{
  "name": "Russian COLDRIVER Hackers Deploy LOSTKEYS Malware to Steal Sensitive Information",
  "slug": "russian-coldriver-hackers-deploy-lostkeys-malware-to-steal-sensitive-information",
  "description": "The Google Threat Intelligence Group has identified sophisticated malware called LOSTKEYS, attributed to the Russian government-backed threat actor COLDRIVER. Active since December 2023, LOSTKEYS represents an evolution in COLDRIVER's toolkit and has been used against high-value entities such as NATO governments, NGOs, and former intelligence officers. The malware exfiltrates specific files and harvests system information, and its deployments have been aimed at individuals linked to Ukraine or Western governments. COLDRIVER's primary goal appears to be intelligence collection aligned with Russia's interests. The infection chain is a multi-stage process that begins with a fake CAPTCHA and employs various evasion tactics. Google has implemented countermeasures and recommends enhanced security measures for users.",
  "published": "2025-05-10T05:04:37+00:00",
  "created_at": "2025-05-10T05:04:37+00:00",
  "modified_at": "2025-05-12T06:16:07+00:00",
  "created_at_opencti": "2025-05-10T05:04:37+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-05-10",
    "captcha",
    "intelligence collection",
    "lostkeys",
    "multi-stage infection",
    "nato",
    "ngo",
    "powershell",
    "russian hackers",
    "ukraine",
    "western governments"
  ],
  "related_entities": {
    "malware": [
      {
        "id": "legacy:malware:e5278c3cfb6dc35e",
        "name": "LOSTKEYS",
        "slug": "lostkeys"
      }
    ],
    "intrusion_sets": [
      {
        "id": "legacy:intrusion:232b3b6e9119ba9c",
        "name": "COLDRIVER",
        "slug": "coldriver"
      }
    ],
    "attack_patterns": [
      {
        "id": "e1b18ecf-d74e-4fe6-9bd4-ca6a62e7d818",
        "name": "T1027.002"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "97d377d8-89c7-48f8-a79f-0f48bd60df74",
        "name": "T1005"
      },
      {
        "id": "dc17cbbd-40d8-43cf-b3cf-50d1276db2c7",
        "name": "T1016"
      },
      {
        "id": "29398669-98ed-4766-9dac-f9632f7175ff",
        "name": "T1518"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "870bd958-53a3-4d25-9f23-00aa8bd6674d",
        "name": "T1102"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "50514c04-b3a2-4abf-a855-e3a434200c87",
        "name": "T1204"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "5b7c66d1-0466-4ba7-af6f-eb82c2f9d05b",
        "name": "T1033"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "United Kingdom of Great Britain and Northern Ireland"
      },
      {
        "id": "",
        "name": "Ukraine"
      },
      {
        "id": "",
        "name": "Russian Federation"
      },
      {
        "id": "",
        "name": "Defense"
      },
      {
        "id": "",
        "name": "Government"
      }
    ]
  },
  "external_refs": [
    "https://gbhackers.com/russian-coldriver-hackers-deploy-lostkeys-malware/amp",
    "https://otx.alienvault.com/pulse/681efa85136c18a881af2661"
  ]
}