COLDRIVER using new malware to steal from Western targets — Google
A growing threat group, backed by Russia, is using a new malware campaign to infiltrate high-profile Western targets, according to a recent report from Google Threat Intelligence. The malicious software, dubbed LOSTKEYS, represents a significant escalation in the tactics of COLDRIVER, a threat actor known for credential phishing and, more recently, for running arbitrary shell commands on compromised hosts.
LOSTKEYS is designed to steal files with hard-coded extensions from hard-coded directories, a notable shift from the group's traditional phishing. It is installed through a multi-step process that relies on manipulating user behavior: the victim visits a fake CAPTCHA website, a PowerShell script is placed on the clipboard for the victim to run, the script performs device-detection evasion, and the final payload is then retrieved.
Google Threat Intelligence has identified the malicious IP address associated with LOSTKEYS as "165.227.148[.]68". The company has taken proactive steps to mitigate potential damage from this malware, including adding the malicious site to its "Safe Browsing" feature.
The Evolution of COLDRIVER's Tactics
COLDRIVER's use of LOSTKEYS represents a significant evolution in their tactics, showcasing the group's increasing sophistication and adaptability. The threat actor has previously been linked to high-profile phishing attempts against Western targets, including former diplomats and journalists.
A Growing Trend in Crypto Hacking
The rise of COLDRIVER's LOSTKEYS campaign is not an isolated incident in the world of crypto hacking. According to a recent report by crypto cybersecurity firm Hacken, operational flaws and weak access controls remain significant vulnerabilities, even among major centralized and decentralized players.
Attackers are increasingly relying on social engineering tactics to gain victims' trust, contributing to the alarming trend of skyrocketing losses in the crypto space. The $1.5 billion hack of cryptocurrency exchange Bybit, reportedly orchestrated by the Lazarus Group, is just one example of this growing threat landscape.
A Call to Action for Industry Players
As the threat landscape continues to evolve, industry players must prioritize security awareness and invest in robust defenses against emerging threats like LOSTKEYS. By staying vigilant and proactive, organizations can minimize their exposure to these types of attacks and protect their valuable assets.