Summary
Between Jan and Apr 2025, suspected Russian FSB-linked threat group COLDRIVER delivered LOSTKEYS malware using a fake CAPTCHA to target Western officials, journalists, think tanks, and NGOs.
Russian Threat Group COLDRIVER Deploys LOSTKEYS Malware Targeting Western Entities
The Russian state-sponsored threat group, COLDRIVER (aka UNC4057, Callisto, and Star Blizzard), has expanded its cyberespionage toolkit with the additional of a new malware strain dubbed LOSTKEYS. According to Google’s Threat Intelligence Group (GTIG), this development marks a significant evolution from COLDRIVER’s usual credential phishing tactics to more sophisticated malware development.
Evolution of Tactics
Historically, COLDRIVER focused on credential phishing campaigns targeting high-profile individuals in NATO governments, NGOs, and former intelligence and diplomatic officials. The threat group’s primary objective has been intelligence collection in support of Russian strategic interests. More recent activities observed in early-2025 indicate a shift towards deploying more custom malware to further enhance their data exfiltration capabilities.
Introduction of LOSTKEYS
LOSTKEYS was designed to steal files from predefined directories and file types, as well as send system information and running processes back to the threat actors. The malware is delivered through a multi-stage infection chain that begins with a lure website featuring a fake CAPTCHA. Once a target interacts with the CAPTCHA, they’re then prompted to execute a PowerShell script, starting the malware installation process. This method, known as “ClickFix”, involves socially engineering targets to copy, paste, and execute malicious PowerShell commands. The technique has been gaining increased notoriety as various other threat actors have begun leveraging it.
Targets and Objectives
COLDRIVER’s recent campaigns have targeted current and former advisors to Western governments, militaries, journalists, think tanks, NGOs, and individuals connected to Ukraine. The group’s operations aim to gather intelligence that aligns with Russian strategic interests. In some cases, COLDRIVER has been linked to hack-and-leak campaigns targeting officials in the UK and NGOs.
Analyst Comments:
The evolution of COLDRIVER from basic credential phishing to deploying custom malware like LOSTKEYS emphasizes a broader trend in Russian cyberespionage: the increasing willingness to burn bespoke tools in pursuit of higher value intelligence collection. The shift seems to suggest mounting pressure on Russian intelligence services to deliver actionable insights amid ongoing geopolitical tensions, particularly related to NATO support for Ukraine and Western policy responses.
Through their targeting of advisors, think tanks, and NGOs, COLDRIVER is focusing on influencers and policy shapers, not just government officials. This indicates a strategic effort of preempting or shaping foreign policy decisions. Their adoption of techniques like ClickFix also signals an emphasis on user-driven execution, a smart bypass of traditional email defenses and endpoint controls. As we’ve seen in the past, employees are the weakest link in an organization’s security posture.
For us network defenders, this campaign highlights the importance of defense-in depth strategies, user education (a must), and proactive threat hunting. The fact that COLDRIVER now deploys malware directly onto victim systems raises the stakes for organizations previously focused only on account compromise prevention.
In short, COLDRIVER’s operational pivot is just another reminder that cyberespionage groups adapt faster than most defensive postures. Organizations in policy-adjacent sectors should assume they are in the targeting scope, even if they don’t handle classified information, and adjust security postures accordingly.
Reference(s) and Further Reading:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-341a
The Security Brief 