Russian Collective Unveils LOSTKEYS Malware in Cyber Offensive – Infosecurity Magazine

A new malware threat named LOSTKEYS has been identified by Google’s Threat Intelligence Group (GTIG) as part of a series of cyber-attacks linked to COLDRIVER, a group associated with the Russian government. The malware is capable of stealing files and system data and was observed in various attacks during January, March, and April 2025, indicating a significant evolution in COLDRIVER’s capabilities.

COLDRIVER, previously noted for its credential phishing attacks focusing on Western diplomats, NGOs, and intelligence personnel, has escalated its tactics by deploying advanced malware designed to directly compromise victim devices. Darren Siegel, lead sales engineer at Outpost24, highlighted the ongoing risks associated with credential theft, emphasizing that even the strongest passwords are vulnerable to such sophisticated malware.

LOSTKEYS uses a three-stage infection chain. The first stage is a lure website with a fake CAPTCHA that tricks the user into running a PowerShell script. The second stage is a sandbox-evasion check: it computes the MD5 hash of the display resolution and halts if the hash matches a hard-coded list, so the malware never runs on virtual machines configured with common default resolutions. The third stage downloads and decodes the final payload using a substitution cipher driven by two keys together with a Visual Basic Script decoder. Each observed chain carries its own identifiers and keys, so indicators recovered from one infection do not transfer cleanly to the next, underscoring the group's tailored approach to targeting.
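The resolution-hash gate above is easy to reason about once you see it as a denylist of MD5 values, and it is just as easy to reverse from the analyst's side. The following Python is an added example, not code from the GTIG report or from the malware: the `WIDTHxHEIGHT` string format and the three denylisted resolutions are assumptions chosen for illustration, not the hashes found in LOSTKEYS samples. It shows the gate as the malware would apply it, and then recovers the blocked resolutions by hashing a dictionary of common display sizes against the denylist, which is how you would learn which sandbox configurations the sample refuses to run in.

```python
import hashlib

def res_hash(width: int, height: int) -> str:
    """MD5 of the display resolution rendered as 'WIDTHxHEIGHT' (assumed format)."""
    return hashlib.md5(f"{width}x{height}".encode("ascii")).hexdigest()

# Constructed denylist: resolutions typical of default VM/sandbox displays.
# These are illustrative values, NOT the hashes carried by real samples.
BLOCKED_HASHES = {
    res_hash(800, 600),
    res_hash(1024, 768),
    res_hash(1280, 720),
}

def stage2_should_continue(width: int, height: int, blocked=BLOCKED_HASHES) -> bool:
    """Mimic the described check: halt when the resolution's MD5 is denylisted."""
    return res_hash(width, height) not in blocked

# Dictionary of common desktop resolutions for the analyst-side brute force.
COMMON_RESOLUTIONS = [
    (800, 600), (1024, 768), (1280, 720), (1280, 800), (1280, 1024),
    (1366, 768), (1440, 900), (1600, 900), (1680, 1050), (1920, 1080),
    (1920, 1200), (2560, 1440), (3840, 2160),
]

def recover_blocked_resolutions(blocked, candidates=COMMON_RESOLUTIONS):
    """Analyst side: the denylist is unsalted MD5 over a tiny input space,
    so hashing a short list of candidate resolutions recovers it outright."""
    return sorted((w, h) for (w, h) in candidates if res_hash(w, h) in blocked)

if __name__ == "__main__":
    print("1920x1080 continues:", stage2_should_continue(1920, 1080))
    print("1024x768 continues:", stage2_should_continue(1024, 768))
    print("denylisted resolutions:", recover_blocked_resolutions(BLOCKED_HASHES))
```

The practical takeaway for a detonation sandbox is that the gate is defeated by running the guest at a resolution outside the recovered list (for example 1920x1080), and that any hash list pulled from a new sample can be resolved the same way in milliseconds because the input space is a few dozen strings.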

Beyond credential theft, the deployment of malware like LOSTKEYS is believed to be reserved for high-value targets, consistent with a nation-state intelligence-gathering operation rather than opportunistic crime. Investigators have also discovered earlier versions of LOSTKEYS dating back to December 2023, which used a different infection method, posing as software related to Maltego.

To mitigate risks, GTIG recommends that potentially affected users enroll in Google’s Advanced Protection Program and activate Enhanced Safe Browsing in Chrome. All identified malicious websites and files associated with LOSTKEYS have been incorporated into Google’s Safe Browsing service, with alerts issued to impacted Gmail and Workspace users. GTIG is committed to sharing findings with the security community to enhance awareness and strengthen protections for organizations and individuals potentially targeted by these cyber activities.