Russia-Linked ColdRiver Uses LostKeys Malware in Recent Attacks
Since early 2025, Russia-linked ColdRiver has been using a new malware called LostKeys to steal files in espionage attacks on Western governments and organizations. The discovery of this malicious software was made by Google's Threat Intelligence Group, which uncovered the threat actor's tactics, techniques, and procedures (TTPs) in recent campaigns.
The ColdRiver APT: A Long-Standing Russian Cyberespionage Group
ColdRiver is a well-established Advanced Persistent Threat (APT) group linked to Russia. The group has been actively targeting government officials, military personnel, journalists, and think tanks since at least 2015. In the past, ColdRiver's activity involved persistent phishing and credential theft campaigns leading to intrusions and data theft.
The Primary Targets of ColdRiver
ColdRiver primarily targets NATO countries, with notable campaigns also observed in the Baltics, Nordics, and Eastern Europe regions, including Ukraine. The group focuses on high-profile individuals and non-governmental organizations (NGOs) to steal credentials, emails, and contacts. In some cases, ColdRiver deploys malware for file access.
Recent Attacks: ClickFix Methodology
Recent victims of ColdRiver's attacks include Western advisors, journalists, and Ukraine-linked individuals. The group has been using a new method called ClickFix in its recent campaigns, starting in January 2025. This technique involves tricking users into running malicious PowerShell scripts that lead to data theft via VBS payloads.
The LostKeys Malware
LostKeys is the malware used by ColdRiver in these recent attacks. It is deployed via a multi-step chain starting with a fake CAPTCHA that tricks users into running PowerShell. The malware then fetches staged payloads from remote servers, checks the device's display resolution MD5 hash to determine whether to execute or stop execution.
The LOSTKEYS Malware: A VBS-Based File Stealer
"The end result of this is a VBS that we call LOSTKEYS," concludes the report. "It is a piece of malware that is capable of stealing files from a hard-coded list of extensions and directories, along with sending system information and running processes to the attacker." The typical behavior of ColdRiver is to steal credentials and then use them to steal emails and contacts from the target.
Additional Samples of LostKeys
"LOSTKEYS is designed to achieve a similar goal and is only deployed in highly selective cases," concludes the report. Google experts have found two additional samples dating back to December 2023, which pretend to be Maltego software and execute LOSTKEYS but follow a different execution chain.
Uncertainty Surrounds the Origin of Recent LostKeys Samples
"It is currently unclear if these samples from December 2023 are related to COLDRIVER or if the malware was repurposed from a different developer or operation into the activity seen starting in January 2025," concludes the report. This uncertainty highlights the ongoing evolution of cyber threats and the need for continuous monitoring and analysis.
Stay Safe from Malware: Best Practices
To protect yourself against malware like LostKeys, it is essential to maintain a strong cybersecurity posture, including regular software updates, secure password management, and caution when clicking on links or running unknown software. By being aware of these threats and taking proactive measures, you can reduce your risk of falling victim to cyber attacks.
Stay Informed: Follow Our Security Coverage
To stay up-to-date with the latest security news and analysis, follow us on Twitter (@securityaffairs), Facebook, and Mastodon.