT COLDRIVER, in recent attacks to steal files and gather system info. The ColdRiver APT (aka “Seaborgium“, “Callisto”, “Star Blizzard”, “TA446”) is a Russian cyberespionage group that has been targeting government officials, military personnel, journalists and think tanks since at least 2015.
In the past, the group’s activity involved persistent phishing and credential theft campaigns leading to intrusions and data theft. The APT primarily targets NATO countries, but experts also observed campaigns targeting the Baltics, Nordics, and Eastern Europe regions, including Ukraine.
COLDRIVER targets high-profile individuals and NGOs to steal credentials, emails, and contacts. They may also deploy malware for file access. Recent victims include Western advisors, journalists, and Ukraine-linked individuals. Their main goal is intelligence gathering for Russian interests, with occasional hack-and-leak operations.
According to Google GTIG, the APT group used LostKeys malware in selective ClickFix attacks starting in January, where victims were tricked into running malicious PowerShell scripts that led to data theft via VBS payloads.
LOSTKEYS is deployed via a multi-step chain starting with a fake CAPTCHA that tricks users into running PowerShell. This “ClickFix” method, used by COLDRIVER and others, fetches staged payloads from remote servers.
The second stage checks the device’s display resolution MD5 hash. If it matches specific values, execution stops, otherwise, the malicious code retrieves the third stage, which uses unique identifiers for each request.
The third stage decodes a Base64 blob to PowerShell, which retrieves and decodes the final payload. It pulls two files: a VBS decoder and a second encoded file, using unique keys for each infection chain.
“The end result of this is a VBS that we call LOSTKEYS. It is a piece of malware that is capable of stealing files from a hard-coded list of extensions and directories, along with sending system information and running processes to the attacker.” concludes the report. “The typical behavior of COLDRIVER is to steal credentials and then use them to steal emails and contacts from the target, but as we have previously documented they will also deploy malware called SPICA to select targets if they want to access documents on the target system. LOSTKEYS is designed to achieve a similar goal and is only deployed in highly selective cases.”
Google experts found two additional samples dating back to December 2023. These Portable Executable (PE) files, pretending to be Maltego software, execute LOSTKEYS but follow a different execution chain.
“It is currently unclear if these samples from December 2023 are related to COLDRIVER, or if the malware was repurposed from a different developer or operation into the activity seen starting in January 2025.” concludes the report.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, LostKeyster)
