Russian state-linked Coldriver spies add new malware to operation
Researchers at Google have discovered new malware, dubbed Lostkeys, which they say is being used by the Russian government-backed hacking group Coldriver in an espionage campaign.
The malware, observed in attacks as recently as April, appears to be a recent addition to the toolset of Coldriver, which traditionally relies on phishing to spy on high-profile individuals. Past targets for the group — also known as Star Blizzard, UNC4057 and Callisto — include diplomats, military advisers, journalists, advocates and think tanks associated with NATO countries.
Lostkeys is capable of stealing files from a list of extensions and directories, along with sending system information to the attacker, Google’s Threat Analysis Group said.
The malware is delivered through a lure website that mimics a CAPTCHA verification page. Once the victim “completes” the fake CAPTCHA, malicious PowerShell code is copied to their clipboard and they are instructed to run it — a tactic aimed at bypassing traditional email-based defenses.
Coldriver’s activity was first discovered by Google in 2022. The group is believed to be operating for Russia’s intelligence services.
Coldriver typically steals credentials to access and exfiltrate emails and contacts from its targets. However, the group also previously used malware such as Spica to target specific individuals when aiming to access documents on a compromised system. Lostkeys, designed to achieve similar objectives, is deployed only in highly selective cases, researchers said.
In previous campaigns, Coldriver targeted human rights organizations, independent media and civil society members from Eastern Europe and the U.S.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.