COLDRIVER Using New Malware To Steal Documents From Western Targets and NGOs
Essential information
- Published
- 07/05/2025 18:05
- Modified
- 07/05/2025 21:13
- Tags
- 2025-05-07 clickfix credential-theft document theft lostkeys ngos phishing powershell spica
- Related entities
- 1 intrusion sets (apt), 13 techniques (mitre), 1 malware, 5 others
Description
Russian government-backed threat group COLDRIVER has developed a new malware called LOSTKEYS, capable of stealing files and system information. The group targets high-profile individuals, NGOs, and former intelligence officers through credential phishing and malware delivery. LOSTKEYS is delivered through a multi-step infection chain, starting with a fake CAPTCHA and involving PowerShell commands. The malware evades detection in VMs and uses a substitution cipher for decoding. COLDRIVER's primary goal is intelligence collection for Russia's strategic interests, targeting Western governments, militaries, journalists, and Ukraine-related individuals. The group has been linked to hack-and-leak campaigns in the UK and against NGOs.