COLDRIVER Using New Malware To Steal Documents From Western Targets and NGOs

· Published 07/05/2025 18:05 · Modified 07/05/2025 21:13

Essential information

Tags
2025-05-07 clickfix credential-theft document theft lostkeys ngos phishing powershell spica
Related entities
1 intrusion set (APT), 13 techniques (MITRE ATT&CK), 1 malware, 5 others

Description

Russian government-backed threat group COLDRIVER has developed a new malware called , capable of stealing files and system information. The group targets high-profile individuals, , and former intelligence officers through credential and malware delivery. is delivered through a multi-step infection chain, starting with a fake CAPTCHA and involving commands. The malware evades detection in VMs and uses a substitution cipher for decoding. COLDRIVER's primary goal is intelligence collection for Russia's strategic interests, targeting Western governments, militaries, journalists, and Ukraine-related individuals. The group has been linked to hack-and-leak campaigns in the UK and against .

External references