Russian COLDRIVER Hackers Deploy LOSTKEYS Malware to Steal Sensitive Information

May 12, 2025, 8:16 a.m.

Description

The Google Threat Intelligence Group has identified a sophisticated malware family called LOSTKEYS, attributed to the Russian government-backed threat actor COLDRIVER. Active since December 2023, LOSTKEYS represents an evolution in COLDRIVER's toolkit and is used against high-value targets such as NATO governments, NGOs, and former intelligence officers. The malware exfiltrates specific files, harvests system information, and is deployed against individuals linked to Ukraine or Western governments. COLDRIVER's primary goal appears to be intelligence collection aligned with Russia's interests. The infection chain is a multi-stage process that begins with a fake CAPTCHA and employs various evasion tactics. Google has implemented countermeasures and recommends enhanced security measures for users.

Date

  • Created: May 10, 2025, 7:04 a.m.
  • Published: May 10, 2025, 7:04 a.m.
  • Modified: May 12, 2025, 8:16 a.m.

Attack Patterns

Additional Information

  • Defense
  • Government
  • United Kingdom of Great Britain and Northern Ireland
  • Ukraine
  • Russian Federation